Subscribe to South Asia Citizens Wire | feeds from | @sacw

India: Big Brother is looking over your shoulders

14 October 2011

print version of this article print version

The Hindu, October 13, 2011

Big Brother is looking over your shoulders

by Aparna Viswanathan

The government’s new guidelines for cybercafes will deepen the digital divide while doing nothing to curb terrorism.

Following last month’s tragic bomb blast at the Delhi High Court, in which over 13 people were killed, police traced an email from the ‘Harkat-ul-Jihad’ claiming responsibility for the attack to a cybercafe in Kishtwar, Jammu and Kashmir, and arrested three people, including the owner.

In fact, many recent terrorist attacks have been linked to emails sent from cybercafes. In September 2008, two months before the terror attacks on Mumbai, an email was reportedly sent to a Hindi TV channel in the name of ‘Al Mujahideen,’ specifically threatening attacks on the CST railway station and Churchgate. An email from a cybercafe was also reportedly sent in relation to the Jaipur blasts and the owner of a cybercafe was arrested in connection with the German Bakery attack in Pune in February 2010. Unfortunately, cybercafes are now being viewed as a place used by terrorists to plan their attacks rather than as a vehicle for the growth of rural India by providing access to education through the internet.

In a country of over a billion people, and where there are only seven million PCs and 60 per cent of internet users access the web at a cybercafe, the public interest in bridging the digital divide as well as anti-terrorist measures is of great importance. Nevertheless, the Information Technology (Guidelines for Cybercafe) Rules, 2011, notified by the Government of India on April 11, 2011, have been drafted in disregard of the fundamental principles of cyber law which, while threatening the future of cybercafes, do little to effectively curb terrorism.

In the 2009 amendments to the IT Act, cybercafes were included in the definition of “intermediaries,” that is any person who, on behalf of another person, receives, stores or transmits an electronic record or provides any service with respect to an electronic record. Since the seminal 1995 judgment of the U.S. District Court of Northern California in the Netcom case, the view in the U.S. has been that an intermediary, an ISP, is a passive service provider — much like a telephone company — and cannot be held liable for the content transmitted by it. Intermediaries are distinguished from newspapers, which are liable for the content published by them under civil and criminal laws such as defamation. This view arises from the fact that the intermediaries themselves have no control over the content created by their users.

This legal position was refined in the Digital Millennium Copyright Act (DMCA) in the U.S., which exempted intermediaries from copyright liability provided that the intermediary did not have actual knowledge that the material is infringing, was not aware of facts and circumstances from which the infringing activity is apparent and, in the event of having such knowledge, he acted expeditiously to disable such material. In order to avail himself of the exemption from liability, the service provider must also not have received a financial benefit directly attributable to the infringing activity. In other words, the liability of the intermediary is a secondary liability which attaches only when he actually facilitates the commission of a crime and not for only transmitting the message.

Following its amendment in 2009, Section 79 of the Indian IT Act provided that an intermediary will not be held liable for any third party information, data or communication link made available or hosted by him; however, this exemption will apply only if the following conditions are met. First, the function of the intermediary must be limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted. Second, the intermediary does not initiate the transmission, select the receiver or select/modify the information contained in the transmission. The exemption will also not be applicable if (1) the intermediary has conspired, aided, abetted in or induced the commission of the unlawful act, or (2) upon receiving actual knowledge that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit the unlawful act, the intermediary fails to expeditiously remove that material or disable access to it. In order to avail himself of the exemption under Section 79, the intermediary must “observe due diligence” while discharging his duties under the IT Act, 2000.

Under Section 79 of the IT Act, cybercafes, as intermediaries, would normally be entitled to the exemption from liability because they provide only access to the communication systems and they themselves do not send the email, select the recipient or create the contents of the email or other transmission. Therefore, cybercafe owners would be liable under Section 79 only if they conspired with the user to commit a crime or, upon becoming aware of such crime, fail to remove that material or disable access to it. Once again, the liability of the cybercafe owners has to be secondary and they can be held liable only if they facilitated the crime committed by its users.

However, the latest guidelines promulgated by the government have not been drafted taking into consideration the fact that, as per legal principles, the liability of the cybercafe owner can only be secondary. The guidelines have instead imposed primary liability on cybercafe owners by requiring them to conduct surveillance — and curb the acts — of the user, which can only result in excessive intrusion into the privacy of individuals.

The new guidelines require cybercafes to establish the identity of the user by requiring certain forms of identification and photographing the user through a web camera. A cybercafe must maintain the identity of the user in a log register for a minimum of one year. It is also responsible for storing and maintaining backups of the log records for each access or login by any user of its computers for at least one year, including the history of websites accessed and logs of proxy servers installed at the cybercafe.

In other words, cybercafe owners have to maintain a list of all the websites accessed by a user for one year and be held liable even if the user has not committed any crime. The guidelines, by not applying the theory of secondary liability of intermediaries, have created rules which result in the significant invasion of the privacy of citizens using a cybercafe, even where there is no doubt or suspicion regarding the user. The guidelines do not engage in the fine balancing required of the interests in privacy with the security interests of the state; instead, they are heavy-handed and intrusive. It is also impractical and unlikely that cybercafe owners will be able to maintain a record of all websites accessed by customers.

The guidelines further provide that the partitions of cubicles built or installed inside the cybercafe shall not exceed four-and-a-half feet in height from the floor level and the screens of all computers installed other than in partitions or cubicles shall face outward, that is, they shall face the common open space of the cybercafe. These provisions are intended to deter users from illegal acts as their activities will be more visible to others. Here again, the privacy rights of citizens are restricted, irrespective of any doubt or suspicion over their activities.

Moreover, all the computers must be equipped with filtering software to avoid access to websites relating to pornography or obscene information, and the cybercafe must display a board prohibiting them from viewing pornographic sites as well as copying or downloading information which is prohibited under the law. The government, accordingly, is now in the business of telling people which websites to access. If it was so concerned about pornography, it would prosecute all websites in India displaying child pornography and force such websites to shut down rather than prescribing the position of screens and the height of partitions.

In sum, the guidelines appear to have been drafted without keeping in mind the fact that the liability of intermediaries such as cybercafes is, by its nature, secondary and they cannot be held independently liable for the content transmitted on their premises. They can only be imposed with an obligation to disable access to their systems and report to the authorities where they have actual knowledge of illegal activity, or the same is apparent from the facts and circumstances. By disregarding these principles and imposing new obligations on cybercafes, the guidelines have only resulted in creating onerous and heavy-handed regulations which, while unlikely to reduce cybercrime, may lead to the invasion of privacy and even the closure of cybercafes, an unfortunate outcome in view of the fact that these small businesses are the primary means of access to the internet for most people in India.

(Aparna Viswanathan is with Viswanathan & Co., Advocates, New Delhi, Bangalore and Chennai.)


The above article from The Hindu is reproduced here for educational and non commercial use