India’s FOSS community files plea in Kerala High Court against IT Rules, challenges traceability mandate

A fresh petition, this time from the Indian FOSS community, has been filed before the Kerala High Court, praying that the court stay the implementation of IT Rules 2021, insofar as it concerns new requirements for internet intermediaries, including alarming mandates around traceability, proactive takedowns, and content removal.

The plea has been filed by Praveen Arimbrathodiyil, who works with other volunteers to maintain FOSS (free and open source software) domains such as fsci.com and codema.in and are part of the Free Software Community of India (FSCI). The domains and services managed by the petitioner and others like him provide a platform to users to post content and are intermediaries as per the IT Act.

Arimbrathodiyil has prayed for an interim stay on the implementation of the rules and direction that no coercive action will be initiated against him or others running FOSS products in India. It has further asked the court quash Part II of the IT Rules 2021 (which concerns due diligence for intermediaries), direct the government to form rules in line with IT Act 2000 and Shreya Singhal, and to declare right to encryption as a subset of the fundamental right to privacy. MediaNama has reviewed a copy of the petition. 

FOSS drives a majority of the world’s technological advancement in computer programming; it even serves as the building block of several proprietary software used by tech giants. WhatsApp, for instance, is based on the open-source cryptographic protocol Signal.

Arimbrathodiyil said he cannot bear the compliance burden of the Rules and will thus no longer be able to operate these services. The repercussion of the IT Rules 2021 on the petitioners as intermediaries is not “academic or theoretical but palpable and threatening”.

The IT Rules requirements for intermediaries impede the fundamental right to free speech and expression as well as the right to privacy. They also contravene the Supreme Court’s Shreya Singhal judgment and grants internet companies and services an adjudicatory role; Arimbrathodiyil, who also operates services that are intermediaries, says he is not equipped to play this adjudicatory role. 

Advertisement. Scroll to continue reading.

So far, at least five petitions have been filed against the IT Rules 2021, but this is the first one that specifically challenges the traceability requirement, and also the first one that presents it from the perspective of the FOSS community. Four of the five ongoing petitions have been filed by news organisations — The Quint, LiveLaw, The Wire and The News Minute’s Dhanya Rajendran, and by Pratidhvani. These petitions challenge the rules largely insofar as they apply to digital news publications.

We have laid down the gist of his arguments in the petition below. 

1. Ambiguous: The terms ‘defamatory’, ‘obscene’, ‘invasive of another’s privacy’, ‘racially or ethnically objectionable’, ‘harmful to child’ lack encompassing definitions leaving them open to ambiguity. The term ‘harmful to child’ is a broad phrase and could end up in censoring legitimate content. These phrases have been used without any guidance provided in the parent act, will lead to self-censorship thus violating free speech and expression. The Supreme Court had shot down Section 66A, which had similar phrases, for being vague and ambiguous. 
2. Impact on encryption: The Rules require intermediaries to take reasonable and practicable steps to remove or disable harmful content and to moderate content under private communications, which in many cases is protected with end-to-end encrypted or other kinds of encryption. Encryption and anonymity are useful for development and sharing of opinions exchanged online; since encryption ensures that only an intended recipient receives a person’s communications, it is particularly useful for journalists, researchers, academics, citizens, or dissidents. 
   1. However, the Rules violates right to encryption, which is a subset of the right to privacy. The government has attempted to burden intermediaries with compliances under the traceability requirements, impacting right to privacy. An intermediary cannot fulfill its obligations under Rule 4(2) of Rules without snooping on their users’ private communications, which is a flagrant violation of right to privacy. 
3. Nature of FOSS and kind of intermediaries: Unlike for-profit companies, the FOSS community includes enthusiasts, technologists contributing in individual capacities, and small organisations such as Signal, Tor, OONI; their work is backed by public funding and donations. The Rules do not take into account that many popular proprietary services today have been built on top of decentralized protocols. In addition, most FOSS developers are located across the globe and few of the server operators/owners are based in India. FOSS services further operate on a volunteer basis, do not earn profits from their services, are decentralized, and do not mine data for targeted ads. Owing to these significant differences, the FOSS community falls under separate classes of intermediaries despite performing similar functions. 
   1. Rule 6 arbitrarily empowers the government to issue an order and require any intermediary to comply with provisions applicable to significant social media intermediaries. There is also no compliance time defined, which means that an order under Rule 6 can require an intermediary to comply with Rule 4 immediately. 
   2. Significant social media intermediaries are mandated to appoint chief compliance officers, a nodal contact person, and a resident grievance officer in India. The petitioner volunteers with FSCI, hosting certain servers on Matrix, Diaspora, and Mastodon. It would be financially and resource-wise unviable to continue the operations of its servers which have a user base of 5,200. 
4. Proactive monitoring: The requirement for proactive monitoring using automated tools is non-exhaustive since it is limited to CSAM and rape material and does not include any other sexually explicity material such as pornographic content, which would amount to offences of similar nature under the IPC. This can potentially lead to confusion of takedowns by automated filters by significant social media intermediaries. There are also technological barriers to the correct implementation of automated filters even by Facebook. Volunteers like the petitioner would find it hard to implement these measures. The rules do not provide any safeguards against discriminatory algorithmic decision making. 
5. Voluntary verification of users, a requirement under the rule, can be easily bypassed using temporary email functionality making the entire process useless. 
6. Beyond the parent IT Act: The IT Act does not have any provision that authorises traceability and defacto imposition of automated filtering. The Rules are ultra vires since they are inconsistent with the parent act. 
7. The traceability requirement is vague and arbitrary and goes against the data protection principles. It is also in conflict with Section 69, which provides for decryption, monitoring, and interception of communications read with Section 87(2)(y) of the IT Act. 
8. Grants adjudicatory powers to intermediaries: In Shreya Singhal, the Supreme Court had observed that the Rules required intermediaries to apply a subjective interpretation of similar phrases under Section 66A, leaving the obligation to the intermediary without any legislative or regulatory guidance. The new Rules grant an adjudicatory role to intermediaries, something which is not contemplated under Section 79. 

Read more 

• IT Rules 2021: How will SaaS companies like Freshworks and Zoho be affected?
• IT Rules 2021 enable govt to dictate digital news content: The Quint’s petition
• Brief: Arguments made by LiveLaw in plea challenging Information Technology Rules 2021