Two days ago, the Government of India banned 59 mobile apps. The reasons for this include national security and protection of user privacy and security. This sets a concerning precedent and may be a singular action of web censorship that has impacted more people India than ever before. In this post, we, through our statement, indicate areas of concerns around the legality of the process and also indicate how, by filing Right to Information requests, we are hoping for greater public disclosure.
A concerning act of web censorship
On June 29, through a press release the Government of India acting through the Ministry of Electronics and IT (MEITY) banned 59 smartphone applications. To provide clarity from the perspective of digital rights of users we published an initial statement linked below.
We are substantiating this initial statement with a detailed analysis which indicates several concerns on the legality of the blocking process. To achieve further clarity and transparency we have also yesterday morning filed several right to information requests.
The detailed statement follows below:
As firm believers in the Constitution of India our mission is to ensure that technology should further the goals set out in the preamble. These goals cannot be achieved if the integrity and the security of India is compromised. To safeguard them our republic prescribes clear means and measures that are premised on a democratic framework. The hallmark of this are our fundamental rights.
In one of the most significant cases concerning the interaction of these fundamental rights with digital technologies, hearing a challenge against Section 66A of the Information Technology Act, 2000 the Supreme Court also had occasion to examine the power of the Government to issue directions to block web services. This power contained under Section 69A of the Information Technology Act, 2000 contains the power to issue directions for blocking along with its grounds in it's first sub-section. The second-subsection to Section 69A contains a requirement to establish a process and safeguards under which the IT Blocking Rules, 2009 have been made.
This power has been purportedly been exercised by the Ministry of Electronics and IT on June 29, 2020 which has been publicly disclosed through a press release through the Press Information Bureau (PIB). This press release indicates distinct grounds under which 59 smartphone applications have been blocked that are contained under in an Annexure. The release contains references to threats to the security, integrity of India and public order of an "emergent nature" for which the direction to block these web services are "emergency measures". The further basis of this direction to block is premised on purported complaints including a recommendation from the Indian Cyber Crime Coordination Committee, Ministry of Home Affairs and complaints received by CERT-In. Further references are made to debates and comments made in Parliament.
While acknowledging the real harm which occurs to the privacy and security of users due to the unregulated expropriation of their personal data we are also concerned with a restriction of their right to receive information and use such services. As per our reading of Section 69A it does not extend to directions for blocking smartphone applications but individual pieces of information and content. We are particularly concerned with the legal process which has been initiated for these directions given they do not contain any available technical analysis against any specific application prior to the media release on the direction for blocking. This sets a worrying precedent and tremendous expansion of the power to block web services in India.
There seems to be any pre-decisional hearing which has been afforded to any of these 59 web-services and given they have been accessible for a long period of time a regular process in which they were afforded a hearing would be naturally expected. Such "emergent circumstances" even when they did emerge do not specifically indicate any technical assessments conducted by CERT-In and do not also clearly indicate whether they are linked to recent border tensions caused due to China given there is a natural inference that many of these web services are of Chinese origin or control.
The press release is a drastic step and expansion in the practice of website blocking. It presents risk of setting a precedent that will undermine the digital rights of Indian internet users. Such directions are in deviation from the rule of law framework under the provisions of the Information Technology Act and the judgement of the Supreme Court as adverted above. In view of the above we call on the Government of India to publish the legal order (not a media release) and make proper disclosures. We further urge that specific regulatory instruments such as the Data Protection Bill to safeguard individual privacy must be advanced. Further if action is needed due to security reasons in examining foreign control made in core sectors such as technology and telecoms then appropriate policy conversations may be initiated. Here non-compliance can be penalised in an objective and evidence based manner with a clear legal standard that may include fines and directions to abstain from illegal conduct.
We caution against the expansion of the power to block web-services. This is bad for users, innovation, the larger technology ecosystem of India. We urge the Government to reconsider this dangerous step which sets a worrying precedent for digital rights.
In view of this statement and to seek further transparency we have initiated steps commencing with the filing of Right to Information Requests with several government departments.
Right to Information requests filed by IFF
Yesterday morning, we filed Right to Information requests with multiple authorities in the hopes of bringing transparency and accountability to the process through which this ban is being implemented. Requests have been filed with the Ministry of Electronic & Information Technology (MeitY) through its Department of Electronics & Information Technology (DeitY) and Department of Telecommunication (DoT). We have also filed a separate request with the DeitY for obtaining information from the Indian Computer Emergency Response Team (CERT) which operates under the department. Lastly we have filed a request with the Ministry of Home Affairs (MHA) to obtain information about their involvement in the ban. Below we have provided insight into each of these requests.
A. Right to Information requests with MeitY
i. With DeitY and DoT on the ban
In our requests dated June 30, 2020 with Ref. No.s DITEC/R/E/20/00519 (DeitY) and DOTEL/R/E/20/00577 (DoT), we asked these two authorities to provide us with copies of the actual order issued by MeitY banning these applications, since currently we only have a press release and not the actual order. Obtaining the order is crucial since it contains the reasons for the ban which are important when we try to assess the legality and validity of the ban. We also asked them whether the process which is stated under S.69A of the IT Act and the Blocking Rules, 2009 for blocking of websites was followed in the implementation of this ban. This process includes giving notice, having a hearing and providing a reasoned order for blocking.
In the press release, it is stated that the blocking was being done because MeitY had "received many complaints various sources including several reports about misuse of some mobile apps available on Android and iOS platforms for stealing and surreptitiously transmitting users’ data in an unauthorized manner to servers which have locations outside India." In our request, we asked them to provide us copies of these complaints. Additionally, we asked them whether they had carried out any objective assessments on the privacy impact of these applications and to provide us with a copy of the reports of these assessments if they had been carried out.
ii. With DeitY for obtaining information from CERT-IN
In our request dated June 30, 2020 with Ref. No. DITEC/R/E/20/00521, we asked DeitY to provide us with information about the role played by CERT-IN in the implementation of the ban. According to the press release, CERT-IN "has also received many representations from citizens regarding security of data and breach of privacy impacting upon public order issues". Thus, we asked them to provide us with a copy of all the representations that they have received which flag such concerns about the blocked applications. Additionally, we asked them to provide us with the minutes of the any meetings that they held wherein this issue was discussed as a measure of increasing transparency and accountability. Finally, we asked them whether CERT-IN had carried out any objective assessments on the privacy impact of these applications and to provide us with a copy of the reports of these assessments if they had been carried out.
B. Right to Information Requests with MHA
In our request dated June 30, 2020 with Ref. No. MHOME/R/E/20/03251, we asked MHA to provide us with a copy of all the representations that they had received which were "raising concerns from citizens regarding security of data and risk to privacy relating to operation of certain apps" as stated in the press release. It was also stated in the press release that the Indian Cyber Crime Coordination Centre (I4C), which operates under the MHA, had "sent an exhaustive recommendation for blocking these malicious apps". We asked them to provide us with a copy of this recommendation as it would help us in assessing the reasons behind the ban.
We also asked them to provide us with the minutes of the any meetings that I4C held wherein this issue was discussed. Additionally, we asked them whether I4C had carried out any objective assessments on the privacy impact of these applications and to provide us with a copy of the reports of these assessments if they had been carried out. Finally, we asked them to provide us with a copy of all the correspondence which took place between the MHA and MeitY with regard to the ban.
IFF's video explainers on the ban
Our Executive Director Apar Gupta, in the videos below, explains the current situation and the legal problems that have arisen due to the steps taken by the government. The videos are in English and Hindi respectively.