Freedom on the Net 2022 - India

/ 100
Obstacles to Access 13 / 25
Limits on Content 21 / 35
Violations of User Rights 17 / 40
49 / 100 Partly Free
Scores are based on a scale of 0 (least free) to 100 (most free). See the research methodology and report acknowledgements.


Internet freedom in India marginally improved over the last year, following four years of decline, as efforts to bridge the country’s digital divides expanded access to the internet. While the government continues to impose internet shutdowns, they have reduced in their frequency and intensity. Legal challenges to laws enabling the government to censor online content—including against the controversial Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021—have seen limits imposed on some powers. However, the state continues to block online content, and Indian internet users risk arrest for posts critical of the government. Misinformation and disinformation are frequently shared online, and journalists, nongovernmental organizations, and members of marginalized groups remain at risk of facing hate speech and online harassment.

India is a multiparty electoral democracy with frequent elections at the federal and state levels. The Indian constitution guarantees various fundamental rights including the freedom of speech and expression, freedom of religion, rights to form associations, and the right to privacy. The government has presided over discriminatory policies and increased violence affecting the Muslim population. Muslims, scheduled castes (Dalits), and scheduled tribes (Adivasis) remain economically and socially marginalized.

Indian Union Territory of Jammu and Kashmir is not covered in this report. Certain territories that are assessed separately in Freedom House's Freedom in the World report are excluded from the relevant country reports in Freedom on the Net, as conditions in such territories differ significantly from those in the rest of the country.

Editor's Note: Following the publication of this report, the Wire removed reporting on Tek Fog from its website pending an internal investigation. While described in this report, the outlet’s stories did not impact India’s score. References can be found in indicators B5 and C7, for which there was no score change in the 2022 report. These references have been updated to reflect the Wire’s modifications to its website. 

Key Developments, June 1, 2021 - May 31, 2022

  • Government programs to expand internet infrastructure have improved access to the internet, particularly in rural areas (see A1 and A2).
  • Officials imposed internet shutdowns throughout the coverage period, though they were primarily short-term, localized restrictions (see A3).
  • In April 2022, the cybersecurity authority released new rules requiring virtual private network (VPN) providers to store information about their users for 5 years, prompting a few providers to remove their servers from the country (see A5 and C4).
  • Government officials ordered websites blocked and content removed from social media platforms throughout the coverage period, including under the Intermediary Guidelines (see B1, B2, and B3).
  • Courts paused contentious provisions of the IT Rules that undermine press freedom, ordered an evaluation of the repressive colonial-era sedition law, and launched an investigation into government use of the spyware Pegasus (see B3, C1, C2, and C5).
  • Allegations emerged in the media that members of the ruling Bharatiya Janata Party (BJP) used an app called Tek Fog to shape public narratives by manipulating social media and coordinating online harassment campaigns. After this report’s publication, the Wire removed their reporting on Tek Fog from their website pending an internal investigation. (see B5 and C7).

A Obstacles to Access

A1 0-6 pts
Do infrastructural limitations restrict access to the internet or the speed and quality of internet connections? 3 / 6

While internet penetration among India’s nearly 1.4 billion population is relatively low, access to the internet continues to rise. According to the Telecom Regulatory Authority of India (TRAI), internet penetration stood at 60.46 percent as of December 2021, representing 829 million internet subscribers—an increase from 58.51 percent in the previous year.1 According to TRAI, 496 million are urban subscribers while 333 million are rural subscribers.2 The Department of Telecommunications has reported that over 558,500 of the more than 597,600 inhabited villages in India have wireless broadband coverage.3

By contrast, the digital analytics company Datareportal’s Digital 2022 analysis identified a national penetration rate of at least 47 percent as of January 2022.4

India’s median connection speed as of May 2022 was 14.28 Mbps for mobile internet and 47.19 Mbps for fixed broadband internet.5 Nearly 97 percent of subscribers accessed the internet through mobile devices as of December 2021, with only 26.58 million having wired internet connections, per TRAI data.6

Several public and private sector initiatives aim to improve internet access. The government has set up over 50,000 public Wi-Fi hotspots under the prime minister’s Wi-Fi Access Network Interface (PM-WANI) scheme, and is planning to set up around 2 million more.7 The finance minister announced in February 2022 that the government plans to launch fifth-generation (5G) mobile network spectrum by 2023, and aims to connect all villages in the country through optic fiber by 2025 to enable affordable broadband.8 Launched in 2011, the government’s BharatNet project has aimed to provide broadband connectivity to all the 250,000 gram panchayats (units of local self-governance at the village level) in India,9 but has faced several delays and challenges (see A2).10 As of February 2022, the initiative connects about 171,000 gram panchayats.11 RailTel, a public sector undertaking under the Ministry of Railways, aims to provide free Wi-Fi internet facilities at railway stations across the country, with 6,100 stations connected as of March 2022.12

The National Internet Exchange India (NIXI), a nonprofit organization set up to facilitate peering between ISPs and improve internet services, announced plans in March 2022 to establish 16 additional internet exchanges to improve internet access.13 In December 2021, 7 new internet exchange nodes were inaugurated in the state of Uttar Pradesh.14 Reliance Jio announced a joint venture with SES, a Luxembourg-based satellite solutions provider, in February, with the aim of providing affordable satellite-based communications services.15

A2 0-3 pts
Is access to the internet prohibitively expensive or beyond the reach of certain segments of the population for geographical, social, or other reasons? 2 / 3

Score Change: The score improved from 1 to 2 as government programs to expand access to affordable internet and address the urban-rural digital divide increased connectivity.

While mobile data plans in India are quite cheap, digital divides remain across geography, language, and gender. According to a 2022 report from the UK-based company Cable, the average cost of one month of broadband services in India is $15.59.16 The Inclusive Internet Index 2021 ranked India 13 out of 100 countries surveyed in the affordability index, defined by cost of access relative to income and the level of competition in the internet marketplace.17 Access to cheap mobile data has served to bridge the digital gender divide by allowing more women to access the internet to participate in markets, join community discourse, and build networks.18 The Indian government maintains its stance on net neutrality by barring differential pricing for data services.19

The rate of subscribers in rural areas is only 37.25 per 100 people, compared with 103.95 per 100 in urban areas.20 Several initiatives aim to narrow the urban-rural divide,21 such as the PM-WANI (see A1).22 The government’s Digital India Programme, launched in 2014,23 plans to extend fiber-optic cables to more rural areas,24 establish internet-connected common service centers (CSCs),25 and provide residents with e-literacy programs.26

Despite delays in implementation and uneven progress made among states,27 the government-led BharatNet project successfully connected almost 70 percent of gram panchayats as of February 2022.28 The Comptroller and Auditor General of India (CAG) reportedly found in July 2021 that the maintenance of cable and other infrastructure under the BharatNet project was inadequate in places, resulting in poor quality of service.29 CSCs initially provided free internet services under the project in 120,000 locations,30 and subsequently began charging users in March 2020 to reduce the project’s financial cost and extend the scope of the service.31 CSCs have trained 10,000 rural community members on the maintenance of the BharatNet telecom infrastructure as of January 2021, with 100,000 total planned, to enable public participation in digital governance.32 The deadline for completion of the BharatNet project has been extended to 2025.33

A significant gender divide persists, with women only making up about a third of Indian internet users.34 According to the 2019–21 National Family Health Survey, only 33 percent of adult women have access to the internet, as opposed to 57.1 percent of men in the country.35 The divide is particularly pronounced in rural areas, and rates of access also vary between states.36 However, the GSMA, a trade body that represents mobile network operators worldwide, noted that the percentage of women who were aware of mobile internet services rose from 19 percent in 2017 to 53 percent in 2021.37 In 2015, Google and Tata Trusts launched the Internet Saathi program to promote digital literacy and provide digital skills training among women.38

With 22 official languages, language remains a barrier to access in India. As of February 2021, the .bharat domain was available in all 22 official languages.39 In December 2020, Google introduced various capabilities to make it easier to use Google services in Indian languages.40 According to a study by Meta, 91 percent of online interaction by women is conducted in English, indicating that access to social media is limited to English-speaking women.41

A3 0-6 pts
Does the government exercise technical or legal control over internet infrastructure for the purposes of restricting connectivity? 2 / 6

Score Change: The score increased from 1 to 2 because the government imposed no severe internet shutdowns during the coverage period—though shutdowns remain common, usually at the local level and for a short term.

India is a global leader in the number of internet shutdowns imposed,42 and local authorities have restricted connectivity since at least 2010.43 While the frequency, geographic distribution, and duration of internet shutdowns had previously been increasing, the number of internet shutdowns has reduced in recent years: 132 internet shutdowns were recorded in 2020, 101 in 2021, and 67 between January and August 2022, according to the Software Freedom Law Center (SFLC). 44 Because the government does not track internet shutdowns across the country, they are monitored by civil society organizations using newspaper reports, right to information requests, and anecdotal evidence.45 Authorities typically justify shutdowns as cautionary measures to maintain law and order, quell potential violence or communal tensions,46 restrict protests,47 prevent the spread of disinformation, or stop cheating on school exams.48 According to a TopVPN report, the Indian government imposed a total of 1,157 hours of connectivity restrictions in 2021, comprising 317.5 hours of total internet blackouts and 840 hours of bandwidth throttling.49

In January and February 2021, during the previous coverage period, internet access was restricted repeatedly in and around Delhi as farmers protested against controversial agricultural bills. For example, on January 26, 2021, the internet was reportedly restricted for 12 hours in several of the city’s districts,50 to “maintain public safety and avert public emergency.”51 The shutdown affected more than 50 million mobile subscribers in the area.52 Previously, in late 2019 and early 2020, during large-scale protests against the controversial Citizenship Amendment Act (CAA), a number of network shutdowns were also imposed across the country.53

In the Jammu and Kashmir region, which is excluded from this report’s scoring criteria (see Overview), the state administration repeatedly orders restrictions on internet services.54 Between August 2019 and January 2020, the government of Jammu and Kashmir ordered the longest internet shutdown in India—a total of 213 days—in the wake of the central government’s abrogation of Article 370 of the Indian Constitution, which provides special status to the state.55

Most of India’s internet infrastructure is privately owned by service providers, thus the government relies on legislative and statutory mechanisms to order shutdowns. Orders to restrict connectivity have been justified under Section 144 of the Code of Criminal Procedure, 1973 (CrPC), which permits state actions to maintain law and order.56 Though courts had previously upheld the use of this law to order shutdowns and had refused legal challenges on this basis, observations by the Supreme Court in 2020 have resulted in some experts suggesting that Section 144 should no longer be utilized to authorize shutdowns.57

The 2017 Temporary Suspension of Telecom Services (Public Emergency or Public Safety) Rules, under the Telegraph Act, 58 authorize only national- or state-level officials of a certain rank to order temporary suspensions in times of public emergency or threats to public safety,59 and mandate that each order must be justified and be forwarded to a review committee for assessment.60 However, several shutdown orders since 2017 were issued under Section 144 of the CrPC by officials not designated under the Telegraph Act rules,61 sparking concerns from civil society groups that procedural safeguards and checks were not followed.62 In November 2020, the government amended the rules to specify that a shutdown order could not be in effect for more than 15 days, but such orders could be renewed.63 Civil society criticized a lack of consultation and public participation in crafting the amendment, and condemned the provision allowing authorities to continually renew the order.64

Courts have directly ruled on the legality of restrictions and in some cases ordered restored services.65 In March 2022, for example, the Calcutta High Court stayed an internet shutdown order issued by the state of West Bengal to prevent cheating in school exams—only the second time an Indian court has stayed such an order, according to the Internet Freedom Foundation (IFF).66 The judges held that in their preliminary view, the order was issued by an authority that was not empowered to do so under Section 144, and that it did not disclose why the internet would need to be suspended.67 High Courts in other states had proceedings relating to the validity of frequent internet shutdown orders pending as of the end of the coverage period.68

In response to the months-long shutdown in Jammu and Kashmir,69 the Supreme Court ruled in January 2021 that orders for connectivity restrictions must be publicly available and should be well reasoned, proportionate, temporary, and present the least-restrictive alternative.70 However, compliance with the ruling remains unclear.71 For example, in October 2020, the Gujarat State government refused a right-to-information request from IFF to publish shutdown orders.72 In February 2022, the government stated in response to a query by a member of Parliament that records of internet shutdowns ordered by state governments are not maintained.73

The government has ordered the blocking of over 200 mobile apps since 2020,74 primarily apps owned by companies based in China, citing concerns related to national security, public order, and the country’s sovereignty (see B2).75 The government banned 54 such apps in February 2022.76 In January 2021, MeitY announced that blocks on 59 of the apps, including TikTok, would become permanent,77 stating that the companies’ responses to government complaints about legal compliance and privacy were unsatisfactory.78

A4 0-6 pts
Are there legal, regulatory, or economic obstacles that restrict the diversity of service providers? 4 / 6

Internet users have a range of choices for mobile and internet connections. While fees to enter the market have served as an economic barrier for some providers, there are no significant obstacles to entry for service providers.

As of December 2021, there were 639 operational ISPs in India.79 The largest service provider, Reliance Jio, had an almost 51 percent share of the market as of December 2021; the top three ISPs—Reliance Jio, Bharti Airtel, and Vodafone—together control nearly 95 percent of the market.80 Reliance Jo also controls the majority of the wireless market, with 36 percent of the market share, followed by Bharti Airtel at 30.8 percent and Vodafone at 23 percent.81 In April 2020, Facebook invested in a 9.9 percent stake in Reliance Jio,82 and the Competition Commission of India (CCI) approved Google’s purchase of a 7.7 percent stake in Jio Platforms (the owner of Reliance Jio) in November 2020.83 In January 2022, Google announced an investment of up to $1 billion in Bharti Airtel, comprising an equity investment of $700 million for a 1.28 percent stake in the company and up to $300 million towards potential multiyear commercial agreements.84

A 2014 universal license framework85 reduced legal and regulatory obstacles by combining mobile phone and ISP licenses. Licensees pay a high one-time entry fee, a performance bank guarantee,86 and annual license fees adjusted for revenue.87

In October 2019, a Supreme Court decision clarified that the percentage of revenues that license holders must pay the government is calculated on the basis of the entire revenue of the license holder, and not just revenue from telecom services.88 In September 2020, the court passed an order giving telecom companies 10 years to pay their dues.89 Both Vodafone Idea and Bharti Airtel are expected to pay millions in overdue fees, raising concerns over their financial stability and the impact on the telecom market.90 As of the end of the coverage period, Vodafone Idea and Bharti Airtel’s challenge before the appellate tribunal for telecommunications disputes, in separate cases, remained pending; the companies challenged a notice from the telecom regulator instructing the companies to pay a cumulative penalty of $374,000 (30,500,00 rupees) for previously denying network interconnectivity to Reliance Jio.91

Roughly 15 submarine cables connect India to the global internet,92 most of which are consortium-owned.93 There are at least 15 landing stations where the cables meet the mainland, spread across five cities,94 with 8 more landing stations expected to be ready by 2025.95 Currently, Tata Communications owns five cable landing stations, Reliance Jio owns two, and Bharti Airtel owns three.96 The state-run telecom operator BSNL owns three landing stations, and Vodafone, Sify, and Global Cloud Exchange own one each.97

A5 0-4 pts
Do national regulatory bodies that oversee service providers and digital technology fail to operate in a free, fair, and independent manner? 2 / 4

The Ministry of Electronics and Information Technology (MeitY) formulates policy relating to information technology, electronics, and the internet.98 The Department of Telecommunications (DoT), under the Ministry of Communications, manages the overall development of the telecommunications sector, licenses internet and mobile service providers, and manages spectrum allocation.99

The TRAI regulates the telecommunications, broadcast, and cable television sectors.100 The TRAI Act mandates transparency in the exercise of its operations, which includes monitoring licensing terms, compliance, and service quality.101 Its reports are published online, usually preceded by a multistakeholder consultation.102 A 2000 amendment to the TRAI Act established a three-member Telecommunications Dispute Settlement and Appellate Tribunal.103

There have been some reservations about TRAI’s independence.104 The central government makes appointment and salary decisions for its members.105 Amendments to the TRAI Act enacted in 2014 allow former government officials to join the regulator two years after resigning from office, or earlier with government permission.106

TRAI opinions, however, are generally perceived as free of undue influence, and the regulator engages in public consultations.107 For example, TRAI sought stakeholder comments in December 2021 on creating a licensing framework to establish satellite gateways, which would help increase access to broadband services in India.108

MeitY has engaged in public consultations around proposed policy and legislative initiatives, including around the various draft data protection bills (see C6).109 In 2018, MeitY held a public consultation on a draft of the Information Technology [Intermediaries Guidelines (Amendment) Rules], which were further updated in 2021 and notified in their renewed form.110 However, critics have pointed out that the subsequently adopted 2021 Information Technology Rules have an expanded scope from the 2018 draft rules, and were notified and enforced without conducting fresh public consultation on the broadened scope and new provisions (see B3, B6, C4, and C6).111

In April 2022, the Indian Computer Emergency Response Team (CERT-In) issued new cybersecurity directions (see C4 and C8), which were released by MeitY without public consultations.112 In response to criticism,113 MeitY invited industry and legal experts and other stakeholders for a closed-door consultation in June 2022 .114 In May, MeitY also invited comments on its draft National Data Governance Framework.115

B Limits on Content

B1 0-6 pts
Does the state block or filter, or compel service providers to block or filter, internet content, particularly material that is protected by international human rights standards? 3 / 6

Political and social information has been blocked by court or government orders in India. Although these orders are not always publicly released, government data show an increasing number of requests. In February 2022, the Minister of Electronics and Information Technology stated in Parliament that in 2021, 6,069 accounts, websites, and URLs had been restricted on government orders under section 69A of the IT Act; the disclosure likely represents both website blocks and takedowns from content hosts (see B2).116 Previously the government stated that it had banned 16,283 websites between 2018 and 2020, including 9,849 websites in 2020.117 Content was blocked for allegedly seeking to stoke anti-India sentiment, or to damage public order, the security of the state, and the interest and defense of India’s sovereignty and integrity.118

The Intermediary Guidelines 2021 provide a regulatory framework for online publishers of news and current affairs and curated audiovisual content. They also give the state emergency powers to block content without a hearing, and authorities have invoked this authority at times.119 From December 2021 to April 2022, the Ministry of Information and Broadcasting issued orders under emergency blocking powers to block 78 YouTube channels, including 18 India-based channels, as well as social media accounts on Twitter and Facebook.120 There have been multiple challenges to the enforcement of these rules, and two high courts ordered interim stays on the application of parts of the IT rules (see B3).121

Several reports have clarified the technology used to block websites in India. The Open Observatory of Network Interference and the Centre for Internet & Society reported that Airtel and Jio use server name indication (SNI)–based filtering to restrict access to websites on government orders.122 In April 2018, Citizen Lab found that India was using internet-filtering technology from the Canadian-based company Netsweeper.123 Service providers appear to restrict different sets of websites. For instance, security researchers identified over 5,000 websites blocked on Atria Convergence Technology’s fixed-broadband services and over 2,000 websites blocked on Bharti Airtel’s networks, per a December 2021 report.124

B2 0-4 pts
Do state or nonstate actors employ legal, administrative, or other means to force publishers, content hosts, or digital platforms to delete content, particularly material that is protected by international human rights standards? 2 / 4

Government actors order social media and other online platforms to remove content, including material protected under international human rights standards. Content restricted under Section 69A of the IT Act decreased in 2021, with 6,096 blocked websites and accounts disclosed that year, compared to a peak of 9,859 in 2020, according to MeitY disclosures; the disclosure likely represents both website blocks and takedowns from content hosts (see B1).125 Moreover, the Intermediary Rules, 2021 have changed the regulatory environment for intermediary liability and require large social media companies to proactively identify and remove offending categories of content, including rape and child sexual abuse imagery, among others (see B3, B6, C4, and C6).126

In June 2022, after the coverage period, Twitter withheld posts and accounts in India following government orders issued throughout 2021. According to Twitter disclosures, the orders related to content from Congress and Aam Aadmi Party (AAP) politicians, journalists including Rana Ayuub, and activists linked to the farmers’ protests, as well as posts from Freedom House.127 In July, Twitter filed a lawsuit over the orders (see B3).

During the farmers’ protests in early 2021, Indian media outlets reported that Twitter briefly complied with orders to block 257 India-based accounts, including those of the journalism magazine Caravan and the farmer’s unions coalition Kisan Ekta Morcha, for allegedly provoking violence, threatening public order, or “making fake, intimidatory, and provocative tweets.”128 It later reversed its decision, citing free expression standards.129 MeitY then cited Section 69A of the IT Act in ordering Twitter to block 1,178 accounts; Twitter complied in part, but did not restrict accounts related to news outlets, journalists, activists, or politicians.130 Twitter was reportedly told that noncompliance could result in imprisonment of up to seven years for employees or financial penalty under Section 69A(3) of the IT Act.131 YouTube also removed music videos in support of the protests, reportedly following a demand by the government.132

Subsequent to the Intermediary Rules being notified in February 2021, MeitY stated that Twitter India had lost its safe-harbor protection under Section 79 of the IT Act for failure to comply with the new IT Rules within the stipulated time, though it subsequently noted that Twitter “appears to be in compliance” (see B6).133 Twitter did not face legal consequences as a result of this incident. In June 2021, police in Uttar Pradesh filed a first information report (FIR) against Twitter and Twitter India, alleging that the platform failed to take down a video of an elderly Muslim man in Loni, Uttar Pradesh (UP), being assaulted, that is alleged to have promoted religious enmity. The FIR also named several journalists, Congress politicians, and the news outlet the Wire.134 The police later issued a notice to the managing director of Twitter, requiring him to physically appear before the investigating officer in UP, but the order was set aside by the Karnataka High Court 135 and the matter is currently pending before the Supreme Court.136

Amid a second wave of COVID-19 in April 2021, MeitY reportedly ordered Facebook, Instagram, and Twitter to restrict an estimated 100 posts, including comments from opposition politicians137 and other public figures, as well as content criticizing the government’s pandemic response and shortages of oxygen and hospital beds.138 The Home Ministry claimed that the posts were spreading misinformation, inciting panic, and hampering the government’s response.139 Facebook also reportedly blocked the #ResignModi hashtag, which referenced Prime Minister Narendra Modi, for a few hours, but claimed it was accidental.140 In May 2021, Reuters reported that MeitY had issued a letter to social media companies asking for the removal of content that used the name or implied the existence of an “Indian variant” of COVID-19.141

After the government banned 59 mobile applications with links to China in June 2020, during the previous coverage period, Google and Apple removed the apps from their respective app stores in India (see A3).142 The government reportedly directed the companies that owned the apps to comply,143 stating that their continued availability would constitute a legal offense.144

Meta’s appeal against a Delhi High Court order to remove videos uploaded from India related to popular religious leader Baba Ramdev and his business, which he claimed were defamatory, remained under consideration during the coverage period.145 In October 2019, the Delhi High Court had ordered Facebook, Google, YouTube, Twitter, and other unidentified internet intermediaries to remove the videos around the world.146

In October 2021, the Andhra Pradesh High Court ordered Facebook, Twitter, YouTube, and other social media intermediaries to remove within 36 hours posts that the court deemed to be objectionable and derogatory against the judiciary and some High Court judges.147 In January 2022, the Central Bureau of Investigation (CBI) claimed that Twitter had not complied with the order since the posts were still visible to users outside the country, and the High Court warned Twitter that it would initiate action if this continued.148 Subsequently, Twitter informed the court that it had taken the necessary steps to remove content flagged by the CBI.149

A 2008 IT Act amendment protected technology companies from legal liability for content posted to their platforms, with reasonable exceptions to prevent criminal acts or privacy violations.150 Intermediary guidelines issued in 2021 require intermediaries to remove access to certain content within 36 hours of a government or legal order under Section 79 of the IT Act (see B3).151 In the 2015 Shreya Singhal v. Union of India ruling, the Supreme Court had reduced the scope of the 2011 intermediary guidelines, and companies were only to act on court and government take-down orders and not on user complaints. The court also clarified that unlawful content beyond the scope of Article 19(2) (restrictions on the right to the freedom of speech and expression) of the Indian Constitution cannot be restricted.152

Intermediaries can separately be held liable for infringing the Copyright Act, 1957,153 under the law and licensing agreements.154 A 2012 amendment limited the liability for intermediaries that link users to material copied illegally, but mandated that they disable public access for 21 days within 36 hours of receiving written notice from the copyright holder, pending a court order to remove the link. Intermediaries can assess the legitimacy of the notice from the copyright holder and refuse to comply.155

B3 0-4 pts
Do restrictions on the internet and digital content lack transparency, proportionality to the stated aims, or an independent appeals process? 2 / 4

In February 2021, the MeitY enacted the Intermediary Rules 2021 (see B2, B6, C4, and C6).156 Significant social media intermediaries—defined as companies whose platforms host at least five million users—have 36 hours from being notified to remove content that is unlawful, including that which undermines state sovereignty, friendly relationships with other states, security, public order, decency, or morality.157 Content that shows nudity or is a depiction of a sexual act must be removed within 24 hours of receiving a complaint.158 Significant social media intermediaries are also required to deploy automated moderation tools to proactively identify and remove offending categories of content, particularly child sexual abuse imagery.159 When content is removed pursuant to terms of use, the companies must notify users, provide clear reasons for the decision, and offer an avenue for appeal.160

Significant social media intermediaries must appoint certain India-based officers. A nodal person of contact is required to coordinate with law enforcement, while a chief compliance officer must comply with takedown orders from a court, government agency, or any other competent authority within 36 hours, and can face potential criminal prosecution under provisions of the IT Act and the Indian Penal Code.161

Separately, social media intermediaries, regardless of their size, must create grievance redressal mechanisms under the Intermediary Rules 2021. A grievance officer must acknowledge complaints about content from any user within 24 hours and resolve them within 15 days.162 The officer is also responsible for orders issued by competent authorities, courts, or other government agencies. The law also empowers authorities to issue emergency blocking orders, but does not specify time limits for the operation of blocking orders or provide affected parties the right to a hearing.163

Additionally, the rules subject digital news media and over-the-top (OTT) platforms to a regulation system and a code of ethics.164 The code instructs content creators to consider whether content affects India’s sovereignty, jeopardizes security, or affects friendly relations with foreign countries.165 OTT platforms are cautioned to consider India’s multireligious and multiracial society and be mindful of content that relates to religion and race.166 A self-regulation body and interdepartmental committee are granted enforcement powers, including recommending that the government block content under the IT Act.

Civil society groups, industry experts, and tech companies have broadly criticized the rules for the increased power they provide the government and potential for adverse impact on free expression, privacy, and access to information.167 Ambiguity around the rules’ definitions and implementation, such as uncertainty as to which entities are considered digital news platforms, has further fueled concern.168 Several legal challenges have been lodged against the rules, questioning their constitutionality (see C4);169 the Bombay and Madras High Courts stayed clauses relating to operation of the code of ethics and the grievance redressal mechanisms in August and September 2021, respectively.170 The impact of these orders on the rules’ information-sharing provisions, which require digital news media publishers to furnish information to the Ministry of Information and Broadcasting (MIB) about themselves, is not immediately clear (see B6).171

OTT streaming platforms undertook some self-regulatory efforts before the Intermediary Rules 2021 were introduced. In February 2021, 17 such platforms—including Netflix, Amazon Prime, and Disney Plus Hotstar—announced they would implement a code for self-regulation proposed in September 2020, under the authority of the Internet and Mobile Association of India.172 However, the code was made redundant with the passing of the Intermediary Rules 2021, which the platforms are obliged to follow.

Blocking of websites takes place under Section 69A of the IT Act and the 2009 Blocking Rules,173 which empower the central government to direct any agency or intermediary to block access to information when satisfied that it is “necessary or expedient” in the interest of the “sovereignty and integrity of India, defense of India, security of the state, friendly relations with foreign states or public order, or for preventing incitement to the commission of any cognizable offence relating to above.”174 Intermediaries’ failure to comply is punishable with fines and prison terms of up to seven years.175

The Blocking Rules apply to orders issued by government agencies, who must appoint a nodal officer to send in requests and demonstrate that they are necessary or expedient under Section 69A.176 The rules provide an extensive review procedure for blocking requests, including a notice provision to impacted parties and an opportunity for appeal,177 but provide exceptions for emergencies.178

The constitutionality of Section 69A and the Blocking Rules of the IT Act was challenged in the landmark 2015 Shreya Singhal case.179 The Supreme Court upheld the constitutionality of both, but read the Blocking Rules180 to include both the right to be heard and the right to appeal. Blocking orders must provide a written explanation and allow for reasonable efforts to contact the originator of the content for a hearing.181 However, the rules continue to require that the orders and actions based on them be kept "strictly confidential”182 ; hence there is no information on the extent of compliance with the judgment.

In September 2018, MeitY ordered the blocking of, a website using satire to criticize the practice of dowry.183 The owner of the website was reportedly not provided with a hearing or the right to appeal, in contravention of Shreya Singhal.184 In consideration of a lawsuit challenging the blocking order, in May 2022 the Delhi High Court directed the government to provide the owner of with a copy of the original blocking order and the opportunity for a hearing.185 The Internet Freedom Foundation noted that this was the first time that MeitY has been required to provide its blocking order to a petitioner, and is one of the rare instances in which a hearing has been provided in a blocking case.186

In August 2021, MeitY refused to respond to Right to Information Act requests relating to blocking orders issued to Twitter against the actor Shushant Singh’s account, stating that blocking information is confidential under the 2009 Blocking Rules and claiming an exemption under the Right to Information Act, 2005.187

In July 2022, after the coverage period, Twitter filed a lawsuit in the Karnataka High Court challenging removal orders issued throughout 2021 (see B2). The lawsuit contends the orders rested on an overbroad interpretation of the IT Act.188

Indian courts can also order content takedowns.189 In 2021, the High Court of Andhra Pradesh ordered the removal of alleged objectionable and derogatory posts against the judiciary and some High Court judges (see B2). Since 2011, courts have blocked content relating to copyright violations through broad John Doe orders, which can be issued preemptively and do not name a defendant.190 ISPs have occasionally implemented such orders by blocking entire websites instead of individual URLs, regardless of whether the websites were hosting pirated material.191 The judiciary has noted that John Doe orders can lead to excessive blocking,192 and civil society has called for greater transparency.193

The IT Act and the Indian Penal Code, 1860 (IPC) prohibit the production and transmission of “obscene material,”194 but there is no specific law against viewing pornography in India. The Delhi High Court in April 2021 heard a matter where an individual’s photos were taken from private social media accounts and uploaded onto pornographic websites without her consent. It outlined a template for how directions should be issued in similar cases, suggesting that websites or online platforms be obliged to immediately remove the content upon receipt of a court order. It further suggested that search engines should deindex and dereference such content, and proactively monitor for and disable access to identical content, among other recommendations.195

There is no legally established right to be forgotten in India, despite several attempts in recent years to codify this principle.196 The draft Data Protection Bill 2021, which was tabled in December 2021 and withdrawn in August 2022, included a provision establishing the right to be forgotten (see C6).197

Social media platforms’ removal of content has lacked transparency and consistency. For example, the Wall Street Journal reported in August 2020 that a Facebook executive in India opposed applying the platforms’ content-moderation rules to at least one member of the ruling party and several other individuals and groups, due to the platform’s business interests.198 Facebook denied claims of bias and stated that the application of their policies was open, transparent, and nonpartisan.199

B4 0-4 pts
Do online journalists, commentators, and ordinary users practice self-censorship? 3 / 4

Threats of criminal charges and increased online harassment have reportedly contributed to more self-censorship among individual people and news outlets, as has the growing influence of the BJP and its recent popular electoral mandates.200 Civil society groups have expressed concern that the Intermediary Rules 2021 may also lead to self-censorship by digital media and OTT platforms.201 Content creators are reportedly wary of increased scrutiny by the government and other stakeholders, particularly in relation to more sensitive topics such as politics and religion.202

Self-censorship over Jammu and Kashmir and COVID-19 in particular has been reportedly common in recent years.203 The Caravan magazine reported that the central government had repeatedly signaled to the media to refrain from publishing criticism of the government’s response to the pandemic.204

However, many independent online outlets, individual journalists, and ordinary users, including those from marginalized communities, continue to report on and speak publicly about controversial or political topics.205

B5 0-4 pts
Are online sources of information controlled or manipulated by the government or other powerful actors to advance a particular political interest? 2 / 4

Manipulated content and disinformation spread by domestic actors, including political parties and leaders, continues to permeate the online environment in India.

Reports from the Oxford Internet Institute (OII) connected manipulated content online to the country’s political parties, noting that major political parties manipulate information on Facebook, Twitter, and WhatsApp to amplify their messaging, attack the opposition, and create division. The OII has noted increasing capacity for online content manipulation from 2019 to 2021, with actors employing greater resources and involving full-time staff dedicated to shaping the information space.206 Both paid commentators and volunteers disseminate disinformation across social media and respond to political developments in real time.207

In February 2021, Newslaundry published a report detailing how the “Hindu Ecosystem” group, created by a member of the BJP, spread content supporting them on social media.208 The report discusses how a network of over 20,000 participants is given content to spread on Twitter at pre-decided times in order to artificially cause certain hashtags to trend. For example, one group admin reportedly requested members to post against the Tandav television show on Twitter using the hashtag #BanTandavNow, which later trended.209

The Facebook Papers, a collection of leaked internal documents from Facebook released in October 2021,210 revealed that Facebook employees had found that bots and fake accounts tied to the ruling party and opposition figures had potentially affected elections in India, and that misinformation was exacerbated by measures aimed at increasing meaningful interaction on the platform.211 A March 2022 Al Jazeera report found that Jio Platforms exploited a loophole in electoral regulations to promote surrogate advertisements for the ruling party on Facebook during the 2019 Lok Sabha elections, and that the party had benefited from how content was promoted via the platform’s algorithmic recommendation systems.212

In December 2020, the EU Disinfo Lab reported on a 15-year domestic and international disinformation operation that aimed to boost international perceptions of India and harm domestic perceptions of the Pakistani and Chinese governments. The campaign was spearheaded by the opaque India-based company the Srivastava Group and amplified by the Indian news organization ANI.213 EU Disinfo Lab found over 750 fake media outlets and over 550 domain names operating in 95 countries.214 The Indian government denied involvement in the operation.215

In January 2022, following a two-year investigation based on information provided by a whistleblower working with the ruling party’s IT Cell, the Wire reported that the ruling party was allegedly using an app called Tek Fog to shape public narratives by manipulating social media trends, automating political messaging, modifying news and articles, phishing inactive WhatsApp accounts, and targeting groups and individuals with abusive and derogatory content, among other actions.216 The government denied the account.217  As of October 2022, the Wire has removed their reporting on Tek Fog from their website pending an internal investigation.

In a 2020 report, Reporters Without Borders (RSF) ranked India as medium-to-high risk for political control over online and offline media distribution networks,218 citing concerns about outlets majority owned or controlled by political officials and factions, or by a politically connected owner.219

B6 0-3 pts
Are there economic or regulatory constraints that negatively affect users’ ability to publish content online? 2 / 3

Online news outlets, blogs, and other publishing platforms were previously not required to register, obtain licenses, or provide information to the state to publish content. However, the Intermediary Rules 2021 imposed new obligations on digital news publishers and OTT platforms to furnish details about their entities to the MIB and provide a monthly report of grievances they have received, along with information about any actions they took in response.220

The MIB issued a notification in May 2021 requiring digital news organizations and OTT platforms to furnish the specified information,221 and later disclosed that over 2,100 such platforms had done so as of January 2022.222 The IFF said it was unclear if the provisions under which the MIB issued the relevant notifications is operational, since high courts have stayed provisions of the IT rules that affect digital media organizations and OTT platforms (see B3).223

The 2019 amendments to the Foreign Direct Investment Policy (FDI Policy) imposed a 26 percent cap for foreign investment in digital media companies, broadly defined as companies that upload or stream news and current affairs through digital media.224 Digital media platforms were given time until October 2021 to comply with the cap.225 In August 2021, Yahoo, which is now owned by US-based Apollo Global Management, announced that it would discontinue its news websites in India, including Yahoo News, due to the FDI policy’s restrictions on foreign investment in digital media companies.226 In November 2020, during the previous coverage period, HuffPost India, the Indian edition of US-based Huffington Post, announced that it was shutting down operations in India due to the FDI policy.227

The government mandated in 2020 that digital media companies must receive preapproval for foreign investment from certain neighboring countries, including China, and introduced regulatory approvals necessary for transfer of shares of Indian digital media companies.228

The Net Neutrality Rules, adopted in July 2018 by the Indian government, are considered among the world’s strongest.229 With only some exceptions, the rules prevent internet providers from interfering with content, including through blocking, throttling, and zero-rating.230 In September 2020, TRAI recommended that the DoT establish a multistakeholder body to monitor ISPs’ compliance with the rules.231 As of November 2021, the recommendations had not yet been implemented.232

The government released updates to the Central Media Accreditation Guidelines in February 2022, which outline accreditation terms for journalists and for eligible news sites. The guidelines have a new clause on the withdrawal of journalists’ accreditation if they act in a manner prejudicial to the country’s security, sovereignty, and integrity; friendly relations with foreign states; or public order; or are charged with a serious offense.233 Press freedom and internet freedom groups raised concerns the guidelines could be abused to censor journalists critical of the government.234

B7 0-4 pts
Does the online information landscape lack diversity and reliability? 3 / 4

Online media content in India is diverse and debate is lively. While digital divides persist, users can increasingly access local-language content (see A2).235 At least one estimate claimed that 70 percent of Indian users could access online news in their local language at the end of 2020.236

Online spaces for the LGBT+ community are growing,237 and there is some representation of LGBT+ people in mainstream digital advertisements, television, and media.238 Nevertheless, civil society groups noted that LGBT+ people and experiences are still not proportionately covered online, particularly during the pandemic.239

Use of virtual private networks (VPNs) is increasing, enabling people to evade government censorship and access more diverse internet content.240 In 2021, the Parliamentary Standing Committee on Home Affairs recommended that the government ban the use of VPNs on the grounds that it allows criminals to remain anonymous online (see B1 and C4).241 However, this proposal has been criticized for having the potential to violate privacy rights, security, net neutrality, and internet access, as well as for being unlikely to deter criminal activity online.242

Misinformation undermines users’ ability to access reliable information.243 False and misleading information about the COVID-19 pandemic has been rampant on social media platforms, especially WhatsApp.244 A 2021 study found that India was the most prevalent source of COVID-19 misinformation debunked by fact-checkers, out of the 138 surveyed countries.245

Unreliable information regarding the death toll of Chinese soldiers also spread online amid the India-China border dispute in June 2020, during the previous coverage period.246 Misinformation and doctored videos have led to offline violence.247 Earlier, at least 24 people were reportedly killed in 2018 alone in connection to rumors spread on WhatsApp, often about child kidnappings.248

B8 0-6 pts
Do conditions impede users’ ability to mobilize, form communities, and campaign, particularly on political and social issues? 4 / 6

Digital activism has driven important social debates and at times has helped usher in policy changes. However, local authorities continued to impose internet shutdowns amid protests.

Internet users led online campaigns during the coverage period. For example, in December 2021, doctors across the country used online communication and other tools to mobilize over severe staff shortages caused by a delay in the admission process for new resident doctors.249

In 2021, amid the farmers’ protests, the government ordered multiple internet shutdowns for areas in and around New Delhi,250 and ordered Twitter to restrict access to the accounts of several individuals and organizations that were sharing protest-related information.251 Local police reportedly monitored social media platforms for accounts spreading purported misinformation and “incendiary” content,252 and several journalists and users, including member of parliament Shashi Tharoor,253 faced legal action over protest-related posts .254

In September 2021, the Haryana government reportedly ordered internet shutdowns for at least a day in 5 districts of the state in response to the farmers’ protests.255 However, despite the increased censorship and other attempts to limit mobilization, social media and other digital platforms were used extensively to disseminate information about the agricultural laws and live updates on the protests, and to spur national and international conversation.256 In December 2021, in response to the digital and on-ground mobilization and opposition from farmers, the government repealed the contentious laws that had prompted the farmers’ protests.257

Online campaigns related to the COVID-19 pandemic also continued. When the Indian health care system was overwhelmed amid a second wave in April 2021, people turned to social media to help organize relief efforts.258 During this period, the Supreme Court ordered state governments and the police to not clamp down on calls for help or related information sharing on social media.259

C Violations of User Rights

C1 0-6 pts
Do the constitution or other laws fail to protect rights such as freedom of expression, access to information, and press freedom, including on the internet, and are they enforced by a judiciary that lacks independence? 4 / 6

The Constitution of India grants citizens the fundamental right to freedom of speech and expression,260 including the right to gather information and exchange thoughts within and outside India.261 The right to access information is also recognized as an inalienable component of free expression rights,262 and press freedom has been read into the freedom of speech and expression clauses.263 These freedoms can be restricted by law (but not by executive action) in the interests of state security, friendly relations with foreign states, public order, decency and morality, and the sovereignty and integrity of India, as well as in instances related to contempt of court, defamation, and incitement.264

The judiciary is independent. Although commentators have argued that the courts show signs of politicization,265 judgments continue to protect free expression and other constitutional rights. Throughout the coverage period, high courts in different states have stayed the application of different parts of the IT Rules to protect the rights of the media (see B3 and B6).266 In May 2022, the Supreme Court ordered that the sedition law under Section 124A of the Indian Penal Code to be effectively kept in abeyance until the government evaluates that provision (see C2).267

A 2015 Supreme Court ruling struck down a broad provision of Section 66A of the IT Act that criminalized information causing "annoyance,” “inconvenience,” or “danger,” among other ill-defined categories. Nevertheless, cases continue to be registered under this provision, and the Supreme Court has issued notice requiring high courts to report all cases filed under Section 66A (see C2). Additionally, the court in the Shreya Singhal judgment268 affirmed that free speech online is equal to free speech offline (see B3).269

Courts have also addressed the right to internet access. In September 2019, a single-judge bench of the Kerala High Court found that freedom of expression includes access to the internet and internet infrastructure.270 The Supreme Court’s January 2020 Anuradha Bhasin judgment placed limits on restrictions to internet access (see A3).271

C2 0-4 pts
Are there laws that assign criminal penalties or civil liability for online activities, particularly those that are protected under international human rights standards? 2 / 4

The Indian Penal Code (IPC) criminalizes several kinds of speech. Individuals can be sentenced to between two and seven years in prison for speech that is found to be seditious,272 obscene,273 defamatory,274 to promote “enmity between different groups on ground of religion, race, place of birth, residence, language,”275 is deemed “prejudicial to maintenance of harmony,”276 or consists of statements, rumors, or reports that may cause fear or alarm, disturb public tranquility, or promote enmity or ill will.277 A 2016 Supreme Court judgment ruled that laws criminalizing defamation (Sections 499 and 500 of the IPC and Section 119 of the CrPC) are constitutional.278 A June 2021 Supreme Court ruling that quashed a sedition lawsuit against journalist Vinod Dua for comments criticizing the prime minister in a YouTube video may reflect the court’s concern about the constitutionality of the sedition clause (see C1).279

The Official Secrets Act criminalizes communication of information that may have an adverse effect on the sovereignty and integrity of India.280 The National Security Act allows the police to detain an accused person for up to one year without charge, and has been invoked in relation to speech online.281

Section 67 of the IT Act bans the publication or transmission of obscene or sexually explicit content in electronic form, and Section 66D punishes the use of computer resources to impersonate someone else to commit fraud. While the Supreme Court in 2015 struck down Section 66A (see C1) for being vague and overbroad, similar complaints continue to be registered under the provision, as well as under Sections 67, 66D, and the IPC (see C3).282 In August 2021, the Supreme Court issued a notice to all high courts to report cases filed under section 66A, in a case pertaining to the continued use of the provision by law enforcement agencies and the lower judiciary, stating “this cannot continue.”283

Uttar Pradesh’s chief minister reportedly directed state officials to charge people under the National Security Act and Gangsters Act for spreading “rumors” about oxygen shortages.284 In May 2021, the Supreme Court directed state officials and police to not take legal action for social media posts seeking to obtain medical supplies (see C3).285

C3 0-6 pts
Are individuals penalized for online activities, particularly those that are protected under international human rights standards? 2 / 6

Users and journalists risk being arrested and detained for political, social, and religious speech or other forms of online content authorities deem objectionable or derogatory, especially during major political events.

Journalists were arrested for their online posts during the coverage period.286 In June 2021, the police filed charges against various journalists, Twitter and Twitter India, and the media organization the Wire, among others, for sharing videos of violence against an elderly Muslim man in the state of Uttar Pradesh (see B2).287 Police stated that the video was related to a financial dispute and was not motivated by religion,288 and that the social media posts may amount to criminal conspiracy and attempts to destroy communal harmony and spread false news.289 Journalist Rana Ayyub approached the Bombay High Court and was granted temporary protection from arrest for four weeks through anticipatory bail;290 a number of charges were filed against her, but she was not arrested. Others against whom charges were filed were questioned by the police, including Mohammed Zubair, cofounder of the fact-checking website AltNews.291

Similarly, in November 2021, Samriddhi Sakunia and Swarna Jha, both journalists with the online outlet HW News Network, were reportedly arrested by the Tripura police for tweets relating to their investigation of alleged religious vandalism in the state of Tripura.292 The police alleged that videos posted by the two journalists, where they claimed that a prayer hall was burnt down and a religious text was damaged, had been doctored.293 They were arrested on charges of criminal conspiracy, spreading communal disharmony, and breach of peace, and were later granted bail.294 In a separate incident related to the same violence, the Tripura police also reportedly registered cases against four lawyers under the Unlawful Activities Prevention Act, 1967 (UAPA) and the Indian Penal Code for allegedly promoting communal disharmony for their social media posts on the incident.295 The Tripura police also served notices to 102 individuals under the UAPA for their social media posts on the violence, and sent letters to social media companies requesting details of the account holders.296

In June 2022, after the coverage period, Delhi police arrested Zubair, of Alt News, a prominent fact-checking website, after a Twitter user filed an FIR over a 2018 post. Police filed charges alleging that the tweet, which purportedly showed an image of a hotel board referencing a Hindu god, promoted enmity between different groups and outraged religious feelings under the penal code.297 In July 2022, the Supreme Court ordered Zubair’s release on bail.298

In October 2020, Siddique Kappan, a journalist for the news website Azhimukham, was reportedly arrested and initially remanded for 14 days on charges of sedition and violating the Unlawful Activities Prevention Act while he was on his way to cover a murder and sexual assault (see C7).299 In September 2022, after the coverage period, the Supreme Court ordered Kappan released on bail, subject to stringent conditions, and affirmed right to freedom of expression. Kappan remained detained on charges of money laundering registered against him by the Directorate of Enforcement.300

In October 2021, three Kashmiri students in Agra were reportedly arrested for allegedly sending anti-India WhatsApp messages after Pakistan's victory in a T-20 cricket World Cup match.301 They were granted bail in March 2022 and released from custody after 5 months of pretrial detention, after being charged for sedition under the penal code and cyber-terrorism under the IT Act, among other charges.302 In a separate incident, a teacher from Udaipur was also reportedly arrested for posting celebratory status messages on WhatsApp after the match.303 The teacher was later released on bail and the school that she was teaching at subsequently terminated her employment.304 In May 2021, a professor from Delhi University was reportedly arrested for posting a satirical tweet about the alleged discovery of a Hindu religious structure inside the Gyanvapi mosque in Uttar Pradesh.305 While he was granted bail, he was also instructed by the court to refrain from posting on social media or providing interviews on the controversy.306

During the reporting period, individuals were penalized for publishing or sharing content concerning politicians in India. In March 2022, a member of the ruling party’s youth wing was reportedly arrested for defamation in the state of Tamil Nadu for his tweet claiming that a jacket worn by Tamil Nadu chief minister MK Stalin cost around an exorbitant amount of money attributing that information to the state’s finance minister.307 He is currently in judicial custody for his remarks.308

Similarly, in April 2022, a member of the legislative assembly from Gujarat was reportedly arrested for posting a tweet about the prime minster that purportedly claimed he was a supporter of Nathuram Godse, who assassinated Mahatma Gandhi.309 After being provided bail, he was rearrested in a separate case,310 but was granted bail in the second case as well.311

Research by human rights and media organizations found that many journalists, activists, and ordinary users were criminally charged and arrested for their online posts amid the farmers’ protests in 2021.312 Numerous people were also reportedly arrested, charged, or threatened with legal sanction in relation to online speech during the country’s second wave of COVID-19 in 2021.313

C4 0-4 pts
Does the government place restrictions on anonymous communication or encryption? 2 / 4

Some laws risk undermining end-to-end encryption and limiting anonymity online. Prepaid and postpaid mobile customers have their identification verified before connections are activated.314 There is a legal requirement to submit identification at cybercafés315 and when subscribing to internet connections.

The Intermediary Rules 2021 impose certain restrictions for anonymity and encryption (see B3, B6, and C6).316 Significant social media intermediaries must allow users to “voluntarily” verify their accounts, including through mobile numbers, and clearly mark which users have done so. Digital rights organizations have expressed concerns that this verification could be made mandatory in the future.317 The rules also require that significant intermediaries be able to identify the first originator of information if requested by a competent authority or court in certain cases related to public order, sexually explicit or child abuse material, and India’s sovereignty, integrity, and security.318 Technical experts have raised concerns that such traceability is not possible without breaking end-to-end encryption319 as this would require the intermediaries to track every message being sent over the platform,320 despite the government’s claim that it did not intend to undermine the technology.321 The government released a list of frequently asked questions on the Intermediary Rules in November 2021, which stated that the intent of the rule on identifying the first originator of a message was not intended to break or weaken encryption.322 The state has not subsequently undertaken any steps to ensure the traceability of the first originator of information.323

In April 2022, the Indian Computer Emergency Response Team (CERT-In) issued a set of directions under the IT Act requiring cloud service providers and cryptocurrency exchanges to log user data for five years.324 While the use of VPNs remains legal in India, VPN providers now need to store user names, addresses, contact numbers, period of subscription, email and IP addresses, and the purpose of using their services.325 Companies have argued that logging such information would violate their users’ privacy and may also be technically unfeasible.326 After the directions were issued, VPN providers including ExpressVPN and SurfShark announced that they are shutting down India-based servers;327 others, including TunnelBear, announced their services would no longer be available to users in India.328 Clarifications on the rules issued in May clarify that the provisions would not be applicable to corporate and enterprise VPNs.329

In May 2021, WhatsApp filed a suit against the government in the Delhi High Court, arguing that the message traceability provisions of the IT Rules violated the right to privacy.330 The matter is still pending before the Delhi High Court, and the government reportedly filed an affidavit arguing that WhatsApp—as a foreign company with no Indian entity—could not avail of certain fundamental rights, or challenge the constitutionality of an Indian law.331

In October 2020, the Indian government joined those in Japan, the United Kingdom, United States, Canada, Australia, and New Zealand in a statement requesting that social media platforms like Facebook and WhatsApp allow law enforcement access to encrypted communications and provide content in a “readable and usable format.”332

ISPs setting up cable-landing stations are required to install infrastructure for surveillance and keyword scanning of all traffic passing through each gateway.333 The ISP license bars internet providers from deploying bulk encryption; restricts the level of encryption for individuals, groups, or organizations to a key length of 40 bits;334 and mandates prior approval from the DoT or a designated officer to install encryption equipment.335

C5 0-6 pts
Does state surveillance of internet activities infringe on users’ right to privacy? 1 / 6

In August 2017, a landmark Supreme Court ruling affirmed privacy as a fundamental right embedded in the right to life and liberty, and intrinsically linked to other fundamental rights like free expression.336 State surveillance can nevertheless infringe on this right. 337

Communications surveillance may be conducted under the Telegraph Act338 and the IT Act339 to protect defense, national security, sovereignty, friendly relations with foreign states, public order, and to prevent incitement to a cognizable offense. Section 69 of the IT Act broadly allows surveillance for “the investigation of any offense.”340

The home secretary at the central or state level issues interception orders based on procedural safeguards established by the Supreme Court and the Telegraph Act.341 These orders are reviewed by a committee of government officials.342 Interception orders are limited to 60 days, and renewable for up to 180 days.343 In emergencies, phone tapping may take place for up to 72 hours without clearance; records must be destroyed if the home secretary subsequently denies permission.344

In December 2021, amid searches by income tax authorities, an opposition leader alleged that the Uttar Pradesh state government was tapping the phones of members of his party ahead of the state’s March 2022 elections.345 Police are also investigating two alleged instances of unauthorized phone tapping conducted by the state investigation department against political leaders in the state of Maharashtra.346

The Central Monitoring System (CMS) reportedly allows government agencies to intercept any online activities, including phone calls, text messages, and Voice-over-Internet-Protocol (VoIP) communication.347 A petition filed by the Centre for Public Interest Litigation and the Software Freedom Law Centre in December 2020 argued that CMS and two other programs (the surveillance software NETRA or Network Traffic Analysis348 and the integrated intelligence grid NATGRID) should be discontinued because they allow bulk surveillance and data collection.349 The matter is currently pending before the court and was due to be heard in September 2022.350 In February 2021, the Ministry of Home Affairs in an affidavit before the Delhi High Court claimed that agencies are not granted “blanket permission” for surveillance, that surveillance programs are necessary to monitor “terrorism, radicalization, cybercrime, [and] drug cartels,”351 and that there is sufficient oversight on such surveillance activities.352

The Indian government is suspected of using sophisticated spyware technology against citizens. In October 2019, WhatsApp claimed that Pegasus software from the Israeli NSO Group was used to spy on at least two dozen activists, lawyers, academics, and journalists in India in May 2019.353 In July 2021, Amnesty International and Forbidden Stories reported that more than 1,000 phone numbers in India—including those belonging to politicians with the Congress party, activists, journalists, public health experts, and Tibetan exiles—appeared in a leaked data set of possible Pegasus targets.354 While it is unclear how many phones were targeted by Pegasus, preliminary reporting indicates that the spyware infiltrated the devices of at least 149 people in India.355

While NSO claims to only work with state agencies, government officials have repeatedly denied purchasing its software.356 However, when questioned about the claims, the minister of state in the Ministry of Home Affairs argued that Section 69 of the IT Act and Section 5 of the Telegraph Act allow certain authorities to intercept, monitor, or decrypt “any information from any computer resource” in the country.357 The Internet Freedom Foundation has reported that state investigations into the hack remain confidential.358

In August 2022, after the coverage period, a panel convened by the Supreme Court in October 2021 submitted its report following an independent probe into claims the government used Pegasus. The Supreme Court noted that the government did not cooperate with the investigation.359 As of September 2022, the report had not been publicly released, though the court has stated that it plans to do so.360

Separately, Citizen Lab and Amnesty International reported finding evidence that at least nine academics, lawyers, writers, and activists were targeted between January and October 2019 in a spear-phishing campaign to install the spyware NetWire.361 The targeted individuals included human rights defenders calling for the release of activists arrested for allegedly participating in protests and violence in Maharashtra, including prominent activists Rona Wilson and Anand Teltumbde.362 In February 2022, cybersecurity firm SentinelOne attributed the campaign to a threat actor dubbed ModifiedElephant.363

The government uses the Aadhaar national biometric database for the provision of multiple public services, including food stamps and various scholarships and employment schemes.364 The system’s use poses concerns regarding data privacy and security.365 Breaches of Aadhaar data were reported in 2017,366 2018,367 2019,368 2020,369 and 2021.370 In March 2020, it was reported that the government planned to build a database called the National Social Registry that will use data from Aadhaar371 and capture a vast amount of other personal information including individuals’ marital status, financial status, and property owned.372 Critics, including Manorajan Kumar, the civil servant who first proposed the National Social Registry, have expressed concerns about privacy and potential data manipulation arising from the system’s envisioned implementation.373

In September 2018, the Supreme Court set limits on Aadhaar’s use.374 The ruling held that it was legitimate for the program to be mandatory for welfare schemes and that Indians must link their Aadhaar number to income tax filings and permanent account numbers, but that it cannot be required for services such as obtaining a SIM card, opening a bank account, and receiving educational grants. Despite this, Parliament passed in July 2019 the Aadhaar and Other Laws (Amendment) Bill,375 which civil society groups argue ignores the Supreme Court ruling.376 As of the end of the coverage period, a case challenging the law was pending in the Supreme Court.377 The court has also directed that a larger bench be set up to review the 2018 judgment, but the bench has not yet been constituted.378

The Data Protection Bill, 2021 has been criticized for providing extensive powers and exemptions to the central government (see C6).379 Clause 35 exempts state agencies from complying with limitations if surveillance is “necessary and expedient” or “in the interest of sovereignty and integrity of India, the security of the state, friendly relations with foreign states, [and] public order,” and for preventing incitement to offenses relating to the foregoing.

There has been a lack of transparency and oversight, and in some cases an insufficient legal framework, to ensure that COVID-19-related technology does not undermine privacy.380 For example, the contact-tracing app Aarogya Setu, the use of which was active until June 2022,381 uses data gleaned from Global Positioning System (GPS) and Bluetooth technology.382 Government agencies are permitted access to information stored on a centralized database.383 The app has poor encryption standards.384

C6 0-6 pts
Does monitoring and collection of user data by service providers and other technology companies infringe on users’ right to privacy? 2 / 6

Technology companies are required to collect extensive personal data, and a variety of laws provide government agencies the ability to access this information.

Ten separate intelligence bodies are authorized to issue surveillance orders to service providers.385 Online intermediaries are required by law to “intercept, monitor, or decrypt” or otherwise provide user information to officials.386 The Telegraph Act levies civil penalties or license revocation for noncompliance,387 and violations of the IT Act can lead to a maximum 10-year jail term.388 Unlawful interception is punishable by a lesser sentence of three years.389

The Intermediary Rules 2021 changed the way companies must share information with government agencies in certain circumstances (see B3, B6, and C4). The rules require intermediaries to provide the government with data within 72 hours of receipt of a written order to verify identity, or for the prevention, detection, investigation, or prosecution of offences under domestic law.390 The rules also impose new data-retention policies requiring intermediaries to store information for 180 days. 391

India does not have a data-protection law in force. In December 2021, the Joint Parliamentary Committee submitted its report on the Personal Data Protection Bill, 2019 before Parliament and introduced a revised Data Protection Bill, 2021 (DPB 2021).392 The government withdrew the bill in August 2022, after the coverage period, stating plans to draft a “comprehensive legal framework” instead.393

The DPB 2021 reaffirmed the importance of consent in personal-data protection and required consent for processing. The law permitted nonconsensual data processing in some circumstances, including "for the performance of any function of the state authorized by law."394 The bill also contained broad exemptions for state agencies, including when deemed “necessary and expedient” for issues ranging from the sovereignty and security of India, security of the state, and public order, to preventing the incitement of specific kinds of offenses.395 These exemptions were criticized—including by members of Parliament who submitted dissent notes to the JPC report—as providing blanket exemptions to the government and making it easier for authorities to sidestep the jurisdiction of a data-protection law.396 Experts also raised concerns about the independence, transparency, and accountability of the proposed regulator, the Data Protection Authority, which would be responsible for ensuring compliance with the DPB 2021.397 The bill also proposed a hybrid data-localization model,398 and the JPC report calls on the government to produce a data-localization policy.

Standard Operating Procedures for Lawful Interception and Monitoring of Telecom Service Providers—regulations issued in 2014399 —restricted interception to a service provider’s chief nodal officer, and mandated that interception orders be made in writing.400 Rules issued in 2011 under the IT Act provided for greater protection of personal data handled by companies,401 but do not apply to the government.

The telecom license agreements require service providers to guarantee the designated security agency or licensor remote access to information for monitoring;402 ensure that their equipment can provide for centralized interception and monitoring; and provide the geographic location of any subscriber at a given point in time.403 A 2011 Equipment Security Agreement requires telecom operators to develop the capacity to pinpoint any customer’s location within 50 meters.404

Between January and December 2021, India was the second-highest requester of user data from Twitter and Facebook, while also being one of its biggest markets.405 In the period from July to December 2021, Facebook received 50,382 such requests involving 81,501 users and accounts from the Indian government, and complied with 64 percent.406 During the same period, Microsoft reported 722 legal requests from law enforcement agencies in India and provided noncontent data in 19.94 percent of cases.407 In the same period, Twitter received 2,211 information requests from the Indian government relating to 7,768 accounts, and complied with 5.6 percent.408

C7 0-5 pts
Are individuals subject to extralegal intimidation or physical violence by state authorities or any other actor in relation to their online activities? 2 / 5

Trolling and violent threats for online activity continued in the reporting period. Journalists continued to face intimidation, coming in the form of criminal charges and lawsuits, as well as extralegal harassment.

Media outlets have reported widespread online harassment and trolling of investigative journalist Rana Ayyub in response to her work.409 In February 2022, the Enforcement Directorate, one of the government’s financial investigation agencies, reportedly launched a money-laundering investigation against Ayyub in relation to alleged misappropriation of COVID-19 relief funds raised primarily through crowdfunding platform Ketto.410 . Ayyub has called the investigation a baseless smear campaign.411

Indian media outlets have reported incidents of police intimidating and harassing other journalists for their work. The Uttar Pradesh police filed an FIR in June 2021 against three prominent journalists and writers—Ayyub, Saba Naqvi, and Mohammed Zubair—for tweeting a video of an elderly Muslim man being assaulted (see B2 and C3).412 In June and July 2021, Haryana police harassed, threatened, and obstructed journalists—including reporters from the Wire, the new site Newslick, and the YouTube news channels Mojo Story and the Tsunami—attempting to report on the demolition of homes in a village of Khori Gaon and associated protests; the officers prevented them from recording footage and conducting interviews.413

Members of political parties have been accused of directly disseminating incendiary content or other violent threats online. The Wall Street Journal reported in August 2020 that a BJP politician’s violent and Islamophobic content on Facebook, including calls for Rohingya Muslims to be shot, violated the platform’s policies.414 In February 2021, a YouTube video calling for certain journalists to be executed was reportedly shared widely on Twitter, including by some leaders of the ruling party.415 In September 2020, a navy veteran was reportedly beaten by affiliates of the Shiv Sena party for sharing a cartoon mocking the chief minister of Maharashtra on WhatsApp.416

In November 2021, journalist and right to information activist Buddinath Jha, who reported for his Facebook news page BNN News Benipatti, was found burnt to death. Jha had previously received death threats and offers of bribes in relation to his reporting on corruption in local health care clinics.417 In August 2021, Chenna Kesavulu, a journalist who had exposed the corruption of a local police officer in a series of YouTube videos, was stabbed to death by the officer and his brother.418

Abuse and trolling are worse when the victim is a woman, is an adherent of a minority religion, is from a lower caste, or otherwise identifies within a marginalized group.419 A January 2020 Amnesty International report stated that one in seven tweets directed at women politicians were abusive in nature, amounting to an average of 113 abusive tweets per day per woman.420 Women from marginalized communities faced the worst of the abuse: Muslim women faced 94 percent more ethnic and religious slurs, and women from Bahujan backgrounds received 59 percent more abusive caste-based tweets compared to women from upper-caste backgrounds.421

An investigation conducted by the Wire reported that social media operatives allegedly linked with the ruling party used an app called Tek Fog to target journalists, individuals, and other groups with phishing attacks and other harassment, as well as to spread propaganda and hijack twitter trends (see B5).422  As of October 2022, the Wire has removed their reporting on Tek Fog from their website pending an internal investigation. 

Other apps have reportedly been used to coordinate online harassment campaigns against prominent Muslim women. In January 2022, an app called “Bulli Bai” surfaced, which reportedly used photographs and deepfakes of prominent Indian Muslim woman journalists and ordinary women to “auction” the women online.423 The “Sulli Deals” app, which surfaced in July 2021, reportedly created online profiles and uploaded photos of over 80 Muslim women, including activists, journalists and politicians, describing them as "deals of the day."424 Both apps are named after colloquial slurs for Muslim women, and have targeted women with a prominent digital presence.425 The creators of both apps have been arrested and charged with promoting enmity between groups, sexual harassment, and causing disharmony, among other offenses.426

C8 0-3 pts
Are websites, governmental and private entities, service providers, or individual users subject to widespread hacking and other forms of cyberattack? 2 / 3

India remained a frequent target of cyberattacks during the coverage period,427 Many cyberattacks are suspected to emanate from actors in China.428 Hackers based in China reportedly attempted 40,300 cyberattacks against Indian IT and banking infrastructure—including distributed denial of service (DDoS) attacks, phishing attempts, and attempts to hijack IP addresses—across five days in June 2020, amid a border dispute between China and India.429 In February 2021, the National Critical Infrastructure Protection Centre warned about attempts by a Chinese-based hacking group to break into the Telangana grid control systems.430 State-backed attacks originating in Pakistan431 and Iran432 have reportedly also targeted Indian government systems.

Reports suggest that cybersecurity attacks and breaches increased dramatically since March 2020.433 In October 2020, Mumbai suffered a multihour power outage that affected hospitals, transportation, and other critical services.434 In November 2021, a server vulnerability in the Punjab National Bank (PNB) allegedly left its entire banking systems open to access, though the bank stated that the affected servers did not have any sensitive or critical information, and denied that the vulnerability threatened customer data.435 In January 2022, it was reported that the contact information and COVID-19 test results of thousands of people in India had been leaked from a government server and subsequently put on sale on a website notorious for hosting material from large-scale database leaks.436

According to MeitY, the number of ransomware incidents in India has been increasing in recent years, and more than doubled from 54 incidents in 2020 to 132 incidents in 2021.437

The Information Technology Act is the primary legislation governing cybersecurity, and lays out penalties for damaging computers and computer systems.438 The IT Act penalizes hacking, introducing malware, and DDoS attacks that result in significant damage or disruption to essential services.439 The law also allows the government to define resources as “critical information infrastructure.”440 In August 2020, the prime minister announced that the government is developing a new cybersecurity policy to counter increased cyberattacks.441 As of the end of the coverage period, the policy, known as the National Cyber Security Strategy 2021, remained pending. The policy aims to create a multistakeholder organizational framework with a dedicated authority for cybersecurity concerns.442 The April 2022 CERT-IN directive (C4) also requires all service providers, intermediaries, data centers, companies and government organizations in India to report cybersecurity incidents within six hours. 443