IFF writes to the Parliamentary Standing Committee on IT on the “Bulli Bai” and “Sulli Deals” Incidents

tl;dr

The recent “Bulli Bai” and “Sulli Deals” incidents, a fake online auction of almost 100 Muslim women, was a blatant violation of their data security and privacy rights. It severely impacted their constitutional right to life and free speech by displaying sensitive information without consent. Hence, we have sent a letter to the Parliamentary Standing Committee on Information Technology requesting them to investigate the matter to understand the reasons behind the delayed response of the relevant authorities.

Background

The "Bulli Bai" case garnered public outrage on January 1, 2022, when one of the target women of the application filed an FIR against unknown persons with the Mumbai Police. "Bulli Bai", hosted on GitHub, a code-sharing platform, was a tech tool created to demean and humiliate Muslim women. The application aimed to "auction" over 100 women by displaying their doctored photos along with their social media profiles. It attached a "price tag" with every profile and labelled them as "Your Bulli Bai of the Day". The "Bulli Bai" application targeted several women, including a journalist, a pilot, activists, political leaders and the mother of a missing JNU student.

This came barely six months after a similarly horrific "Sulli Deals" case was reported in July 2021, which had a similar modus operandi. "Sulli" is a derogatory term used for Muslim women by right-wing extremists. The incident came to light when a Noida-based resident filed a complaint with the local police upon finding her and several other Muslim women's pictures uploaded on this application without their consent. The developers wanted to "auction" almost 80 Muslim women by sourcing their pictures from their social media accounts and defacing them with lewd remarks.  

Below is a brief timeline of the incidents and the action taken by IFF.

Date Particular
05.07.2021 Multiple Twitter accounts posted the screengrab from an application hosted on GitHub titled, "Sulli Deals". The application shared the photographs and social media handles of more than 80 women belonging to the Muslim community in India without their consent to purportedly "auction" them off.
05.07.2021 Erica Brescia, COO at GitHub, confirmed on Twitter that the app had been removed. However, no formal statement has been issued.
06.07.2021 One of the targeted women, Pilot Hana Khan, filed an FIR with the Delhi Police under S. 509 of the IPC which relates to acts intended to insult the modesty of a woman and S. 66 & 67 of the Information Technology Act.
08.07.2021
  1. National Commission for Women (NCW) took suo-moto cognisance of a media report "about now a defunct website 'Sulli Deals', which had posted pictures of Muslim women and had put it up for auction". NCW asked the Delhi Police to file FIRs "so that perpetrators be punished".
  2. . Delhi Commission for Women also issued notice to the Delhi Police on the incident and asked for a detailed action taken report.
  3. Delhi Police registered FIR in 'Sulli deals' case u/s 354A, sent notice to website host GitHub.
  4. According to an update posted on Twitter, a new domain had been registered but not yet hosted, on GoDaddy.com titled, “sullidealing.co.in”.
  5. GitHub spokesperson told HT that "GitHub has long-standing policies against content and conduct involving harassment, discrimination, and inciting violence. We suspended user accounts following the investigation of reports of such activity, all of which violate our policies."
16.07.2021
  1. IFF sent Representation to GoDaddy.com.
  2. According to DCW spokesperson Rahul Tahilani, the Delhi Police replied on July 16, saying that they were trying to get details from GitHub, but the American company did not follow Indian laws. "They said that they were having a difficult time getting data from them," he said.
17.07.2021 IFF sent representation to both NCW and DCW.
29.10.2021 IFF sent a letter to Delhi Police on the Sulli Deals incident.
01.01.2022 Multiple Twitter accounts posted the screengrab from an application hosted on GitHub titled "Bulli Bai". The application shared the photographs and social media handles of almost 100 women belonging to the Muslim community in India without their consent to purportedly "auction" them off.
01.01.2022 Mumbai Police registered an FIR under IPC sections 153A (spreading enmity), 153B (imputations, assertions to national integration), 295A (outraging religious feelings), 354D (stalking), 509 (sexual harassment), 500 (defamation) and IT Act Section 67 (publishes or transmits obscene materials) against the Twitter handle-holders and 'Bulli Bai' app developer.
01.01.2022 Minister of Electronics and Information Technology Ashwini Vaishnaw tweeted about GitHub blocking the user of the “Bulli Bai” application. He also informed about the government working with the Mumbai and Delhi Police.
02.01.2022 NCW took cognizance of the “Bulli Bai” case. Chairperson Rekha Sharma wrote to Delhi Police Commissioner to immediately register an FIR.
03.01.2022 Mumbai Police detained a 21-year old engineering student, Vishal Kumar, from Bengaluru. The Minister of State for Home (Urban) Satej Patil tweeted about the breakthrough; however, he refused to divulge details “as it may hamper the ongoing investigation”.
03.01.2022 IFF sent a letter to Mumbai Deputy Police Commissioner requesting expeditious investigation in the “Bulli Bai” and “Sulli Deals” incident.
05.01.2022 Mumbai Police arrest Shweta Singh in Uttarakhand. She was suspected to be the main accused behind the application. DGP Ashok Kumar said “she allegedly created some fake IDs to commit the crime”.
06.01.2022
  1. Mumbai Police arrested the third accused in the case, Mayank Rawat, a B.Sc. student at Zakir Hussain College in Delhi.
  2. Delhi Police arrested the fourth accused, Neeraj Bishnoi, a second-year B.Tech student at Vellore Institute of Technology, from Assam. DCP (Cyber Cell) K P S Malhotra said he is “main conspirator” of the app, and was also running the Twitter handle of the app.item2
09.01.2022 Delhi Police arrested 25-year old Aumkareshwar Thakur from Indore for being the alleged developer of the “Sulli Deals” application. Police said Thakur admitted to being a part of a trad-group on Twitter which wanted to “defame and troll Muslim ladies”.

Why should you care?

The fake online auction of Muslim women seen in the "Bulli Bai" and "Sulli Deals" incidents show women are still unsafe on the internet. The online harassment meted out to them, and the subsequent delay in content moderation by the involved technology platforms reinforces India's need for more robust data protection and legislation laws. Moreover, the country's wanting state of cyber policing further fails to dissuade such criminal activities. We, at IFF, believe these incidents violate the core fundamental rights of citizens guaranteed under the Indian Constitution.

Violation of Right to Life and Privacy: Article 21 of the Indian Constitution guarantees "protection of life and personal liberty". However, by displaying sensitive information without consent, the application's developers effectively violated a fundamental right of these women. The gender and religion-based targeting of the application were meant to intimidate and harass them. While the women were not "auctioned" in reality, the application reduced them to saleable items. Unsurprisingly, this elicited further lewd and objectionable comments, threatening the women's security and liberty. By leaving them vulnerable to online abuse, the applications also infringed upon their "right to privacy" delivered accorded to every Indian citizen by the Hon'ble Supreme Court's decision in KS Puttaswamy v. Union of India (2017) 10 SCC 1.

Violation of Right to Free Speech and Expression: As per Article 19 1(a) of the Indian Constitution, every citizen is guaranteed the right to free speech and expression. However, online harassment in these incidents may lead to a chilling effect on this fundamental right. The women may feel unsafe to be active social media users and leave the platform altogether. The abuse also increases against politically articulate women, as seen in the "Bulli Bai" and "Sulli Deals" incidents that targeted journalists and human rights activists. According to a study conducted by Plan International, one in every five young women have opted out of social media after being targeted or harassed. The abuses are further aggravated in cases of women who belong to minority communities on social media platforms and dissuade them from expressing themselves without any fear or inhibitions. A recent study by Pew Research Center showed that while Indians essentially believe in religious tolerance of other faiths, they strongly prefer keeping religious communities segregated.

We raised this issue with the Standing Committee

The digital security of the targeted women was compromised due to the delayed response to the online vitriol. Their photos and social media handles were shared on a third-party platform without their consent and were taken down only after the media outrage. As a result, the women faced threats, harassment, and ridicule on their social media platforms. What makes matters worse is the lack of action taken after the "Sulli Deals" incident was reported last year. While the FIR was filed in July 2021, only after six months on January 5, 2022, did DCP KPS Malhotra say that the MLAT procedure "was completed". MLAT, or the Mutual Legal Assistance Treaty, is a treaty between the U.S. and India to improve international cooperation on criminal matters. Though the "Sulli Deals" application creator has been arrested now, the process could have been quicker if GitHub, via MLAT, had helped the Delhi Police with the registrant and IP details of the accused earlier. Such delays further encourage miscreants to continue their harassment with impunity. As per the National Crime Records Bureau's (NCRB) 2020 data, of the 50,035 cybercrimes reported, 10,405 were explicitly against women.

Further, the lack of overarching data protection legislation also leaves a gaping hole in the legal measures to be taken in case of personal data usage violation. There is no clarity on the obligation and governance terms to be followed by technology platforms for the data collected. This exacerbates security and privacy threats and fails to safeguard against data breaches.

Therefore, this breach of citizens' online privacy and security falls squarely within three subjects selected by the Parliamentary Standing Committee on Information Technology for the seventeenth Lok Sabha which are-

  1. Citizen’s data security and privacy.
  2. Safeguarding citizens’ rights, including special emphasis on women security in the digital space.
  3. Review of cyber security scenario in India.

Our recommendations

In light of these two incidents, IFF made a few recommendations to the Standing Committee. While Section 67 of the Information Technology Act, 2000 protects against "publishing or transmitting obscene material in electronic form", the recent developments show it is not enough. The recurrence of such horrific events and the delayed response begs answers to what needs to be done and where the system lacks. Hence, we recommended that the Standing Committee set up an inquiry to investigate the data security and privacy violations committed in the "Bulli Bai" and "Sulli Deals" incidents, which may include the following actions:

  1. Invite the victims of these applications, experts on digital rights and online safety to provide testimonies.
  2. Call relevant officials from the government and the social media platforms involved (GitHub and Twitter) to discuss their content take-down and online safety policies.
  3. Summon the investigating departments (Mumbai, Delhi and Uttar Pradesh Police) to understand the delay in investigation, specifically in the “Sulli Deals” incident.
  4. Summon the National Commission for Women and the relevant state commissions (DCW and MSCW) to inquire about the steps taken by them to redress the incidents.  

We believe these measures will help the Committee delve deeper into the issues by looking at them from the perspective of all the involved stakeholders. It will help us ascertain the gaps in the technological and legal procedures to be followed during cyber crimes. Lastly, meeting the NCW and the respective state commissions will provide further details on the preventive measures taken, as it is only through transparency that accountability and justice can be provided to the victims of this incident.

Important Documents

  1. Letter to Standing Committee on Information Technology for the inquiry into the “Bulli Bai” and “Sulli Deals” incidents dated January 14, 2022. (link)
  2. IFF’s representation to the Mumbai Police dated January 3, 2022. (link)
  3. IFF assists Amina targeted by the “Bulli Bai” application. (link)
  4. Previous blog post titled “Women’s safety on the internet has to account for intersectionality”. (link)

Note: This post was drafted by Shivangani Misra, a Capstone Fellow hosted at IFF, and reviewed by IFF staffer Anushka Jain.