The second public consultation on the Digital India Act is about to begin. It is taking place in Mumbai. The consultation will, like its first edition in Bangalore, be chaired by MoS IT Rajeev Chandrasekhar.
Dr Sandip Chaterjee, the group coordinator for Cyber Laws division, introduced the consultation. It is on the principles for DIA.
RC is here.
[I won't tweet about the PM's vision for techade, all the great things he has done, etc. I'm going to focus on the meat of the matter.]
More than 115 people have joined via Zoom.
RC: IT Act is 22 years old. In the IT world, that's almost like a century. It doesn't even mention internet.
Paraphrase: A lot has changed since then.
Thus far the presentation seems to be identical to the previous presentation that was made in Bangalore.
RC: Recognition even in 2002 that the IT space has to depend on regulations and can't be hard coded into the legislation itself.
RC: The DPDP Bill has undergone consultation. The National Data Governance Policy is with the Cabinet.
RC; Aim is to be able to be respond very quickly through regulations so that we don't have to go through the 'painful process' of legislating every time.
Slide 14 (with the index) seems to be new.
RC, while talking about openness, specifically mentioned Facebook. "I can see Shivnath [Thukral, the head of public policy for Meta in India India] and he would have received the email from EU about the 1.3 billion fine."
"Discretionary moderation of fake news ... by platforms" is mentioned in Slide 19 that RC said has been addressed to some extent by the Ministry [reference to the fact check amendment] but acknowledged that the Ministry may not have "communicated that very well".
People in the audience include Dr Sanjay Bahl, the DG of CERT-In.
RC: I was in the EU recently [he was in Belgium for the first India-Eu Trade Technology Council meeting] . People like Margrethe Vestager and Theirry Breton are clear that they are looking at regulation through
the prism of user harm.
[Couldn't take a screenshot of the news clippings around misinformation.]
RC: it is the responsibility of the platforms to do their due diligence. We are genuinely considering doing away with safe harbour. Most platforms are anonymous so the perpetrator is untraceable but the govt draws flack for free speech related issues.
If the platforms does not do due diligence and if it does not act in certain areas like SCAM, patentt infringement, religious incitement.
We have moved from blanket immunity to conditional immunity. I'm not saying we have decided but worth having a conversation on.
I think that model of the government being in between the user and the intermediary can be replaced by the government playing the arbiter but not having the govt being in the middle waving the safe harbour flag.
If you [the platform] can't be the arbiter of what's right or wrong
then you go to the court. You can't keep claiming Section 79 protection. There is a built in incentive for someone to be harmed but to never have that matter adjudicated.
[My internet flaked on the slide about misinformation. At that time, RC had talked about the threat of AI and mentioned meeting an entrepreneur during AKrnataka elections who was a pro at creating deepfakes.]
RC: The DIA will say that we can classify newer and newer types of intermediaries on the basis of risk, size, etc.
First draft of the Bill by first week of June.
Q&A time (M. Sasikumar, ED of CDAC, also on stage)
Adil Shetty (Co-founder BankBazaar): Given that various sectors have sector-specific regulation for digital intermediaries, will DIA take into account sector-specific regulation?
RC: Yes. We are doing that with the DPDP Bill as well. Just like with DPDP Bill where a sectoral regulator can go beyond DPDP Bill, DIA will also allow that. But DIA seeks to harmonise across sector.
Arun Prabhu (Partner, CAM): 1. In the list of intermediaries, will we include pure intermediaries such as telecom services. 2. Will an intermediary still be able to do some degree of automated filtration to deal with the sheer volume of problematic content.
RC: This should have an answer but I don't have one right now. DIA currently does not envisage regulating the ISPs and TSPs ebcause they are ergulated by MoC. Currently, it's out of the scope of DIA but during the consultation, if someone can make a case for itTSPs and ISPs to be
included, we are willing to consider it.
2. The Bill is not prescriptive. It's up to the platform to determine how to deliver on the obligations cast on them. They may choose to automate or hire a thousand people.
Rhea Rao (Parinam Law Associate [have to double check]): How is DIA going to deal with user harm?
RC: DIA will include things but broad idea given by the IT Rules and the due diligence guidelines for intermediaries. We will not allow an intermediary to host anything that causes
harm to users and they can keep crying about right to free speech, right of Mt Everest, etc.
*** Tiwari: Web 3 and blockchain are emergenting tech and have a huge role to play inDigital India. We have created a custody infra
RC: I know you want to make a pitch on it [I'm glad RC interrupted his pitch] and I will respond to you. Web3 is a big area for our start-ups and we want to lead the charge but with guard rails.
We are very clear that we will not ban any new technology. We will have a
conversation about Web3 in June.
N.S. Nappinai (SC lawyer): 1. No part about procedural aspects, especially wrt electronic evidence. 2. How will DIA look at national security, esp. wrt the two agencies that were created by IT Act?
RC: No attempt to buck these legacy issues; we will only put a modern twist on it. We don't want to be prescriptive [I'm confused about what he said about going from door-to-door and prescribing procedures]. We couldhave a digital regulator. We will talk about these things in
June and July.
Venkatesh (The Software Alliance): Classification of intermediaries is a welcome move. Right now it is quite broad. How will it proceed?
RC: We will work out different criteria for thresholds, etc. Different thresholds for different kinds of intermediaries.
Venkatesh: AI regulation for only high-risk cases?
RC: We want to regulate only through the prism of user harm.
Shreya Kamath (Gateway Conslutating): Any compliance concessions to begin with for start-ups? 2. We hear that govt is going to come up with homegrown version of CHatGPT. Will it be regulated the same way and why?
RC: 2. Govt version of ChatGPT will also be regulated the same way.
1. PM is very clear that nothing should cause a speed bump or an obstacle for innovation and start-ups.
Sandeep (Founder of Credilew?): Q about consumer grievance redressal. Is there a plan to create an ombudsman?
RC: We obviously havne't done a good job in communicating what's there in the IT Rules. [explaining the GO and GAC mechanism of IT Rules]
The grievance redressal mechanism is fairly robust that is keeping platforms on its toes. I don't see the need for an ombudsman because of the GACs.
Aman Jha (lawyer, advises DNPA): Would DIA have provisions for equitable distribution of revenue?
RC: Mentioned it wrt monetisation of content. We have to address the asymmetry of content monetisation that is monopolised by big platforms. We will have principles.
We won't go the Australia way.
Enforcement is not the theme of this law. The focus is on rights and obligations.
Someone from Zaggle: Suggestion around Section 79 and anonymity. Is there any discusison around Aadhaar based KYC for online users like in banks?
RC: We are working on mandatory eKYC using Aadhaar. On the other issue, do you [really] want eKYC for all social media users? Last year, a Congress MP asked why are all users on social media not verified and I had answered him and said that anonymity is important. But we cast an
obligation on platforms that in the even to fan illegality, they should have a mechanism to trace them.
But they went to court and argued that traceability is ultra vires. Nobody thought a decade back that platforms will have millions of users and be the playgrounds for harm.
[I will fact check this later]
Saikat Datta (DeepStrat, ex-journalist): How do you harmonise them across ministry?
RC: Not unusual not unwanted. As more digitalisation, esp across governance happens, it is bound to happen and we will have sectoral regulation.
Karnika Sethi (online, SC lawyer): A code of ethics is not enough for India. We need model clauses and standardisation such as SCCs. We could have high-impact assessments to facilitate growth to encourage openness and transparency and increase accountability of the industry.
RC: Maybe you missed a part of the presentation. We are going to regulate AI; an entire chapter in DIA is dedicated to AI and emerging tech. But it will be done through the prism of user harm. There will be no separate legislation to regulate AI.
Since you are such a fan of the GDPR, once the DPDP is enacted, you can be the ambassador of that.
Karnika Sethi. Of course! We need to address the issue of maladvertising, especially wrt children.
RC: That is already dealt with to a large extent in DPDP Bill.
Someone from Wikimedia Foudnation, connected through Zoom, is attempting to ask a question but I think there's a connectivity issue.
Rachna (Trilegal): Will DIA define principles for how platforms assess whether or not something is misinformation?
RC: The obligation is already cast upon platforms through IT Rules. Misinformation is already defined as "patently false". Disinformation is not defined or called upon.
RC basically said that platforms have to be arbiters of misinformation since it's "patently false"
Vakasha Sachdeva (Logically): What are the ideas that you have taken from other jurisdictions?
RC: Listening to everybody ... why should I accept that some jurisdiction is better than us because there are so many smart people in this room and across this country
Bharat (Diners Club, ex NPCI): Banking is facing issues not because of issues with banking but because someone is issuing SIM cards with false KYC. TRAI passes rules sans consulting with RBI. In the regulatory space, it's almost like two police stations fighting over jurisdiction
RC: I am not in favour of a super regulator sitting on top of everybody. As consultation on DIA [begins in earnest], we will have consultations with all the sectoral regulators as well.
Vote of thanks by M. Sasikumar, ED of CDAC Mumbai.
About 70 people attended in person while at its highest, I saw about 211 people on Zoom. Representatives from Facebook, Google, Snap, etc. were visible.
Finito
There is always that one dude who wants to link Aadhaar to everything. *le sigh*
As I mentioned earlier, here're the facts: the traceability requirement that MoS IT RC mentioned does not apply to all intermediaries. It only applies to significant social
media intermediaries (ie social media platforms with more than 50 lakh users in India) that are primarily in the business of messaging. Thus, it definitely applies to WhatsApp but arguably not to Twitter (because it's primary business is not messaging).
WhatsApp and Facebook
Indian government to court over the traceability requirement because implementing it means breaking E2EE for everyone in this world and creating more privacy and security risks across the board.
The responses of companies such as WhatsApp and Signal are very different in
India and the UK. In India, WhatsApp took the govt to court. In UK, it has said that it will exit the country if it is forced to carry out client side scanning.
Now on the issue of Aadhaar. At least one court, the Madras HC, has already said that linking Aadhaar to social media
accounts would violate the SC judgement on Aadhaar.
Group Coordinator for Cyber Laws, Rakesh Maheshwari, mentioned that the Jan Vishwas Bill, currently before the Parliament, has also proposed amendments to the IT Act.
All screenshots until now are from the presentation being given by MoS IT Rajeev Chandasekhar. #DIA2023
MoS IT Rajeev Chandrasekhar: This is what the new framework of cyber laws will look like.
🚩2. XCheck does not work the way it was described
- multiple current and former employees were baffled by the sweeping powers described in article 1
- content moderation reports are NOT posted to
fb.workplace.com but reside on internalfb.com
- content moderation reports require some action to be taken which cannot be taken from Notes in Workplace
🚩3. fb.workplace.com is the Slack equivalent for internal FB communication; UI in video does not match
Facebook and WhatsApp have both filed petitions in the Delhi High Court against the traceability requirement in the Intermediary Rules. Both ask for the traceability rule to be declared ultra vires and for no criminal liability to be imposed if intermediaries do not comply with
Protection of rights to privacy and free speech extensively cited as arguments.
In an expected move (as I had reported on it earlier), Facebook's petition is actually a preemptive move to save the Secret Conversations feature. Read on to know why
Many of the arguments that have been made were also brought up by legal and technical experts in my previous reportage. Read those too: forbesindia.com/article/take-o…
Hello humans! Settle down as I summarise for you the #WhatsApptraceability case that will potentially set a global precedent for how governments approach encrypted communication. I have been reporting on it for @medianama
The latest: I spoke to IIT Madras's Dr Kamakoti about the submissions he has made to Madras HC. bit.ly/2KA4tqj
Kamakoti is very clear: "WhatsApp remains the same. Their end-to-end encryption remains the same. There’s nothing that we want to change. There’s nothing that warrants the change."
BUT
traceability is also important to prevent social harm, scams bit.ly/2KA4tqj