Community Consultation for TRAI + Meredith Whittaker at BIC Hello everyone! There are 2 upcoming events of interest to those involved in privacy, tech policy, and AI. more
Social Media networks and platforms, chat and messaging applications, photo and video sharing services have radically transformed the internet landscape in India and elsewhere in the last decade. User generated content has allowed diverse voices to create and share views, political opinions, dance videos, movie and music commentaries.
While the platforms and networks have encouraged these voices, there is also a growing concern1 over the sharing of potentially offensive material such as pornographic content, child sexual abuse material (CSAM), hate speech and violent content often not suitable for the wide audience such platforms caters to.
The INFORMATION TECHNOLOGY (GUIDELINES FOR INTERMEDIARIES AND DIGITAL MEDIA ETHICS CODE) RULES, 2021 notified by the Ministry of Electronics and Information Technology (MEITY), together with the Ministry of Information and Broadcasting (MIB), Government of India – under the IT Act 2000, seeks to monitor and control user generated content and provide firm guidelines for social media Intermediaries, digital news publications and other organizations who host or transfer content on the internet.
The Rules were notified in February 2021, and went into effect in May 2021. Organizations and individuals have challenged the Rules on various counts2 – including their applicability under the parent law. Large platforms and social media networks have expressed concern about implementation and compliance.
Privacy Mode, a hub for conversations around privacy, data security and compliance, conducted a two-part research project seeking to understand the impact of the Rules on organizations and employees in the tech ecosystem who might be responsible for implementing the Rules and achieving compliance in tech and media products.
A qualitative study of Social Media Platforms, Digital News Publications, and Cloud Computing services providers, was undertaken to look at the possible impact on encryption, traceability, compliance, applicability of law among others, was conducted in May-June 2021; and a quantitative survey of tech workers across India, looking at awareness, professional and personal impact, work flows and requirements, was conducted in June-July 2021.
This report is a comprehensive analysis of both surveys and presents a rounded picture of the impact of the IT Rules 2021 on organizations and its employees. This research report also looks at larger questions and concerns about privacy, freedom of expression and speech given the discursive debates around responsible tech, digital platforms and ethics, and impact on society and individuals.
By definition, the ‘Rules’ framed for any law in India are ‘Subordinate Legislation’ or ‘Delegated Legislation’. While laws are made by the Parliament/Legislature, Rules are made by the Executive i.e., the Government of India, to fulfill the requirements of the parent law. In Indian democracy, it is only the Legislative that can make laws. The Executive can only implement them. If the law says ‘XYZ has to be accomplished’, rules can frame the methods in which ‘XYZ’ can be accomplished. However, in the case of IT Rules 2021, the Rules are seen as overarching and exceeding the parent law.
Notified under the Information Technology Act, 20003 , which provides ‘Safe Harbour’ status to digital intermediaries, the Rules are ultra vires of the parent Act and seek to regulate activities that have no mention in it. Further, bringing digital news publishers under the ambit of the Rules, is unconstitutional and ultra vires of the IT act, as news websites do not fit the definition of ‘Intermediaries’ given under the Act4.
Further, the activities of news publishers and media are regulated by the Ministry of Information and Broadcasting (MIB)5, and thus excluded from the ambit of the IT Act. Concerns emerged that the Rules – which did not pass through the legislative body – sought to curtail rights and laws that did emerge from due legislative process.
Further, with existing guidelines under the Press Council Act that govern news organizations, the Rules are seen as overarching and drafted to censor specific media channels and outlets.
The Rules require intermediaries to identify the first originator of messages deemed objectionable. This implies that messaging platforms and social networking sites will have to significantly alter their product (and the technology underlying products) to comply. This is again not governed by the parent act, and is therefore unconstitutional. The Rules also operate from a position of assumed guilt, where all conversations and communications are expected to be scanned for potentially offensive material, and traced back to the original sender. This is against the assumption of innocence enshrined in the legal system operating in the country.
Breaking encryption and implementing traceability, a fundamental requirement of the new Rules, have international legal implications, as messaging services and social media platforms will need to alter the underlying technical architecture of their products or services - or at least have a different product and user experience for Indian users. Since this cannot be implemented for users in India alone and will affect every user of the services across the world, these social media intermediaries will be in violation of international laws governing user privacy and security, thus inviting legal costs.
The Rules are seen as violating freedom of expression guaranteed in the Indian constitution by implementing traceability, which breaks encryption. Privacy, also a fundamental right as determined by the Supreme Court of India, is increasingly seen as a ‘make-or-break’ feature of all websites, apps, products, and services. Privacy operates from a position of assumption of innocence of the user. The Rules, by enforcing traceability, violate the fundamental rights of Indian citizens by reducing privacy to a conditional service, and not a constitutional guarantee
When the IT Rules came into effect in May 2021, they were criticized for imposing high costs of compliance, including legal and personal liability attached to employees of social media organizations. In the case of the office of the Chief Compliance Officer (CCO), liability extended even after the CCO retired from office. Every social media and news organization surveyed during this research pointed to the personal liability attached to the role of the CCO, grievance and nodal officers as imposing financial and legal costs on their organizations.
Proactive content filtering requirements will impact human resources requirements, demand changes in product and business operations, thereby significantly increasing costs. Traceability clauses under the Rules require extensive overhaul of messaging services and social networking platforms’ core architecture, requiring significant monetary and human resource investment.
Further, respondents in the Focus Group Discussions (FGDs) believed that ease of doing business will diminish given the stringent compliance regime and employee impact.
The Rules are also framed vaguely and arbitrarily, leading to confusion over operating clauses. Additionally, they have stringent reporting requirements. This will affect all organizations, especially small and medium enterprises, financially, and otherwise.
In addition to the legal and ethical concerns emerging from implementation of the Rules, there are knowledge, awareness, and skill gaps across a representative sample of the IT industry, which may impact the ability of organizations to comply with the IT Rules.
Software developers in junior and mid-level roles in IT organizations believe their workload will increase with the IT Rules. Respondents hinted at their jobs now requiring them to do more documentation and reporting, and their role in achieving compliance in the company’s product as increasing their workload.
Industry representatives however felt that tech workers and product managers will fundamentally need knowledge in, or retraining in, privacy features, content filtering and user experience, in order to fully comply with the Rules. Experts in the industry believe that more than just technical skills or knowledge, what is missing is also perspective and understanding of how executing the Rules will impact users of media and tech products.
As noted above, encryption and traceability requirements of the Rules will mean major changes in products, especially user experience and inability to safeguard privacy of Indian users under the IT Rules. Implementing features such as voluntary verification will need product managers to acquire new skills and knowledge. Tech workers will need to learn how to work in coordination with legal teams. Given the implementation of the IT Rules, each content takedown request will have to be serviced on a case-by-case basis. This will impact scale and standard operating procedures in organizations, or will result in organizations relying more heavily on automation to censor content proactively (and to avoid being served takedown notices). In both cases, users of these products will bear the brunt, where their freedom of speech and expression will be reduced drastically.
Individual chapters and sections of the report are presented as submissions. Scroll down to read them.
Nadika Nadja is a researcher at Hasgeek. She has worked across advertising, journalism, TV and film production as a writer, editor and researcher.
Bhavani S is a Research Associate at Hasgeek. She has previously worked for the Centre for Budget and Policy Studies (CBPS), Microsoft Research India, and the University of Michigan, Ann Arbor.
Anish TP illustrated the report. Satyavrat KK provided research and editorial support. David Timethy and Zainab Bawa were project managers for producing this report. Kiran Jonnalagadda and Zainab Bawa advised on research design and execution.
We would like to thank the following individuals who provided feedback during different stages of the research. Their feedback helped the team fine-tune and bring rigour to the research process.
- Suman Kar, founder of security firm Banbreach, for reviewing early drafts of the quantitative research questionnaire, and providing detailed inputs on survey design.
- Prithwiraj Mukherjee, Assistant Professor of Marketing at IIM-Bangalore, for reviewing early drafts of the quantitative research questionnaire, and providing detailed inputs on survey design.
- Chinmayi SK, Founder of The Bachchao Project, for reviewing and providing feedback on the final report and conclusions
While Hasgeek sought funding from organizations, the research itself was conducted – with full disclosure at all stages – independently and objectively. The findings do not reflect any individual organization’s needs.
Unicef: Growing concern for well-being of children and young people amid soaring screen time (2021) - https://www.unicef.org/press-releases/growing-concern-well-being-children-and-young-people-amid-soaring-screen-time ↩︎
LiveLaw: Supreme Court Lists Centre’s Transfer Petitions, Connected Cases After 6 Weeks
India Code: The Information Technology Act 2000 https://www.indiacode.nic.in/bitstream/123456789/1999/3/A2000-21.pdf ↩︎
India Code: IT Act Definitions https://www.indiacode.nic.in/show-data?actid=AC_CEN_45_76_00001_200021_1517807324077§ionId=13011§ionno=2&orderno=2 ↩︎
Impact of IT Rules on tech workers’ ecosystem - professional concerns
As discussed in the chapter on respondent profiles, a quantitative survey was conducted with tech workers to assess awareness, understanding and impact of the IT Rules.
The survey helped to gain insights about the following questions:
- As frontline workers who will be tasked with implementing compliance for the mandates in the IT Rules, are developers, designers and product managers aware of the law and its impact on users of the products they build?
- In what ways do tech workers’ personal and professional opinions about IT Rules differ? How do the differences in the impact on professional and personal lives influence their decision to voice/not to voice concerns about the IT Rules and their participation in advocacy?
- Do tech companies invest in training workers about the law and legalese, and hold internal discussions about the consequent changes in processes, product, workflows and impact on customers?
- Do tech workers have access to independent forums, and resources to learn about IT Rules outside their organizations?
Questions were accordingly included in the survey to draw out data about tech workers’ professional and personal concerns regarding IT Rules.
Quantitative survey respondents were broadly engaged in one or more of the following three activities:
From these activities, we can approximately conclude that the broad category of tech workers who participated in this survey included software developers, designers and product managers (whose primary work responsibility is documentation)1. Each profile will be differently involved in the organization’s work on compliance with IT Rules. Therefore, opinions about the professional impact of IT Rules among these profiles varies2. Our hunch is that about one year after the enforcement of the IT Rules, it will be important to survey Product Managers, especially from media-tech organizations, because they will play a pivotal role in defining product features and specs to comply with IT Rules. This will have a big impact on Indian users’ experience and privacy.
This section is divided into the following three sub-sections to explain the findings:
- Description and analyses of work-related concerns (and impact of IT Rules) among developers, designers and product managers.
- Analyses and inferences about personal concerns with IT Rules.
- Conclusions about advocacy and participation among tech workers on tech-policy issues.
In this chapter, we will look at the work-related concerns.
In the survey, we asked tech workers how their professional roles, reporting structures and relationships within their organizations, and overall job security will be impacted by the IT Rules. The survey’s findings show that work-related concerns do not necessarily influence tech workers to to voice concerns - individually or collectively - about tech-policies such as IT Rules because their fundamental sense of job security is not threatened.
About 44% of the respondents from small, medium and large organizations opined that the IT Rules will impact organizational processes and workflows. This impact was perceived by all three roles i.e., software development, design and documentation. While the survey did not dig deeper into the specifics of workflow and process changes, the intent of this question was to understand respondents’ perceptions about how the legislation might affect their work, and transform their relationship with the structure and hierarchies in the organization.
Despite the perception that organizational processes and workflows will be impacted by IT Rules 2021, when asked about effects on organization structure, 59% of the respondents opined that there will be no effect.
|Size||Strongly benefit||Offer some benefits||No effect||Pose challenges||Seriously harm||N/A||Grand Total|
IT Rules 2021 require organizations to hire for new roles such as the CCO and Nodal Officers. However, for frontline tech workers, there is no real impact of the presence of these officers because they don’t necessarily interact with these officers. The CCO and Nodal Officers are more likely to interact with the business heads and CXO teams. Frontline workers only have to follow the leadership’s mandates, especially in large organizations.
We also know from previous research that tech workers are rarely aware of the powers and jurisdictions that specialized roles such as the Chief Data Officer (CDO) and Privacy Officers have in their organizations. For example, the research on “Privacy Practices in the Indian Technology Ecosystem” shows that 52% of the respondents in the study reported lack of awareness about the CDO’s or Compliance Officer’s power to veto product decisions if there were real data privacy concerns3.
One of the direct impacts of any policy is compliance related work once implementation is done. Compliance processes and workflows have to be codified in every organization. Hence, tech workers will likely experience an increase in the initial workload. Later, depending on the compliance-related tasks and their periodicity - whether monthly, quarterly, half-yearly or annually - tech workers will see an increase in their responsibilities and tasks. The survey results show that 41% of the respondents perceived an increase in their daily workload.
|Size||No it won’t||Cannot Say||Yes it will||N/A||Grand Total|
Among coding, design and documentation tasks, workload increase was perceived as maximum for coding-related tasks.
|Size||Fewer tasks||Same amount of tasks||More tasks||N/A||Grand Total|
In a session on IT Rules conducted by Medianama, Kawaljit Singh Bedi, CTO at NDTV, explained the steps involved in doing compliance for IT Rules:
- Anyone can file a complaint against any intermediary. The intermediary has to respond within 24 hours. The intermediary must also take a decision within 15 days on how to act on the complaint.
- All action taken for a complaint has to be put on a ‘publicly displayed website’. Information about the details of the complaint received, response the intermediary gave, and the action taken have to be mentioned on the public website.
Kawaljit concluded that such compliance involves a great deal of paperwork and is very onerous. He also explained that organizations cannot reduce the burden of compliance by programming technical filters for batching complaints that can be sent to the junior staff to handle. This is because every complaint has to be treated with the same level of seriousness, where the company’s legal personnel, compliance officer and editor(s) have to be consulted on how to respond to the complaint and what action has to be taken4.
Corresponding to Kawaljit’s point about the requirement to document complaints and complaints handling process, survey respondents also reported an increase in documentation tasks i.e., many respondents perceived that documentation and reporting requirements will go up as part of the compliance with the IT Rules.
|Role||Fewer tasks||Same amount of tasks||More tasks||N/A||Grand Total|
|None of the above||0.50%||5.53%||6.53%||1.0%||13.56%|
Most respondents reported no impact on their job security, though 28% of the respondents expressed challenges to their job security. It is unclear whether the latter group felt that the challenges to their job security will stem from their personal opinions about the IT Rules (and if these are expressed in public forums). Nevertheless, the point of this question was to understand whether a law has the effect of putting an entire segment of workers in industry and society into uncertainty, which then leads to larger changes including increased consciousness among workers. The IT sector has often been considered a producer of precarious work5, due to the long hours, lack of protection and large-scale retrenchment6. It is therefore important to understand whether tech workers are sensitive to any changes in policy that might affect their job security.
|Size of org||Strongly benefit||Offer some benefits||No effect||Pose challenges||Seriously harm||N/A||Grand Total|
|Roles||Strongly benefit||Offer some benefits||No effect||Pose challenges||Seriously harm||N/A||Grand Total|
|None of the above||1.00%||0.50%||4.52%||4.52%||2.01%||1.00%||13.55%|
Similarly, across coding, design and documentation, nearly 50% of the tech workers don’t see any significant impact on job security.
To probe further into how tech workers perceived the impact of IT Rules on their organizations and consequently on job security, we asked questions about upskilling, cost of compliance and likelihood of criminal liability on their organizations, and other such fallouts of the IT Rules
Despite the vehement agreement about increase in workload and compliance-related tasks, tech workers do not simultaneously perceive the need to learn new skills to do compliance. Perhaps this reticence about learning new skills also stems from the fact that no new job opportunities will open up as a result of IT Rules, as discussed above.
As the table below shows, 42% of the respondents felt that the IT Rules will pose challenges to their organizations in terms of costs of compliance and increase in associated expenses. Interestingly, respondents from medium-sized organizations were most vocal about the increase in costs of compliance to their organizations.
|Size of organization||Strongly benefit||Offer some benefits||No effect||Pose challenges||Seriously harm||N/A||Grand Total|
To probe work-related concerns further, the survey asked tech workers to share concerns about whether their organizations will be punished or held criminally liable owing to non-compliance.
|Size of the organization||Yes||I have read the rules but I am unsure||I have not read the rules and I don’t know||No||N/A||Other||Grand Total|
Nearly 33% of the respondents share the fear of punishment and criminal liability for their organizations. More than 50% of the respondents were either unsure or unaware whether IT Rules will impose such penalties on their organizations. Among respondents who said that the Rules will not impact their organizations, they likely viewed the Rules as applicable only to media-tech organizations, and not applicable to their organizations/workplaces which operated in other domains.
Overall, tech workers opined that they were unable to predict the impact of IT Rules on their professional lives, including questions about changes in job roles, job security and even the need for upskilling.
In this chapter, we have discussed how tech workers perceive the impact of IT Rules on their professional lives, including changes in the structure, workflows and processes inside their organizations. Tech workers are unable to fathom the impact of the IT Rules in this regard.
As explained in the chapter on respondent profiles, awareness about IT Rules is far lesser among the lower rungs of the organizational hierarchy i.e., tech workers in junior roles - less than 5 years’ experience - have less awareness and therefore understanding about the Rules. It is unclear whether organizations make significant investments in creating awareness about tech-policy developments and impact on business/product among junior tech workers.
Privacy Mode’s research on privacy practices in the technology ecosystem found that over a third of respondents’ organizations lacked forums in which employees can discuss and debate privacy needs and tools. The current survey substantiates this finding, in that tech workers feel they lack the know-how and/or spaces to discuss how IT Rules will impact their work and how they can mitigate any effects. This lack of awareness leads to vacuums inside organizations, as tech workers don’t understand the impact of their work (in relation to tech-policy implementation) on their organization and on society in general.
The tech workers’ survey reveals that the strongest professional impact of the IT Rules is the increase in workload and compliance-related tasks. As we saw, tech workers reported a potential increase in coding and documentation tasks following enforcement of IT Rules.
Finally, tech workers reported fears and concerns of criminal liability and punitive action on their organization due to non-compliance. Despite this fear, respondents did not report threats to job security. Since there is no immediate fear of losing jobs, and neither is there awareness of the larger impact of IT Rules on their organizations, tech workers do not feel urgency or the need to voice concerns about the legality and unconstitutional nature of IT Rules in the public domain. Instead, they are more concerned about the impact of IT Rules on their personal lives, but are reticent to articulate the same. We examine personal concerns in the next chapter.
Respondents’ personal information such as company name and designation were not asked in the survey questionnaire. This was done to preserve respondents’ privacy and anonymity. ↩︎
Opinions about the impact of IT Rules on work also depend on the domain that individual respondents are working in. For example, a product manager from a health-tech firm concluded that IT Rules are not of direct concern for their organization. Instead, HIPAA compliance is far more important. ↩︎
Hasgeek: Privacy practices in the Indian technology ecosystem https://hasgeek.com/PrivacyMode/privacy-in-indian-tech-2020/sub/analysis-of-survey-responses-KKbY5mYjoDtZuP3d62fHsX ↩︎
Medianama: The Impact of IT Rules 2021 on News https://www.youtube.com/watch?v=tEb0YHQSWLo&t=223s ↩︎
Platypus, the CASTAC blog: Precarity, Exclusion, and Contract Work in the Tech Industry https://blog.castac.org/2019/05/precarity-in-tech/ ↩︎
Livemint: Mass Layoffs Brewing in IT Sector Amid Uncertainties https://www.livemint.com/companies/news/mass-layoffs-brewing-in-it-sector-amid-uncertainties-11594174446353.html ↩︎