Parliamentary Committee questions FB, Google over compliance with IT Rules, traceability, privacy

In response, BJP MP Nishikant Dubey, it is learnt, asked how it detected that Israeli spyware Pegasus had been planted on phones of 121 Indians if it did not have access to the content of the messages. Facebook is said to have answered that the spyware was planted by a third party and that the platform had dealt with it. 

In its 2019 lawsuit against NSO Group, the Israeli company that creates and markets Pegasus, and University of Toronto-based Citizen Lab had said the NSO Group had exploited a vulnerability in WhatsApp that allowed it to plant spyware just by ringing the target’s device. The vulnerability was disclosed in May 2019 and subsequently patched. The Citizen Lab then aided WhatsApp in identifying the victims for which they looked at aberrant data exfiltration, not the content of the messages (which they won’t have access to), from users’ devices to shortlist possible victims. In addition, Citizen Lab tracked servers that have been historically linked to the NSO Group to identify whether illegal copies of WhatsApp (sideloaded versions) had been used to target victims.

As a result, WhatsApp and Citizen Lab concluded that more than 1,400 journalists, human rights activists and lawyers across the globe had had their devices compromised and all data from their devices exfiltrated without their knowledge. In India, of the 121 victims, most who have been identified are linked to the Bhima Koregaon case. Facebook, which owns WhatsApp, provides both infrastructure and security for WhatsApp.

The spyware basically hoovered up all decrypted messages on the victim’s phone but did not compromise end-to-end encryption. The manner in which end-to-end encryption works, especially the Signal protocol which WhatsApp uses, means that even if someone physically gets hold of WhatsApp servers, all that will be visible to them is gibberish. Because of the nature of the encryption (read about it here), they are unlikely to be able to decrypt that. They would also have to decrypt all messages individually because of forward secrecy.

All this while, the NSO Group has maintained that it only sells its products to legitimate governments and law enforcement agencies and not to individuals. The Indian government, on the other hand, has never categorically denied using Pegasus, and has instead maintained that there has been no “unlawful interception”. The closest the government gave to a categorical denial was stating in September 2020 that neither the government nor any of its agencies “have access to the data and voice messages circulated through WhatsApp”. Seventeen of the 22 publicly identified Indian victims had written to the Tharoor-led committee demanding answers on the subject but this issue has never been discussed at length in the parliamentary committee beyond stray questions to Facebook.

It is understood that members also raised questions about how WhatsApp adds “forwarded” label to messages if it does not track which content is going viral. Forbes India had earlier explained that the “forwarded” label is a counter that is specific to a message; WhatsApp is not privy to that information. Basically, each message has a counter that only identifies whether it is forwarded or not, ascertained by whether or not the sender chose the “forward” option. Once a message is forwarded, the counter would read one. When it is re-forwarded, it would read two, and so on and so forth. In this process, after crossing a certain threshold, the label would automatically change to “Forwarded many times”. Copy-pasting the message resets this counter.

Facebook India MD backs IT Rules

In an interesting turn of events, a few hours after the meeting ended, The Times of India published an article wherein Facebook India’s Managing Director Ajit Mohan said the Rules “make sense” and that the government’s move to regulate content moderation was an instance of “a legitimate scrutiny”. He reportedly said that limiting the misuse and abuse of social media platforms by bad actors is an agenda that Facebook is “entirely aligned with”.

In response to a query by Forbes India, a Facebook spokesperson reshared the company’s statement from May 27: “We aim to comply with the provisions of the IT rules and continue to discuss a few of the issues which need more engagement with the government. Pursuant to the IT Rules, we are working to implement operational processes and improve efficiencies. Facebook remains committed to people’s ability to freely and safely express themselves on our platform.”

This is interesting because Nick Clegg, former deputy prime minister of the UK and the current vice president of Facebook’s global affairs and communications, in a discussion hosted by Access Now had called these Rules “highly intrusive”, in particular the traceability requirement, which is why both Facebook and WhatsApp are challenging the requirement in the Delhi High Court. Clegg’s remarks, unlike Mohan’s, say the Rules in their entirety are bad but traceability is bad in particular.

Mohan’s comments are particularly vexing because, last year, The Wall Street Journal had reported that Facebook’s then head of public policy, Ankhi Das, had personally intervened to ensure that hate speech and content inciting violence from the BJP leaders is not taken down. That report had led to a maelstrom for Facebook with Mohan appearing before the Tharoor committee for deposition, Delhi Assembly’s Peace and Harmony Committee summoning Mohan and his refusal to appear, and Das’s eventual resignation. Mohan’s comments, with this historical, partisan baggage, are particularly ponderous.

Facebook’s compliance status: Forbes India had reported earlier that the address for Facebook and Instagram’s resident grievance officer is that for its external legal firm—Shardul Amarchand Mangaldas. On June 3, the platforms had updated their websites to reflect a name—Spoorthi Priya. Priya is a lawyer who, until last year, worked in the law chambers of now Senior Advocate Vivek Reddy. Reddy has represented Facebook and WhatsApp in the Madras High Court in the WhatsApp traceability case. While Facebook said that Priya “has been appointed” by Facebook Inc., it is not clear if she is an employee (as is the requirement). Multiple sources have told  Forbes India that her contract is currently under finalisation, suggesting she is currently not an employee.

WhatsApp’s resident grievance officer, Paresh B. Lal, too is a resident of India but not a WhatsApp employee. He is a senior associate at the law firm AZB & Partners and is an interim RGO. 

On June 28, Facebook had updated its transparency reports website for India and announced it would release an interim report in compliance with the Rules on July 2 for the period May 15 to June 15. This interim report will only include information about content that was taken down using automated tools, not specific complaints. The latter details will be provided in a final report on July 15 which will also contain data related to WhatsApp.

We will wait for Data Protection Act before new WhatsApp privacy policy: Facebook

WhatsApp’s contentious privacy policy, which was introduced in January this year and has been deferred multiple times since then because of the global backlash, was again brought up. It is understood that Facebook said it would wait for India’s Personal Data Protection Bill to be enacted before introducing a new privacy policy.

Google is a search engine, not a social media intermediary: Google to committee

It is understood that Google said that it is a search engine, not a social media intermediary, and thus should not be required to comply with the obligations of a significant social media intermediary. Most sources that Forbes India spoke to agreed with Google’s assessment. 

This is in line with what Google has maintained in its petition against a Delhi High Court judgement which asked it to use automated tools to take down content from its search results in a right to be forgotten case. It is important to note that the order took care to call Google a search engine, and not a social media intermediary, but Google has challenged the imposition of the obligations of a social media intermediary in court.

The confusion arises, as Forbes India  has reported earlier, because of the expansive definition of social media intermediaries in the Rules. As per the definition, any intermediary that enables online interaction between two or more users, and allows them to “create, upload, share, disseminate, modify or access information using its services” is a social media intermediary. While on the face of it, Google Search only indexes search results and does not enable online interaction, it has a feature that allows users to comment on things and review them, thereby arguably making the ‘search’ function itself a social media activity. For instance, if you search for the movie Inception, the search engine solicits ratings and reviews from the audience.  

Interestingly, while much of the meeting centred around compliance with the Intermediary Rules, Google-owned YouTube, which is definitely a social media intermediary, was not brought up.

Do you keep users’ data private, panel asks Google

There was significant discussion over Google’s data storage practices and who has access to information that Google collects, it is learnt. Google Assistant, which is activated using the phrase “Hey, Google”, was specifically mentioned. Google maintained that it stores all user data in an encrypted manner and does not share them with any third parties. The representatives further said that users can delete all the data from their devices, and that Google Assistant recordings are not retained by default.

According to Google’s privacy policy, users can choose to save their Google Assistant recordings and in case they do so, these recordings may be used by Google to improve their audio recognition technologies.

However, none of the sources Forbes India spoke to were satisfied with Google’s explanation. “Even if a user deletes it from their device, there is no way to know if the data has indeed been deleted from Google’s servers,” a source said. For that verification, Google’s data practices would have to be audited by an independent third party. Another source pointed out that if they do not have access to people’s data and emails, how can they give data about the accounts, and in some cases even copies of emails, to law enforcement agencies.

Moreover, even the new Rules require a long data retention period (180 days) in case a user deletes their account and require intermediaries to share information with government agencies within 72 hours.

Ugliest language issue

Forbes India can also independently confirm The Times of India’s report that Sumalatha, the BJP MP from Mandya (Karnataka), asked Google representatives why search results for “ugliest language in India” yielded Kannada in Google’s fact box. It is understood that both Jain and Duggal apologised about the issue and explained that the fact box is not written by Google but instead created on the basis of aggregated search results. Google also said that it will introduce “quality filters” to prevent such pejorative content from showing up.

This is not the first time that Google’s algorithms have made such blunders. In 2015, the search behemoth was criticised for an image-recognition algorithm that auto-tagged photos of black people as “gorillas”. Instead of resolving the issue, three years later, Wired reported that Google Photos and Google Lens simply stopped labelling any images as a gorilla, chimpanzee or monkey, even if the picture was indeed of the primate. 

Compliance status of Google: Google has not named a grievance officer for India on its website as it is supposed to under the Rules. It only has webforms for requesting content removals on YouTube and other Google products. Only one employee, Joe Grier, a member of Google’s Trust and Safety team, has been named here but his role better fits the role of a nodal contact person. He is also based out of California, not India.

Google released its first compliance report for April 2021 on Wednesday. As per the Rules, Google is supposed to mention details of complaints received and the action taken thereon, and it has to give the number of specific links that were taken down using automated tools. In the report, Google has given data only related to complaints received via its web forms, not for automatically taken down content. 

In response to queries from  Forbes India, a Google spokesperson said that there will be a two-month lag in reporting “to allow sufficient time for data processing and validation”. In subsequent reports, the company will include data on automatic content takedowns, and “data related to impersonation and graphic sexual content complaints received post May 25, 2021”. The spokesperson further said that this is the first transparency report published in compliance with the new Rules and the company “will continue to publish more details we refine our reporting processes for India”. 

As per the report, 27,762 complaints were received in April because of which it removed 59,350 URLs. 98.4% of these URLs were removed for violating copyright. The report doesn't mention how many complaints were actioned on and how many were not. In response to our query, the spokesperson said that this number covers “all Google platforms which will qualify under the SSMI’s [significant social media intermediaries] definition” which includes YouTube. Despite asking, the spokesperson did not specify which all Google platforms are included in this.