In 2018, violent clashes broke out between upper caste Hindu and Dalit groups at Bhima Koregaon village in India during an annual celebratory gathering to commemorate the historic battle between the castes which took place in 1818. In the aftermath of the clashes, the police investigation centered on the role of two rightwing Hindutva activists – Sambhaji Bhide and Milind Ekbote, who were alleged to have incited the violence. But subsequently, the Pune police shifted the spotlight to the banned Naxalite-Maoist Communist party of India and the Elgaar Parishad, an event spearheaded by Ambedkarite groups.
The police accused the activists and organizers associated with the Parishad event of links with Maoist groups and being part of a conspiracy to bring down the government. In the following months, Maharashtra police arrested several activists and human rights defenders who work with Dalits and Adivasis in connection with the case. The arrested activists, referred to as the Bhima Koregaon 16, face terrorism charges under the Unlawful Activities (Prevention) Act (UAPA). Most are languishing in jail despite repeated appeals for bail. One of the 16 defendants, 84-year-old priest Stan Swamy, died in jail last year after contracting Covid-19. Rao, who is 81 years old and in poor health, has been released on medical bail, which expires next month. Of the other 14, only one has been granted bail.
In February 2021, Arsenal Consulting, a US-based digital forensics firm, revealed that the laptop of one of the arrested activists, Rona Wilson, had been compromised after he opened a mail from another arrested activist. Unidentified hackers used a malware called Netwire to plant more than 30 files, including an explosive letter mentioning a plot to assassinate Modi. Research from nonprofits like Citizen Lab and Amnesty had revealed that the evidence fabrication was not an isolated incident but part of a persistent and malicious hacking campaign against the Bhima Koregaon 16. They also confirmed that the hacking tool Pegasus, sold by the Israeli NSO Group, had been used by the hackers to target some of the activists’ smartphones.
Even though Arsenal’s 2021 investigation revealed that the incriminating documents had been planted on devices of defendants years before their alleged role in the Bhima Koregaon violence, the arresting agencies continue to use the incriminating files as evidence of terrorism and justification for the activists continued imprisonment.
In February 2022, the security firm SentinelOne published a report analyzing the malware and server infrastructure used in the hacking campaign, which they named ModifiedElephant. For nearly a decade ModifiedElephant targeted specific groups and individuals, including human rights activists, journalists, academics, and lawyers across India, with the objective of planting incriminating digital evidence. But in that report, SentinelOne stopped short of identifying any individual or organization behind the Modified Elephant hackers, writing only that the “activity aligns sharply with Indian state interests.”
Now Juan Andres Guerrero-Saade and Tom Hegel, researchers at SentinelOne have uncovered a provable connection between “the individuals who arrested these folks and the individuals who planted the evidence.” At the same time the email and phone number linked to a Pune City Police official were added as recovery accounts for three of the hacked activists accounts. Researchers believe that the recovery accounts were added to maintain access in case the password was changed by the targets. Wilson’s email account was then itself used to send out other phishing emails to targets in the Bhima Koregaon case for at least two months before Wilson was arrested in June of 2018. Zeshan Aziz, a security researcher, and J Scott-Railton at Citizen Lab confirmed that the Pune City Police controlled the recovery email and phone number used for the hacked accounts.
These findings highlight the dangers arising from law enforcement’s increasing use of intrusive tools and other forms of hacking as an investigation tool. The researchers hope by demonstrating police wrongdoing in the case, they are able to help the jailed activists and human rights defenders win back their freedom. The report also raises important questions for the courts to consider. Is there integrity in any evidence pulled from a computer that has been proven to be compromised as part of a hacking campaign linked to law enforcement? Has the Pune Police abused its investigative powers and collaborated with Modified Elephant hackers who planted the evidence on Rona Wilson’s personal devices? Is the use of malware by investigating agencies constitutional? Can we trust law enforcement with these sorts of operations? Is there a need for additional procedures, such as judicial review, for law enforcement’s use of malware? How can the courts ensure that the state meets its obligation to ensure that any criminal investigations are conducted in accordance with the principles of legality, necessity, and proportionality, as recognized in international human rights law.
India’s Submission to the UN Cybercrime Convention
The revelations discussed above bear close examination given that India is actively participating in negotiations for a convention on countering cybercrime.
From 30 May to 10 June, a UN-convened Ad Hoc Committee (AHC) committee of government experts from around the world met in Vienna to negotiate a comprehensive international convention to counter the use of information and communications technologies (ICTs) for criminal purposes. The AHC is expected to submit a draft convention to the General Assembly’s 78th session in 2023-24.
In contrast to the AHC’s first meeting, which was overshadowed by the Russian invasion of Ukraine, this was the first AHC meeting to delve into the substance of the potential treaty. Ahead of the negotiations member states were asked to provide input on three pre-selected topics: criminalization, general provisions, and law enforcement and procedural measures. The Indian delegation — comprising officials from the ministries of home, external affairs, and information technology — submitted their proposal on 12 May.
There is a pronounced lack of consensus among UN member states on the scope of the treaty, particularly which offenses it should aim to cover. The Indian delegation has defined cyber crime broadly as “crimes committed through the use of information communications technologies (ICTs).” India has proposed a wide array of offenses ranging from “damaging computer systems”, “illegal access”, “illegal interception”, “illegal interference”, use of “ransomware” and “computer misuse tools”, and “cyber terrorism”. Such cybercrimes are generally classified as “cyber-dependent crimes” i.e. those crimes that primarily target systems, networks, and data to compromise their confidentiality, integrity and availability. Notably, other offenses associated with this category such as hacking, malware creation, possession, and distribution, DoS and DDoS attacks; and website defacement are not covered in India’s submission.
India also proposes inclusion of “cyber-enabled” crimes, i.e. offenses that also occur offline but in which criminals may deploy technology to expand the reach or speed up the committing of a crime. Such crimes are generally committed “for personal or financial gain or harm” and “computer system or digital device is inherent to the modus operandi. India has called on the convention to include “tampering with computer source documents”, “dishonestly receiving stolen computer resource or communication device”, “spam”, “identity offences”, “ identity theft”, “cheating by personation by using computer resource”, “computer-related acts causing personal harm”, and intentionally or knowingly publishing or transmitting “image of a private area of any person without his or her consent”, “material containing sexually explicit images”, “material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons” and “depicting children in sexually explicit act”. Probably in response to the growing number of data leaks and data breaches in India, the delegation has recommended penalizing and criminalizing negligence in “implementing and maintaining reasonable security practices and procedures” to protect data by private or public companies handling any sensitive personal data.
What is most worrying is that India is advocating for the inclusion of content-related offenses under the convention. Content-related offenses cover cyber crimes involving content that is considered illegal universally like child sexual abuse material as well as specific types of content that are not are universally illegal but are prohibited under national laws such as “racist and xenophobic material” or “sending false information”.
In its submission to the AHC, India recommends that states should adopt “legislative and other measures” to criminalize publishing “information that is grossly offensive or has menacing character. The same goes for sending out information, “known to be false”, for the purposes of “causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device” and “electronic mail or electronic mail message that causes “annoyance, inconvenience or deceives/misleads”.
The language mirrors the restrictions on online speech that were imposed through Section 66A of the Indian Information Technology Act, which was struck down as unconstitutional by the Supreme Court in 2015. Under Section 66A transmitting “grossly offensive”, “menacing”, and incorrect information through a computer or communication service was “punishable with imprisonment for a term which may extend to three years and with fine”. The glaring ambiguity in terms such as “offensive” and “menacing in character” and the wide powers granted to law enforcement agencies under the provision resulted in the law being widely misused. Section 66A was used to arrest cartoonists, artists, journalists, activists and students for their social media posts criticizing various leaders.
In 2015 the Supreme Court of India termed Section 66A “unconstitutionally vague” and struck down in its entirety being violative of Article 19(1)(a) and not saved under Article 19(2). Section 66A continued to be invoked within police stations, and in cases before trial courts across India with as many as 1,300 cases lodged after its annulment. After the Supreme Court intervened the Union government wrote to state governments directing them stop registering cases under Section 66A and to drop the provision from registered cases. Despite these measures, law enforcement continues to use Section 66A, there have been calls for its reintroduction.
India’s proposal has raised concerns that if the UN treaty includes the language suggested by New Delhi, as a party to the binding convention, India will be able to introduce new legislation to bring back the language that was earlier declared “unconstitutional” by the Supreme Court. So far, India’s proposal has not received support by other member states. India is not the only country that is attempting to broaden the scope of the convention or to include broadly defined content-related offenses. Other member states have proposed the inclusion of provisions on incitement to terrorism, disinformation and hate speech. But as highlighted in a joint letter signed by more than 130 civil society organizations and experts, broadening the scope of the treaty poses real risks to fundamental human rights, including freedom of expression. As the use of Section 66 A has shown in India the the criminalization of speech through provisions that are vaguely worded or framed in overbroad terms can be misused to target critics and human rights defenders, creating a chilling effect on society. As noted by the U.N. Office of the High Commissioner for Human Rights (OHCHR) from a human rights perspective, content offenses should not be included in the proposed treaty.
There are many examples of narrowly focused cybercrime laws being used by states to target and persecute human rights defenders. The language used by India in its suggestion to criminalize unauthorized access to computer networks or systems or “disclosure of information in breach of lawful contract” is so broad that it can effectively be used to target researchers for identifying flaws in systems and to criminalize whistleblowing. As noted by Privacy International, Human Rights Watch, Electronic Frontier Foundation, when regulating core cybercrimes, malicious intent needs to be narrowly defined and safeguards such as a public interest defense to exclude legitimate activities by security researchers, whistleblowers, activists and journalists should be included.
India has used its submission to the AHC to demand expansion of the investigative powers for law enforcement. It wants to empower competent authorities to “search or seize any computer system or data stored within the computer system”, “collect real-time traffic data” and “intercept or compel service providers to intercept in real-time, content data of specified communications”, “order or similarly obtain the expeditious preservation of specified computer data, including traffic and content data”. It also wants the convention to put in place frameworks to “provide metadata expeditiously without the need of MLAT”.
The Indian delegation has called for the “development of international model provisions on investigative powers for electronic evidence with a view to supporting States in ensuring the necessary procedural tools for investigation of crimes involving electronic evidence.” Given Sentinel One’s revelations about law enforcement’s involvement in the use of intrusive tools in the Bhima Koregaon case, and with the courts refusing to step in to reform existing malpractices, an international treaty laying down robust procedural and human rights safeguards that govern criminal investigations may be the only way for protecting Indian citizens against disproportionate or unnecessary surveillance.
The convention should ensure that investigative powers for law enforcement comply with international standards on privacy and data protection including the principles of legality, necessity, and proportionality. It should also encourage member states to create and enforce robust and comprehensive privacy legislation and adopt additional safeguards like independent judicial authorization to limit law enforcement uses of surveillance tools.
India has also suggested that rather than a territorial based jurisdictional model, the convention should adopt “data-oriented jurisdiction” which means that the country whose citizen’s data is being stored/processed/screened/federated should have jurisdiction of the data regardless of where the data is located.
Exerting Control Over Content Moderation
The position articulated by India at the UN Ad Hoc committee reflects its domestic stance on the issue of regulation of digital technologies, data ownership and content governance.
Earlier this month, MEITY circulated a new draft of the IT Rules that proposes a government panel to hear user appeals against content-related decisions taken by social media platforms. India enforced new IT intermediary rules last year, mandating social media platforms to remove any content flagged by authorities within stipulated timelines, and set up a robust complaint redressal mechanism with an officer being based in the country. Social media companies are required to take down posts depicting nudity or morphed photos within 24 hours of receiving a complaint. Large social media companies — those with 50 million users or more — also have to publish a monthly compliance report disclosing details of complaints received and action taken, as also the contents removed proactively.
IT minister Ashwini Vaishnaw has said the proposal for an additional appeals panel to take final calls on social media content is a response to arbitrary content moderation, inaction, or takedown decisions of big tech companies. He added that at present, “there is no appellate mechanism provided by intermediaries nor is there any credible self-regulatory mechanism in place” and since it is not always practical or feasible for a citizen to approach a court, the appellate grievance redressal panel fills in the gap and is expected to bring greater accountability for big tech companies. After push back from experts the government has clarified, the proposed amendments are at a discussion stage and that it “is open to other effective solutions to tackle the problem”. The composition of the panel is yet to be decided but it has been reported that the government is hoping to finalize the amendments to the rules before July-end.
Restricting Access to Global Technologies
In May we had reported about India’s new cybersecurity directive which requires companies providing VPN ( virtual private networks) services to keep a log of their users including username, email id used while signing up for the service, contact number and internet protocol addresses among other details for a period of five years. The new rules also mandate all ‘body corporate’ to mandatorily retain logs for 180 days and firms to report a cyber breach of any form within six hours of noticing such cases. Critics of the directive have argued that since VPN providers are in the business of protecting privacy, forcing them to identify and collect data on their users, is a clever way of preventing VPNs from operating in India without actually banning them, like China and Russia did.
This is not the first time that India is targeting VPNs. Last year, a parliamentary committee had recommended banning VPNs altogether on the basis that VPN encryption was being used to commit crimes related to extremism, narcotics and child pornography. The directive is being justified by officials on the grounds that such rules are needed to respond to cybercrimes and data breaches. India saw a 4x rise in data breaches in the country in 2021 and 18 out of every 100 Indians have already faced some form of cyber breach. However, in the absence of robust protection mechanisms, these new provisions would breach the privacy and security of users could potentially lead to even more breaches within India
Despite pushback from VPN companies, multiple industry bodies, privacy activists, tech policy groups and cybersecurity experts, the Indian government is pressing ahead with the directive. The government has published FAQs on the directive which comes into effect this month, on June 28. Rajeev Chandrasekhar, the minister of state for IT, has stated that the production of evidence was an “unambiguous obligation” for VPN service providers, social media intermediaries, and instant messaging platforms, and they could not claim to not have the details that the law enforcement agency wanted because the platform was “end-to-end encrypted. Chandrasekhar also added that India was being “very generous” in giving firms six hours of time to report security incidents, in comparison to countries like Indonesia and Singapore that had stricter requirements and companies that do not adhere to the cyber-security guidelines are “free to leave India”.
Three VPN companies, ExpressVPN, Surfshark and NordVPN have quit India citing their inability to continue services in the country owing to the new rules. ProtonVPN, another popular VPN provider, has also said that it is committed to keeping its “no-logs policy.” While the fall-out on Indian users’ freedom and choice remains to be seen, VPN providers’ decision to leave India seems to be having some impact. The Ministry of Electronics and Information Technology invited VPN service providers and other stakeholders such as cybersecurity experts, legal experts and tech policy groups to discuss the cybersecurity guidelines.
Although the compliance burden of the directions on VPN service providers did not come up, an extension on compliance timelines for SMEs, a portal for reporting cybersecurity incidents, and a review of the directions 90 days after they go into force were discussed at the June 10 meeting. Now civil society and experts are calling upon the government to extend the consultations, to invite inputs from the public at large and to defer the implementation of the Directions until such consultation is concluded and suitable amendments are made.
India’s efforts to redistribute power over global technologies is being driven by its sovereignty-based approach to governance. While it is understandable that states want to control how people or things subject to their authority access or use, the way they go about doing it has profound implications for the global internet. India must understand that there is no “data-oriented jurisdiction” over which India can exercise supreme control and at best they can leverage their national laws and cyber directives over actors and devices in their territory to place restrictions or expand obligations. In the absence of safeguards against or clearly articulated limits to state power in cyberspace, such efforts shrinks freedom of expression and elevates national restrictions and control.
A sovereignty based approach creates conflict, compatibility problems and undermines the benefits of an interconnected and open information and communication environment. Abandoning the desire to make states the supreme authority in the governance of digital technologies is essential if India wants to provide a foundation for appropriate forms of governance going forward. As noted by Milton Mueller, “Turning away from sovereignty requires states to recognize their (and their societies’) co- existence in a shared space. Rather than justifying their actions through assertions of absolute authority over distinct “pieces” of cyberspace – a goal which will never be attainable – states would be led to participate in some form of joint governance.”