India-China Series: Part V: The Technicalities behind the ban, and its enforcement

Introduction

In the wake of heightened tensions between India and China followed by the Galwan Valley clash, the Indian Government on 29th June came out with an unprecedented decision. The reason cited is to be safeguarding the national security and data protection of its citizens. A press release through the Ministry of Electronics and IT (MEITY) ordered 59 Chinese apps to be banned^[1]. There still lacks clarity with respect to the execution of such a ban. It has been allegedly reported that the Department of Telecommunications (DoT) has ordered all telecom operators and internet service providers (ISPs) to immediately block 59 Chinese apps, including Bytedance’s TikTok, Alibaba’s UC Browser, WeChat, Shareit and Mi Video by smartphone maker, Xiaomi.^[2] In this article, we will be discussing this enforcement of such a ban in the Indian context and the technicalities behind the same.

This power to ban these 59 apps has been conferred upon by Section 69A of the Information Technology Act, 2000 which contains the power to issue directions for blocking along with its grounds in its first subsection. The second-subsection to Section 69A contains a requirement to establish a process and safeguards under which the IT Blocking Rules, 2009 have been made. The basis of this direction to block is premised on purported complaints including a recommendation from the Indian Cyber Crime Coordination Committee, Ministry of Home Affairs, and complaints received by CERT-In. Further references are made to debates and comments made in Parliament.^[3]

It shall be noted that this practice of the government restricting access to certain websites or mobile applications is not new. The recent Internet shutdown in Jammu Kashmir in 2019 also saw the Principal Secretary in the Home Department of the Government of Jammu and Kashmir, in an order, pushing internet service providers (ISPs) to install “necessary firewalls and carry out ‘white-listing’ of sites that would enable access to Government websites. Also, websites dealing with essential services, e-banking, etc., excluding, however, access to all social media sites”.^[4] However, this time the idea of imposing this ban is to prevent stacking up of data of Indians by Chinese companies. As a measure to prevent this manipulation of data, the order of the government is to ban 59 mobile applications.

The question is why mobile apps instead of websites? This is because when an individual installs a mobile app they are asked to provide their personal information. To access the services of the app, the user also has to agree to the Terms & Conditions of the app. By agreeing to this they give implied consent to have control over their personal data. India lacking a robust Data Protection law leads to this data not being stored in India but easily accessible to foreign stakeholders involved with the working of the app. It is to prevent this transfer of data to Chinese companies has the Government of India come to a decision to ban these 59 mobile apps. However, having said that execution of such a blanket ban of these apps is still unclear.

Enforcement of the Ban

If the alleged media report of the order given by the DoT to telecom industries is to be believed, then the enforcement of this ban may be a daunting task. In any case of censorship of the internet by the State, the Government of India can legally order internet service providers (ISPs) operating in its jurisdiction to block access to certain websites for its users. Legal provisions in India, namely Section 69A and Section 79 of the Information Technology (IT) Act, allows the Central Government and the various courts in the country to issue website-blocking orders which those ISPs are legally bound to comply with^[5]. This provision provides certain liberty such as; the regulations do not mandate ISPs to use specific filtering mechanisms. Thus, ISPs are at liberty to employ various technical methods^[6]. Also, website-blocking orders, especially those issued by the Government, are rarely available in the public domain. ISPs are, in fact, mandated by regulations to maintain the confidentiality of certain website-blocking orders issued by the Government.^[7]

Coming to the banning of the 59 listed mobile applications, for enforcing such a ban it would mean blacklisting every hostname and domain name associated with these apps by ISP’s. It would also require Google and Apple to remove these apps from their stores.^[8] Users who have already downloaded these apps may see a message citing the Government’s order as the reason to restrict the user’s access. It remains to be seen how the ban will be implemented with respect to apps that do not require an active Internet connection, like say CamScanner. These apps are likely to be taken off from Google’s Play Store and Apple’s App Store.^[9]

Technicalities of the Ban

Many nations around the globe participate in some form of internet filtering^[10]. Whilst filtering and censorship can, to an extent, be open and transparent, their nature tends towards secrecy. In order to understand the extent and nature of filtering around the world, we shall examine the different techniques to filter the internet at a national level. It is also observed to counter this national filtering system, VPN software and proxy services are used to allow a remote computer to route through a given remote network, and well-known to anonymizing network providers a similar service specifically aimed at bypassing national-level filtering.

There are many technical approaches to internet filtering employed around the world, applied to a greater or lesser extent. The most well-known filter is almost certainly China’s “Golden Shield” commonly known as the “Great Firewall of China”, which represents arguably the largest and most technologically advanced filtering mechanism in use today. Many other countries, however, perform internet filtering with significantly lower budgets and technical investment. Technologies range from crude blocking of large portions of the internet to sophisticated and subtle blocking of specific content.^[11]

According to the alleged order by DoT to the Telecom industry, the method which shall be used to block those 59 apps is the “Blacklisting Domain Name System”. This is executed as DNS protocol maps human-readable names to IP addresses on the internet and is thus critical for most user-focused services such as the web. By altering DNS responses, returning either empty or false results, a filter can simply and cheaply block or redirect requests. This mechanism is simple to employ and maintain, but limits filter to entire websites and can be relatively easy to bypass for technical users. This approach is employed by, among others, the Turkish state when blocking websites.^[12] To put it in simple words, the Internet Service Providers will have to blacklist domain names which will prevent access to these apps. To solidify this filtering system, the government will try to have a similar firewall like the Chinese “Great Firewall” to monitor access to such apps by citizens. However, this is not a foolproof technique for blocking apps. In case of such IP blocking, a VPN will simply provide a fresh IP that is not on the blacklist and will allow access to these apps.

Is this a necessary step?

The selective banning of these 59 apps is due to a pattern of data security issues looming around these Apps. One of the biggest issues of such data theft comes from TikTok, a Chinese video-sharing app owned by a Beijing based company named ByteDance. TikTok has been under scrutiny by numerous nations over privacy concerns. In 2019, the US Government opened a national security investigation into Tik Tok, they were concerned that the Chinese company may be censoring politically sensitive content, and raising questions about how it stores personal data^[13] In June 2020, Tik Tok was facing broader scrutiny over its privacy policies, following a decision by the European Union’s data protection chiefs to coordinate potential investigations into the company’s policy to protect children’s data.^[14] The Italian Data Processing Authority in January 2020 launched a co-ordinated action to review the risks linked with TikTok. It called upon the European Data Protection Board (EDPB) to set up an ad-hoc force.^[15] It is not the first time Tik Tok has been ordered to be banned in India. In 2019, Madras High Court had asked the Central Government to ban the TikTok app saying it was “encouraging pornography”. Eventually, the Madras High Court lifted the ban in a week’s time citing the reason being India not having legislation like US COPPA to protect children in cyberspace.^[16] But this time the ban revolves around national security concern with a threat to data of millions of Indians. It comes as a welcome step that the government is taking necessary measures to ensure data protection of its citizens. Irrespective of the noble intention behind banning these 59 apps there seems to be procedural lapse by the government. They have failed to follow due process of such bans and there also lacks infrastructural development to enforce such a mass national-level ban which raises counterclaims of security concerns.

Shortcomings of the ban

As simple as it may be to announce a national level ban, the execution of it is an extremely tiresome job. It involves multiple risks that may or may not be tackled. In today’s day and age with the recent rapid development of technology, there exists a loophole in everything. With every domain name blocked at the national level, there is a corresponding user who will have access to these apps via Virtual Private Networks (VPN) or unofficial versions of the app available on the internet called APK’s. According to Prateek Waghre, a digital researcher, the feasibility of this ban is questionable since asking ISPs to block these apps would require someone to determine all hostnames which would lead to “over blocking” affecting other apps. Experts explained that technology companies upload the official version of their apps on App Store (Apple) and Play Store (Android), but even when these applications are taken down from these platforms, users can still download the unofficial versions of these apps from the web. This poses additional security threats since companies do not roll out updates for the unofficial version of these apps. Updates generally fix vulnerabilities, which otherwise can be exploited by hackers and cybercriminals.^[17]

India cannot build a digital infrastructure like the Chinese government to monitor access and usage of every individual. The reason for India not being able to build such a firewall is not because they lack the technical expertise but it is because unlike China, the Indian government mandatorily has to protect the fundamental rights of its citizens. A national-level firewall may be disguised as a tool to protect data theft of its citizens. However, In the present case, the ban can be easily side-stepped through the use of virtual private networks (VPNs). That means that to enforce the ban, the government must now monitor the online behavior of its people much more closely, including by possibly blocking VPNs. If all this comes to pass, India will be firmly on the high-road to internet surveillance – the opposite of protecting user privacy.^[18] It also restricts the right to access information. It violates the basic right to privacy of the citizens which is now protected under Article 21 of the Constitution following the landmark judgment of K.S Puttaswamy v. Union of India^[19]. Although, there remains a grey area between the right to privacy and restriction of these rights to maintain public order and protect national security.

Conclusion

The imposition of a ban by a press release ordered by the Ministry lacks transparency and disclosure. The ban on these 59 apps goes against the individualized nature of the blocking power under Section 69 A of the IT Act and Blocking Rules. The Blocking Rules, 2009 specifically provide for a defined process of notice, hearing, and reasoned order. Even though the reason for such a ban is to protect national security, it shall be achieved through regulatory processes. There is an alleged order which has been provided by the DoT to the telecom companies to block domain names. This enforcement of a ban without a foolproof legal and infrastructural support will lead to additional security concerns. The rise in the number of users downloading unofficial APK versions of the apps or using VPN’s to tamper their IP address and get access to these apps may put the security of citizens in jeopardy.

---

^[1] Ministry of Electronics & IT, 2020. [online] Available at: <https://pib.gov.in/PressReleseDetailm.aspx?PRID=1635206> [Accessed 29 June 2020].

^[2] Ishita Guha, DoT orders telcos, internet services providers to block 59 Chinese apps, LiveMint, Jul, 01, 2020. https://www.livemint.com/industry/telecom/dot-orders-telcos-internet-services-providers-to-block-59-chinese-apps-11593583240774.html

^[3] Banning 59 Apps sets a concerning precedent, Internet Freedom Foundation,  Jul, 01, 2020. https://internetfreedom.in/59-apps-blocked-our-statement-and-initial-action/ .

^[4] Nikhil Pahwa, Blocking, freedom of speech, Internet shutdowns, The Great Firewall of India, Jan. 15, 2020. https://www.medianama.com/2020/01/223-the-great-indian-firewall/ .

^[5] Kushagra Singh, Gurshabad Grover and Varun Bansal, How India Censors the Web, arXiv:1912.08590v2 (2020).

^[6] Tarun Kumar Yadav, Akshat Sinha, Devashish Gosain, Piyush Kumar Sharma, and Sambuddho Chakravarty. 2018. Where The Light Gets In: Analyzing Web Censorship Mechanisms in India. In Proceedings of the Internet Measurement Conference 2018 (IMC ’18). ACM, New York, NY, USA, 252–264. https://doi.org/10.1145/3278532.3278555 .

^[7] 2009. Rule 16, The Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules.

^[8] Anam Ajmal, Difficult to execute ban on Chinese apps: Digital experts, Times of India. Jun. 29, 2020. http://timesofindia.indiatimes.com/articleshow/76697565.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst

^[9] Pradeep Chakraborty, How will banning be implemented on apps that do not require an active Internet connection? Tanu Banerjee, Induslaw, DataQuest.  Jun. 30, 2020. https://www.dqindia.com/will-banning-implemented-apps-not-require-active-internet-connection-tanu-banerjee-induslaw/ .

^[10] R. J. Deibert, J. G. Palfrey, R. Rohozinski, and J. Zittrain. Access Denied: The Practice and Policy of Global Internet Filtering (Information Revolution and Global Politics). MIT Press, 2008.

^[11] Joss Wright, Tulio de Souza, Ian Brown, Fine-Grained Censorship Mapping Information Sources, Legality, and Ethics, https://static.usenix.org/event/foci11/tech/final_files/Wright.pdf

^[12] Supra note 5.

^[13] Greg Roumeliotis, Yingzhi Yang, Echo Wang, Alexandra Alper, Exclusive: U.S. opens national security investigation into TikTok – sources, Nov. 01, 2019. https://www.reuters.com/article/us-tiktok-cfius-exclusive/exclusive-u-s-opens-national-security-investigation-into-tiktok-sources-idUSKBN1XB4IL

^[14] Stephanie Bodoni, TikTok Faces Scrutiny From EU Watchdogs Over Data Practices, Jun. 10, 2020. https://www.bloomberg.com/news/articles/2020-06-10/tiktok-faces-scrutiny-from-eu-watchdogs-over-privacy-practices .

^[15] Dario Betti, TIK TOK under review by European Privacy authorities, Jan. 29, 2020. https://mobileecosystemforum.com/2020/01/29/tik-tok-under-review-by-european-privacy-authorities/ .

^[16] S Muthukumar v.  Telecom Regulatory Authority of India,  WP(MD) No.7855 of 2019 (India).

^[17] Supra note 5.

^[18]  Mohamed Zeeshan, India’s Great Firewall Against China Could Backfire, The Diplomat, Jul. 01, 2020. https://thediplomat.com/2020/07/indias-great-firewall-against-china-could-backfire/

^[19] (2017) 10 SCC 1 (India).