“Let me put it this way. Suppose riots have broken out in an American town, and incendiary messages are being circulated through a messaging application owned by an Indian company. Were the company not to cooperate with law enforcement agencies, what would the U.S. government do?” asked the Indian official. The response from his American counterpart across the table was swift: “That company would be in very serious trouble.”
Earlier this month, when Indian and American negotiators >met in Washington D.C . for the bilateral Cyber Dialogue — after a gap of two years — they had a spirited exchange on the role of Internet companies during emergencies. The Indian government has often flagged the concern that data-mining giants based outside the country — Google, Twitter, Facebook and WhatsApp, to name a few — do not cooperate with law enforcement authorities during a security crisis. For their part, the companies argue that data-sharing with governments is a sensitive issue, especially as they are not privy to official reasons for monitoring and surveillance. At the Cyber Dialogue this year, India pointed to the 2013 Muzaffarnagar violence and the 2012 exodus of Northeasterners from Bengaluru as prime instances where social media played mischief, highlighting the need for closer cooperation between American companies and the government.
Clampdown in Gujarat
Hardly a week had passed since the dialogue when the anti-reservation protests in Gujarat >turned violent , prompting the State government to shut off mobile data services for a week. Following protests in Imphal this week over the Protection of Manipur People (PMP) Bill, 2015, the Manipur government too > blocked Internet access in several parts of the State. In Gujarat, the >Internet lockdown was in place in major cities like Ahmedabad till Tuesday, affecting the lives of tens of thousands.
Ordinary users and businesses were unable to send messages via 3G services, make payments through Internet banking portals, file taxes online, or use location-based apps for transport. The State government’s decision to ‘kill the Internet’, prompted by the concern that messages inciting violence could be circulated along online platforms, was disproportionate. But this overreach is a sign of the government’s vulnerability, not its enthusiasm to clamp down on speech.
A security crisis confers governments with wide legal latitude to restrict the flow of online information. They can do so in three ways: by targeting the content, medium or device. Content-specific restrictions usually take the form of DNS (Domain Name System) seizures, where governments ask a website host (say, GoDaddy or Bluehost) to de-register a domain name (say, www.yestogujaratviolence.com).
A second type of restriction could be aimed at the medium: governments can require Internet Service Providers (ISPs) to block access to websites peddling inflammatory content. A third kind of restriction targets the handheld device, where the government asks a phone manufacturer to create ‘back doors’ for monitoring and filtering content on its devices. All three methods are blunt, and could even be counterproductive.
A website could easily park its domain elsewhere after its registration has been withdrawn. ISP blocks can be circumvented through proxy servers and virtual private networks (VPNs). And creating online ‘back doors’ is a dangerous exercise because the security vulnerability so created can be exploited not just by governments but by miscreants as well.
The Indian government understands that these methods, while legally defensible during an emergency, are ineffective. This is why Gujarat blocked access to mobile Internet altogether rather than targeting those websites or platforms that were promoting violence. Consider the example of WhatsApp, a California-based company that has no presence in India. Its servers are located abroad. Until recently, the company did not even have a designated representative in the country. If WhatsApp is being used to promote incendiary messages, the government simply has no means to filter problematic content. As a result, law enforcement agencies deploy excessive measures.
Disclosure vs. privacy
Central and State governments in India share an adversarial relationship today with social media companies. Authorities say their compliance requests go mostly unheeded. Takedown notices published by Internet companies are often selective, highlighting the most egregious demands to paint governments in poor light. The argument that the private sector is standing up to government to protect user interests simply does not hold water. The privacy policies of some of the biggest Internet companies today leave much to be desired. Many platforms have failed to regulate hate speech. If that is not all, data collected by social media from India is being farmed abroad for commercial purposes.
It is in the public interest that foreign Internet companies cooperate with governments during security crises. Frustrated by unsuccessful attempts at targeting sensitive content, Indian officials have reached out to their counterparts in the U.S. and Europe, hoping to “nudge” foreign companies into compliance. New Delhi’s desperation is understandable, but conversations on online filtering or blocking cannot take place behind closed doors between governments. Similarly, data localisation laws that require companies to set up servers in India cannot be a substitute for sound privacy policies.
Without a sustained dialogue between both parties, the government will continue to deploy ham-handed measures as in Gujarat to meet its ends. They neither serve the interests of the user, whose daily activities are affected, nor those of social media platforms, which are missing out on an opportunity to be valuable conduits for life-saving information.
( Arun Mohan Sukumar heads the Cyber Initiative at the Observer Research Foundation, New Delhi .)
