June 16, 2011

Mr. P. Karunakaran,

The Chairperson,

Parliamentary Committee on Subordinate Legislation,

Lok Sabha, Parliament of India,

New Delhi

Re: Need to revisit and amend various rules notified on April 11, 2011, under the Information Technology Act, 2000, namely – (i) The Information Technology (Intermediaries Guidelines) Rules, 2011, and (ii) Information Technology (Guidelines for Cyber Cafe) Rules, 2011.

Dear Sir,

1. In consonance with the rule making power prescribed under the Information Technology Act, 2000 (the “IT Act”) the Department of Information Technology, Ministry of Communications and Information Technology, Government of India, has notified various rules under the IT Act on April 11, 2011, including:

 

a). The Information Technology (Intermediaries Guidelines) Rules, 2011, notified in exercise of the powers conferred by clause (zg) of sub-section (2) of section 87 read with sub-section (2) of section 79 of the IT Act;

b). Information Technology (Guidelines for Cyber Cafe) Rules, 2011, notified in exercise of the powers conferred under Sections 87(2) read with Section 79 of the IT Act, 2000

 

2. For the reasons specified in Annexure – I to this letter, we believe that the aforesaid rules in their present form:

a). lead to a clamp down on the freedom of speech and expression enshrined in the Constitution of India by providing for a system of pre-censorship / self-censorship by non-state actors;

b). will severely hamper the growth of internet penetration in India, and consequently lead to a slowdown of economic growth;

c). limit the growth of various IT related industries and services (in particular cyber cafes, search engines and bloggers).

 

3. While the need for a set of rules governing the rights, duties and obligations of an Intermediary (and cyber cafés) is unquestioned, the rules as presently notified are arguably unconstitutional, arbitrary and vague and could pose a serious threat not only to the business of various Intermediaries in the country but also to the public at large who may face increased instances of censorship and invasion of privacy. The rules clearly exceed the scope of the parent IT Act and in fact, overlap in some areas leading to a lack of clarity on their application. Accordingly, there has been severe criticism of the said rules both in the national and international media (various media reports are enclosed herewith as Annexure II).

 

 

4. The National Cyber Security Policy, while recognizing the need for the government to be able to regulate the cyber sphere, does note that “the IT sector has become one of the most significant growth catalysts for the Indian economy. In addition to fuelling India’s economy, this sector is also positively influencing the lives of its people through direct and indirect contribution to the various socio-economic parameters such as employment, standard of living and diversity among others.” The said Policy recognizes that the free exchange of information and ideas that the internet is crucial to the socio-economic development of the country. In this context it is particularly important that legislation governing the cyber world be both realistic as well as non-restrictive, given that the full scope of the media is yet to be explored.

 

5. As the Parliamentary Standing Committee on Subordinate Legislation (hereinafter “CSL”) is required (in terms of the Manual of Parliamentary Procedures for the Government of India,) to consider every subordinate legislation that is tabled in a house of Parliament, and further as the Rules of Procedure and Conduct of Business in the Lok Sabha mandate that the CSL is inter alia to ensure that all delegated/subordinate legislation is being properly exercised within the scope of such delegation, we believe it is well within the mandate of the CSL to examine and review the aforementioned rules notified under the IT Act.

 

6. Accordingly, we appeal to the Parliamentary Committee on Subordinate Legislation to examine the aforementioned rules notified under the IT Act and ensure that they are in conformity with the Constitution, other relevant enactments and within the scope of the IT Act itself. We would be happy to assist the Committee with any further discussions, clarifications or collaboration in this regard.

Thanking you,

Your sincerely,

The Society for Knowledge Commons

ANNEXURE – I

A. Comments on the Information Technology (Intermediaries Guidelines) Rules, 2011 (hereinafter the “Guidelines”)

1. The 2008 amendment to the IT Act, inter alia introduced Section 79 whereby Intermediaries1 were not to be liable for any third party information, data or communication hosted by it, if the various circumstances mentioned in the section were met.2 Despite some criticism3 the introduction of such a section was undoubtedly required in view of the nature of the business of Intermediaries and to protect them from undue legal harassment. The present Guidelines aim to establish and clarify the diligence process required of Intermediaries in order to claim the exemption from liability offered by Section 79 of the IT Act.

 

2. The Guidelines are clearly impractical and ill thought out as they cast obligations well beyond the means of most Intermediaries, as defined under the IT Act. To be noted that Intermediaries include businesses such as cyber cafes, online websites etc, and compliance with the strict requirements of the Guidelines is likely to be exceedingly onerous. Further, the need to regulate cyber cafes under such a law is unclear, given that the government has simultaneously notified the Information Technology (Guidelines for Cyber Cafe) Rules, 2011, which cover the rights, duties and obligations of a cyber café in some detail.

 

3. The constitutionality of the Guidelines is open to question given that it empowers and obliges Intermediaries to weed out pernicious or objectionable information on the internet. The onus cast on Intermediaries to act as a policeman of the internet is clearly impractical and unwarranted. With the amount of information available on the internet, it is impossible for an Intermediary to ensure that all content made available to users is inoffensive as per the criteria laid down. (For example, gambling is legal in many countries as is advertising for the same, which is fairly common on popular sports related websites, similarly with alcohol related advertising.) The crucial point here is that the Guidelines fail to mandate any sort of judicial role in the process (the closest concession being a requirement of a “lawful order” by an investigative agency prior to enlisting the aid of any Intermediary). The Intermediary is required to make a judgment on the offensive nature of any information and act to take the offending content offline. The Intermediary may also be required to act upon receiving appropriate requests from the public. This is clearly arbitrary and unconstitutional4 and has tremendous scope for misuse. To be noted that normally if any person is aggrieved by any information being made public, they may seek remedies—including the relief of injunction—from courts of law, under generally applicable civil and criminal law. There is no rational reason for the inapplicability of such provisions even for information posted on the internet.

 

4. The list of information that is barred includes information that “is blasphemous5”, “defamatory”, “harassing”, “libellous”, “invasive of another’s privacy”, “disparaging”, “hateful”, “relating or encouraging money laundering or gambling or otherwise unlawful in any manner” etc. This is patently in violation of various Fundamental Rights protected under the Constitution. The Guidelines are therefore vague and ambiguous in that they fail to lay down parameters for deciding what objectionable, disparaging etc and what is not. Further, Intermediaries are required to act as an agency of the government in censoring offending material and may be liable for failure to do the same. The list of offensive information is extremely broad (more so than in Sections 69 and 69A of the IT Act6). Supreme Court dicta7 makes it evident that if any limitation on the exercise of the fundamental rights under Art. 19(1) does not fall within the ambit of Art. 19(2) or is not reasonable and just, it cannot be upheld. The removal of content can thus only be done if it falls under the reasonable restrictions imposed under Art. 19(2) of the Constitution. Hence the broad list of proscribed information provided by the Guidelines, together with the absence of any fair procedure for determining what is offending material ensures that the Guidelines are ultra vires the Constitution of India.

 

5. Further, the constitutionality of the Guidelines may also be called into question on the grounds that they enlarge and expand the scope of the IT Act beyond what was originally envisaged. The Government is empowered by the IT Act to frame guidelines for the process of due diligence by Intermediaries. The present Guidelines however go well beyond the scope of what could normally be considered “due diligence” and have widened the scope of the IT Act by listing a broad list of information that can be considered unlawful and then requiring Intermediaries to act as a policing agency of the state. It is a settled principle that the conferment of rule-making power by an Act does not enable the rule-making authority to make a rule which travels beyond the scope of the enabling Act or which is inconsistent there with or repugnant thereto. As noted by the Supreme Court,8 a delegate who has been authorised to make subsidiary rules and regulations has to work within the scope of its authority and cannot widen or constrict the scope of the parent Act or the policy laid down thereunder. It cannot, in the garb of making rules, legislate on the field covered by the parent Act and has to restrict itself to the mode of implementation of the policy and purpose of the parent Act.

 

6. To be noted also that the existing procedure involved in interception, monitoring and blocking under Section 69 and 69A will be rendered useless if information can be censored through the offices of an Intermediary. The current Guidelines completely remove the safeguards contained in Section 69 and rules framed thereunder, and would make Intermediaries answerable to virtually any request from any source accusing any website of breaching these Guidelines – this could seriously hamper the business of any online website. Pertinent to note that all rules framed by the government that could have the effect of abrogating a citizen’s fundamental rights must be fair and reasonable. As laid down by the Supreme Court9 “procedure which deals with the modalities of regulating, restricting or even rejection; a fundamental right falling within Article 21 has to be fair, not foolish, carefully designed to effectuate, not to subvert, the substantive right itself. Thus, understood, “procedure” must rule out anything arbitrary, freakish or bizarre. A valuable constitutional right can be canalised only by canalized processes.”

B. Comments on the Information Technology (Guidelines for Cyber Café) Rules, 2011

1. Till date cyber cafes have been regulated under various state laws in particular the Shops and Establishments Act (though specific legislations have been promulgated in Karnataka, Andhra Pradesh, Tamil Nadu, Gujarat and Maharashtra). The recently notified Information Technology (Guidelines for Cyber Cafe) Rules, 2011, (hereinafter the “Cyber Café Rules”) attempts to follow the same principles as in these local state legislations viz:

 

compulsory licensing of cyber cafes

onus is placed on the cyber café to prevent the customer from carrying out unlawful / illegal activities

requiring identification of all customers and logging of the same

require storage of history logs, cache files etc

 

2. A “cyber café” is defined in the Cyber Cafe Rules (following the parent IT Act) as “any facility from where access to the internet is offered by any person in the ordinary course of business to the members of the public”. The said definition thus includes within its ambit all places where the public may have access to the internet, including airports, hotel lobbies, restaurants, etc. This is particularly relevant given the stringent diligence and security procedures required to be followed by all cyber cafes, which in fact extend to specifying physical layouts and dimensions of a cyber café.

 

3. The Cyber Café Rules require the Government to notify a licensing agency to regulate the sector. The said Rules are however silent on the process, conditions, license fee, etc for the grant of a license and appear to leave the matter completely to the designated agency. To be noted that Cyber Cafes are in any event already regulated and require licensing under the Shops and Establishments Act. The additional licensing requirement therefore seems pointless and subject to abuse. Needless to say, the costs as well as the increasing compliance issues will only threaten the penetration of internet in rural and semi-urban areas.

 

4. The Cyber Café Rules require every Cyber Café to record the identity of every user prior to allowing access to a computer resource. This is troublesome not only for the practical difficulties in maintaining records for a cyber café but also for minors who wish to access the internet (who may not have the requisite documents and may not always be accompanied by an adult). It is also advisable that the photographing of users be done only as a last resort. In the case of businesses that offer internet access to the public only as an add-on, without it being a core part of the services provided, (lounges, restaurants etc) these provisions are undoubtedly harsh and unwarranted.

 

5. Every Cyber Café must maintain a record of the users and data usage by each for a period of one year. A monthly log, showing the date wise usage details must be submitted to the relevant agency. The Cyber Café must maintain the following records for at least six months for each user:

 

(i) History of websites accessed using computer resource at cyber cafe

(ii) Logs of proxy server installed at cyber café

(iii) Mail server logs

(iv) Logs of network devices such as router, switches, systems etc. installed at cyber café

(v) Logs of firewall or Intrusion Prevention/Detection systems, if installed.

 

6. To be noted that the Cyber Café Rules do not contain any provisions prohibiting unwarranted or unauthorized disclosure of the records and further do not mandate deletion of records by the Cyber Café after a certain period of time. The aforesaid provisions thus raise serious questions regarding the possible invasion of privacy of users. Monitoring of web history etc over a period of six months can lead to sensitive personal information of a user being exposed and in conjunction with no punishment for disclosure, these provisions could be abused. Further, there does not appear any pressing need for a Cyber Café to maintain such detailed records when merely duration of use and identity of the user would normally suffice.

 

7. The various physical restrictions imposed on cyber cafes will also severely hamper the growth of smaller cyber cafes and industries where internet connectivity is being offered as an add-on. Every computer must be equipped with a safety/filtering software “so as to the avoid access to the websites relating to pornography, obscenity, terrorism and other objectionable materials”. These rules also appear impractical given that (a) they would allow every computer screen to be seen by a bystander thereby invading the privacy and security of every user; (b) may pose practical problems for small Cyber Cafes (c) filtering software is far from perfect and tends to censor a lot of necessary, useful and completely inoffensive material (for example medical information may be censored as pornography).

 

8. Under the Cyber Café Rules, an officer, not below the rank of Police Inspector as authorized by the licensing agency, is authorized to check or inspect a Cyber Café, at any time for compliance. Cyber Café owners must provide all requisite assistance for the same including by producing the registers / logs etc. This provides unfettered discretion to the police to conduct raids on a Cyber Café and appears to be unnecessary. Given that under the Shops and Establishments Act, a procedure for inspection of establishments has already been laid down, it is unwarranted that the Government has laid down a far harsher regime in respect of Cyber Cafes.
9. The aforesaid Cyber Café Rules thus clearly need revision in order to balance security concerns, the practical needs of the industry and the overwhelming need to increase internet penetration in India.

1 Defined in the IT Act as “any person who on behalf of another person receives, stores, or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online auction sites, online market place and cyber cafes.”

2 “(1) Notwithstanding anything contained in any law for the time being in force, but subject to the provisions of subsection (2) and (3), an intermediary shall not be liable for any third party information, data or communication link made available or hosted by him. (2) The provisions of subsection (1) shall apply if – (a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted; or (b) the intermediary does not – (i) initiate the transmission (ii) select the receiver of the transmission, and (iii) select or modify the information contained in the transmission; (c) the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf. (3) The provisions of subsection (1) shall not apply if – (a) the intermediary has conspired or abetted or aided or induced, whether by threats or promise or otherwise, in the commission of the unlawful acts; (b) upon receiving actual knowledge, or upon being notified by the appropriate Government or its agent that any information, or data, or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit the unlawful act, the intermediary fails to expeditiously remove or disable access to that material on that resource without vitiating the evidence in any manner. Explanation – For the purposes of this section the expression “third party information” means any information dealt with by an intermediary in his capacity as an intermediary.”

3Due primarily to (a) the ambiguous nature of the due diligence requirement, (b) no clarity on what was meant by “actual knowledge” and the obligations this would impose on an Intermediary (c) lack of clarity regarding what constitutes altering, modifying information etc.

4 To be noted that in the context of obscenity, in Ranjit Udeshi v State of Maharashtra, AIR 1965 SC 881 the Supreme Court held that “the delicate task of deciding what is artistic and what is obscene has to be performed by courts and as a last resort by the Supreme Court and therefore, the evidence of men of literature or others on the question of obscenity is not relevant.” It logically follows that intermediaries have no business censoring material.

5 Not a violation under the IPC

6 In this context it is also interesting to note that the checks on unbridled executive action in the Indian Telegraph Act, 1885, as noted in the PUCL case, have been removed from the IT Act altogether. In the said case, the Supreme Court noted that the executive could only use the powers it had under the Telegraph Act in the cases of a “public emergency” or in case “public safety is threatened” however these checks have been removed in the case of the IT Act.

7 The Hon’ble Supreme Court has held in numerous cases, notably in The Secretary, Ministry of Information and Broadcasting v. Cricket Association of Bengal, AIR 1995 SC 1236, that “The freedom of speech and expression includes the right to acquire information and to disseminate it. Freedom of speech and expression is necessary, for self expression which is an important means of free conscience and self fulfillment… The right to communicate includes right to communicate through any media that is available whether print or electronic or audio-visual. .. This freedom includes the freedom to communicate or circulate one’s opinion without interference to as large a population in the country as well as abroad as is possible to reach. This fundamental right can be limited only by reasonable restrictions under a law made for the purposes mentioned in Article 19(2) of the Constitution. ” In the context of television, the Supreme Court stated “The broadcasting media should be under the control of the public as distinct from Government. This is the command implicit in Article 19(1)(a). It should be operated by a public statutory corporation whose composition must be such as to ensure its impartiality in political, economic and social matters and on all other public issues… Airwaves being public property, it is the duty of the State to see that airwaves are so utilised as to advance the free speech right of the citizens which is served by ensuring plurality and diversity of views, opinions and ideas. This is imperative in every democracy where freedom of speech is assured.” See also Express Newspapers (Private) Ltd. v. The Union of India, AIR1958 SC 578

8 Agricultural Market Committee v. Shalimar Chemical Works Ltd., (1997)5 SCC 516

9 Maneka Gandhi v. Union of India (1978) 2 SCR 621.