Community Consultation for TRAI + Meredith Whittaker at BIC Hello everyone! There are 2 upcoming events of interest to those involved in privacy, tech policy, and AI. more
Social Media networks and platforms, chat and messaging applications, photo and video sharing services have radically transformed the internet landscape in India and elsewhere in the last decade. User generated content has allowed diverse voices to create and share views, political opinions, dance videos, movie and music commentaries.
While the platforms and networks have encouraged these voices, there is also a growing concern1 over the sharing of potentially offensive material such as pornographic content, child sexual abuse material (CSAM), hate speech and violent content often not suitable for the wide audience such platforms caters to.
The INFORMATION TECHNOLOGY (GUIDELINES FOR INTERMEDIARIES AND DIGITAL MEDIA ETHICS CODE) RULES, 2021 notified by the Ministry of Electronics and Information Technology (MEITY), together with the Ministry of Information and Broadcasting (MIB), Government of India – under the IT Act 2000, seeks to monitor and control user generated content and provide firm guidelines for social media Intermediaries, digital news publications and other organizations who host or transfer content on the internet.
The Rules were notified in February 2021, and went into effect in May 2021. Organizations and individuals have challenged the Rules on various counts2 – including their applicability under the parent law. Large platforms and social media networks have expressed concern about implementation and compliance.
Privacy Mode, a hub for conversations around privacy, data security and compliance, conducted a two-part research project seeking to understand the impact of the Rules on organizations and employees in the tech ecosystem who might be responsible for implementing the Rules and achieving compliance in tech and media products.
A qualitative study of Social Media Platforms, Digital News Publications, and Cloud Computing services providers, was undertaken to look at the possible impact on encryption, traceability, compliance, applicability of law among others, was conducted in May-June 2021; and a quantitative survey of tech workers across India, looking at awareness, professional and personal impact, work flows and requirements, was conducted in June-July 2021.
This report is a comprehensive analysis of both surveys and presents a rounded picture of the impact of the IT Rules 2021 on organizations and its employees. This research report also looks at larger questions and concerns about privacy, freedom of expression and speech given the discursive debates around responsible tech, digital platforms and ethics, and impact on society and individuals.
By definition, the ‘Rules’ framed for any law in India are ‘Subordinate Legislation’ or ‘Delegated Legislation’. While laws are made by the Parliament/Legislature, Rules are made by the Executive i.e., the Government of India, to fulfill the requirements of the parent law. In Indian democracy, it is only the Legislative that can make laws. The Executive can only implement them. If the law says ‘XYZ has to be accomplished’, rules can frame the methods in which ‘XYZ’ can be accomplished. However, in the case of IT Rules 2021, the Rules are seen as overarching and exceeding the parent law.
Notified under the Information Technology Act, 20003 , which provides ‘Safe Harbour’ status to digital intermediaries, the Rules are ultra vires of the parent Act and seek to regulate activities that have no mention in it. Further, bringing digital news publishers under the ambit of the Rules, is unconstitutional and ultra vires of the IT act, as news websites do not fit the definition of ‘Intermediaries’ given under the Act4.
Further, the activities of news publishers and media are regulated by the Ministry of Information and Broadcasting (MIB)5, and thus excluded from the ambit of the IT Act. Concerns emerged that the Rules – which did not pass through the legislative body – sought to curtail rights and laws that did emerge from due legislative process.
Further, with existing guidelines under the Press Council Act that govern news organizations, the Rules are seen as overarching and drafted to censor specific media channels and outlets.
The Rules require intermediaries to identify the first originator of messages deemed objectionable. This implies that messaging platforms and social networking sites will have to significantly alter their product (and the technology underlying products) to comply. This is again not governed by the parent act, and is therefore unconstitutional. The Rules also operate from a position of assumed guilt, where all conversations and communications are expected to be scanned for potentially offensive material, and traced back to the original sender. This is against the assumption of innocence enshrined in the legal system operating in the country.
Breaking encryption and implementing traceability, a fundamental requirement of the new Rules, have international legal implications, as messaging services and social media platforms will need to alter the underlying technical architecture of their products or services - or at least have a different product and user experience for Indian users. Since this cannot be implemented for users in India alone and will affect every user of the services across the world, these social media intermediaries will be in violation of international laws governing user privacy and security, thus inviting legal costs.
The Rules are seen as violating freedom of expression guaranteed in the Indian constitution by implementing traceability, which breaks encryption. Privacy, also a fundamental right as determined by the Supreme Court of India, is increasingly seen as a ‘make-or-break’ feature of all websites, apps, products, and services. Privacy operates from a position of assumption of innocence of the user. The Rules, by enforcing traceability, violate the fundamental rights of Indian citizens by reducing privacy to a conditional service, and not a constitutional guarantee
When the IT Rules came into effect in May 2021, they were criticized for imposing high costs of compliance, including legal and personal liability attached to employees of social media organizations. In the case of the office of the Chief Compliance Officer (CCO), liability extended even after the CCO retired from office. Every social media and news organization surveyed during this research pointed to the personal liability attached to the role of the CCO, grievance and nodal officers as imposing financial and legal costs on their organizations.
Proactive content filtering requirements will impact human resources requirements, demand changes in product and business operations, thereby significantly increasing costs. Traceability clauses under the Rules require extensive overhaul of messaging services and social networking platforms’ core architecture, requiring significant monetary and human resource investment.
Further, respondents in the Focus Group Discussions (FGDs) believed that ease of doing business will diminish given the stringent compliance regime and employee impact.
The Rules are also framed vaguely and arbitrarily, leading to confusion over operating clauses. Additionally, they have stringent reporting requirements. This will affect all organizations, especially small and medium enterprises, financially, and otherwise.
In addition to the legal and ethical concerns emerging from implementation of the Rules, there are knowledge, awareness, and skill gaps across a representative sample of the IT industry, which may impact the ability of organizations to comply with the IT Rules.
Software developers in junior and mid-level roles in IT organizations believe their workload will increase with the IT Rules. Respondents hinted at their jobs now requiring them to do more documentation and reporting, and their role in achieving compliance in the company’s product as increasing their workload.
Industry representatives however felt that tech workers and product managers will fundamentally need knowledge in, or retraining in, privacy features, content filtering and user experience, in order to fully comply with the Rules. Experts in the industry believe that more than just technical skills or knowledge, what is missing is also perspective and understanding of how executing the Rules will impact users of media and tech products.
As noted above, encryption and traceability requirements of the Rules will mean major changes in products, especially user experience and inability to safeguard privacy of Indian users under the IT Rules. Implementing features such as voluntary verification will need product managers to acquire new skills and knowledge. Tech workers will need to learn how to work in coordination with legal teams. Given the implementation of the IT Rules, each content takedown request will have to be serviced on a case-by-case basis. This will impact scale and standard operating procedures in organizations, or will result in organizations relying more heavily on automation to censor content proactively (and to avoid being served takedown notices). In both cases, users of these products will bear the brunt, where their freedom of speech and expression will be reduced drastically.
Individual chapters and sections of the report are presented as submissions. Scroll down to read them.
Nadika Nadja is a researcher at Hasgeek. She has worked across advertising, journalism, TV and film production as a writer, editor and researcher.
Bhavani S is a Research Associate at Hasgeek. She has previously worked for the Centre for Budget and Policy Studies (CBPS), Microsoft Research India, and the University of Michigan, Ann Arbor.
Anish TP illustrated the report. Satyavrat KK provided research and editorial support. David Timethy and Zainab Bawa were project managers for producing this report. Kiran Jonnalagadda and Zainab Bawa advised on research design and execution.
We would like to thank the following individuals who provided feedback during different stages of the research. Their feedback helped the team fine-tune and bring rigour to the research process.
- Suman Kar, founder of security firm Banbreach, for reviewing early drafts of the quantitative research questionnaire, and providing detailed inputs on survey design.
- Prithwiraj Mukherjee, Assistant Professor of Marketing at IIM-Bangalore, for reviewing early drafts of the quantitative research questionnaire, and providing detailed inputs on survey design.
- Chinmayi SK, Founder of The Bachchao Project, for reviewing and providing feedback on the final report and conclusions
While Hasgeek sought funding from organizations, the research itself was conducted – with full disclosure at all stages – independently and objectively. The findings do not reflect any individual organization’s needs.
Unicef: Growing concern for well-being of children and young people amid soaring screen time (2021) - https://www.unicef.org/press-releases/growing-concern-well-being-children-and-young-people-amid-soaring-screen-time ↩︎
LiveLaw: Supreme Court Lists Centre’s Transfer Petitions, Connected Cases After 6 Weeks
India Code: The Information Technology Act 2000 https://www.indiacode.nic.in/bitstream/123456789/1999/3/A2000-21.pdf ↩︎
India Code: IT Act Definitions https://www.indiacode.nic.in/show-data?actid=AC_CEN_45_76_00001_200021_1517807324077§ionId=13011§ionno=2&orderno=2 ↩︎
Impact of IT Rules on tech workers’ ecosystem - personal concerns; impact on participation and advocacy
This chapter is divided into two sections:
- Impact of IT Rules on personal lives, mainly freedom of speech and expression, and privacy.
- Lack of empowerment with respect to participation and advocacy in tech-policy issues despite personal concerns.
Over 50% of the respondents believe their freedom of speech will be seriously harmed.
Over 70% of the respondents felt that their individual privacy will be affected by the IT Rules. This cuts across organization size and nature of work.
Related to this is the concern that speaking up about the harmful effects of the IT Rules will lead to repercussions from the government, potentially in terms of intimidation and punitive action.
Concerns about freedom of speech and expression, and privacy stem mainly from the IT Rules mandate to break encryption and to determine the first originator of offensive messages. The presumption of guilt, where every individual is by default deemed as a potential harm creator, adds to the fear that tech workers’ privacy will be invaded. These concerns were voiced most vociferously in the FGD held with Public Interest Technologists in May 2021.
Tech workers engage in a number of practices to protect individual privacy, including use of VPNs to access websites and applications which have been blocked by their ISPs, use of tools to prevent browsers from ad targeting, etc. With the IT Rules and the presumption of guilt, tech workers are concerned whether surveillance on these practices will increase. Governments across the world have, from time to time, deemed such practices as “criminal” to prevent their widespread use. Similar concerns emerged during the session with PyDelhi Community on IT Rules where software programmers asked public policy expert Udbhav Tiwari questions about how their use of mesh networks, Tor and other privacy preserving tools will be affected by the IT Rules.1
How will the developer community be affected by the IT Rules: Developers will have to be a lot more careful about what they say in such platforms and must choose platforms that are likely to not be blocked. For those developers who want to build start-ups, they have to take into consideration the obligations of the IT Rules and the resources required to comply.
How does the use of Tor services get impacted by IT Rules: Tor either needs to change its features in India, or it might get blocked. Tor services can be degraded and users can be disincentivised by the government.
How will mesh networks be impacted: For mesh networks, government can enforce their Rules against owners/operators, and if they don’t comply, they will either lose safe harbour (which could lead to them being blocked) or be allowed to function after making product changes, as with other intermediaries.
Expanding on the traceability argument and how it may be implemented: Traceability provision was created to trace illegal content. Intermediaries will either have to break encryption or implement traceability in a manner that increases data collection (if at all). On the flip side, they can get banned or taken to court.
The survey data presented here, previous research about privacy practices and beliefs[^privacy-tech survey], and anecdotal accounts show that tech workers lack spaces in which they can speak about these concerns, and often do not feel empowered enough to do so. Any organization or forum looking to address this concern must make available knowledge and legal resources, and create safeguards for members/employees, in order to encourage them to raise concerns publicly, without fear of losing their jobs.
The impact of IT Rules on personal lives was felt even more because of the lack of three critical resources:
- Lack of knowledge and awareness about the intricacies of the law: Respondents believed that they do not have the means to speak up openly about IT Rules because they are unsure about the legal challenges to these Rules, and how the Rules stand the test of legality and constitutionality in a court of law. A similar concern was witnessed when startup founders were flummoxed by the Non Personal Data (NPD) framework and the short time frame set by the ministry to give comments on the framework2. They were concerned that a framework laced with extensive legalese and lack of a forum to discuss each clause and its impact, prevented them from representing their concerns in a comprehensive manner.
This gap in awareness is compounded by the lack of resources to learn about new regulations, and avenues to discuss concerns about how laws can affect professional and personal lives. The survey results show that if tech workers are to learn about IT Rules and similar laws, they prefer to go to digital advocacy groups such as the Internet Freedom Foundation (IFF) for information and awareness.
| Experts Preferred | Response Percent |
|--- |---: |
| Professional advocacy organizations such as Internet Freedom Foundation (IFF) or similar | 60.40% |
| Newsletters/shows by commentators | 26.24% |
| Discussion groups or events that cover such topics | 47.52% |
| Chat groups of friends/peers | 41.09% |
| I have a contact I usually ask | 13.86% |
| None/other | 11.39% |
Tech workers also rely heavily on social media platforms and digital news publications for information and awareness about IT Rules. Mainstream news media and legacy print publications are not high on their sources of learning about tech-policy developments.
| Awareness | Other | TV shows/TV News Broadcast | Grand Total |
|--- |---: |---: |---: |
| I think I remember seeing something. | 81.82% | 18.18% | 100.00% |
| N/A | 100.00% | - | 100.00% |
| No | 83.33% | 16.67% | 100.00% |
| Somewhat. I saw some headlines. | 92.96% | 7.04% | 100.00% |
| Yes. I followed the news closely. | 88.89% | 11.11% | 100.00% |
| Yes. I read the rules in detail. | 92.31% | 7.69% | 100.00% |
| Grand Total | 89.45% | 10.55% | 100.00% |
Going forward, if IT Rules censor digital media heavily, there will be a further impact on the awareness that tech workers can build about such regulations, further complicating existing problems of a poorly informed citizenry.
Lack of legal resources and absence of formal and informal forums and advocacy organizations at an industry or sector level that can act as ‘speakeasy’ for employees, and protect their rights is a big gap that this research points to. The survey data reveals that 91% of the respondents believe that IT Rules should either be repealed or amended. But when asked which organizations they trust for advocacy and litigation about IT Rules, the first preference again was for digital rights groups such as IFF and Software Freedom Law Center (SFLC), not an industry body or association.
Organizations preferred for Representation Response Percentage Advocates for digital rights - Eg: Internet Freedom Foundation, SFLC 77.37% Advocates for FOSS - Eg: FSMI, FOSS United 46.84% Organizations behind large public projects, like Mozilla and Wikimedia 59.47% Big Tech organizations like Google, Amazon, Facebook, etc 64.74% Industry bodies such as ASSOCHAM, FICCI, etc 41.05% Startup related organizations and associations 32.63% Others 13.68%
Lack of legal resources such as legal counsel and lawyers and monetary resources required for litigation and larger campaigning efforts for speaking up about IT Rules: this dearth is most succinctly expressed in the words of a developer working in a media-tech startup,
“Also what is constantly interesting is that the questionnaires that I have responded to seem to try to understand the money power to fight back (the IT Rules) by small companies. It is hard to even find lawyers. We are again forced to bombard the same SFLC and IFF lawyers who are already overloaded. What I think the community is missing is the legal support to not just fight the law, but to fight issues on specific cases.”
Unsurprisingly, 65% of the respondents have mentioned that big tech firms can represent and do advocacy on IT Rules. FAANG companies have the wherewithal and the resources to do the same.
The survey responses and data analyses clearly show that tech workers feel certain and reassured with respect to the security of their professional lives i.e., there is no real threat to their job security from the IT Rules or that their organizations will be negatively impacted to the extent of closure of business. It will be important to survey the tech industry and the media tech industry one year after the enforcement of the IT Rules to assess more carefully whether tech workers experience mental stress from implementing the compliance work for IT Rules i.e., tracking messages, filtering content, fulfilling content takedown requests etc. We draw this analysis from the negative stress and mental health pressures that workers in back offices of social media platforms face when they have to filter and censor content under organizational mandates.
At present, tech workers are most impacted by the IT Rules personally. Here too, there is no vocalization of the concerns publicly, owing to the factors explained above. The way forward from here is for existing tech communities to actively discuss privacy and law-related concerns, thereby encouraging more tech workers to join these forums.
Of the 200+ tech workers we surveyed, and the representatives and experts we spoke to, the majority agree that there are deep concerns in the way the Rules have been formulated and that it needs to change.
Interestingly, over 57% of the survey respondents felt they didn’t have the means to speak up about the IT Rules.
When probed further, a large number of respondents feared government repercussions for doing so, thus signifying an atmopshere of fear and intimidation that is created by the IT Rules and policies that are implemented to increase surveillance on individuals and communities.
Civil society has been consistently battling for consultations that take into consideration the very people these policies attempt to regulate. As a respondent in the qualitative interviews says,
“My experience of the last like 10-12 odd years, looking at how things have evolved in India, is that the impetus for change has come from civil sector organizations rather than from the government. You can literally count the number of people in the government, both establishment and anti-establishment, who advocated for strong user protections and user rights. That number in the civil society context continues to grow.”
There is a growing need for building awareness among members of the tech worker community. The focus of the awareness building cannot just be on the technical aspects of product development, but also on legal and ethical concerns, and therefore the impact of the work that tech workers do, on society. As an interviewee mentioned,
“Look, the most tempting solution is regulation. But that immediately raises the next question: ‘who regulates’. Is the government that is in power in India currently - do I trust it with regulating social media? I don’t. Do I trust progressive governments with regulating social media? I don’t. What has to happen is that stakeholders like yourselves, myself and a whole host of other entities whose interests are directly being affected by how these companies are governed, they need to have a bigger seat at the table. And it has to be a consultative process through which we come upon what could potentially look like regulation.”
[^privacy-tech survey]: Hasgeek: Privacy practices in the tech ecosystem 2020. The survey results show that “Over a fifth of respondents across all organization sizes say there is a lack of a peer group across the tech ecosystem to discuss and find solutions to privacy concerns. This lack was felt both within the organization and outside of it. This points to a larger concern where even those who may want to implement privacy-respecting features in products or services do not have the adequate support or use-cases to guide them.” Read summary of findings of this survey at https://hasgeek.com/PrivacyMode/privacy-in-indian-tech-2020/
Hasgeek: Summary of the session on IT Rules, organized for PyDelhi community. https://hasgeek.com/PrivacyMode/it-rules-il-guidelines-2021/updates/summary-of-session-on-impact-of-it-rules-on-open-s-X38gvuUgBEsUCLkhD4dtfr ↩︎
Hasgeek - Fifth Elephant: Impact of NPD. This feedback from the community resulted in Privacy Mode’s research on the impact of Non Personal Data on innovation and privacy. https://hasgeek.com/fifthelephant/impact-of-npd/ ↩︎