A report by an NGO, The India Child Protection Fund, about the sudden spurt in access to child pornography in India in the initial days of lockdown, surprisingly, neither showed any signs of uneasiness in the society nor did it trigger any debate on the issue. However, when screenshots of ‘bois locker room’ chat were leaked on social media, there were some certain knee-jerk reactions including filing of a petition in the Supreme Court.
In the first case, there was no anguish because pornography contents are not monitored and reported by any agency or Internet Service Provider (ISP) in India. In the second case, the details were sought by the police from Facebook as data is not stored locally. It is, therefore, necessary to review the Indian law on child pornography -- or child sexual abuse material (CSAM) -- vis-a-vis the model legislation which is necessary to fight this moral cancer which is proliferating every year with more and more children becoming victims.
The International Centre for Missing and Exploited Children (ICMEC), in its 2018 report on ‘Model Legislation & Global Review’, studied a set of criteria to gain full understanding of national legislation of 196 countries into six parts -- definition of child and CSAM, offences, mandatory reporting, industry responsibility, sanctions and sentencing and law enforcement and data retention.
Let us see how close India is to the model law on child pornography.
The Indian law is at par with the model law as far as definition of ‘child’ is concerned. It is true that while a person under the age of 18 may be able to freely consent to sexual relation, such an individual is not legally able to consent to any form of sexual exploitation, including CSAM. Therefore, defining ‘anyone under the age of 18 years as a child’ across the globe is a welcome move. The model law also requires the term “CSAM” to be defined separately rather than “child pornography” to more accurately describe the criminal nature of such material and to avoid any confusion regarding consent. It should also include technology-specific terminology, which India does.
In India, both the IT Act, 2000 (section 67-B) and the POCSO Act, 2012 (section 13) define “child pornography” separately. This has led to some differences like, the POCSO Act includes ‘representation of the sexual organs of a child’ for the purposes of sexual gratification as an offence under pornography but the IT Act does not. Similarly, whereas the IT Act defines offence and prescribes punishment in the same section, the POCSO Act does it separately. Therefore, if CSAM is defined separately, not only the need to define the term in each statute could be avoided, but variance with the model law can also be eliminated.
The model law requires that ‘knowing possession’ and ‘knowingly downloading or knowingly viewing’ should be an offence. The IT Act (Section 67-B) says that whoever ‘collects, seeks, browses, downloads’ child pornography is an offender. Whether the act is done accidentally or knowingly is left for court’s interpretation as there is a vital difference between inadvertently viewing an image and actively downloading. The POCSO Act punishes only those who store child pornographic material for commercial purposes. This caveat of ‘commercial purposes’ must go and mere possession of CSAM should be made a criminal offence. Similarly, offering information on where to find CSAM by providing a website address should also be criminalised, which is missing at present. ‘Grooming’ is included as a sub-section of section 67-B but not defined separately. It includes ‘cultivating, enticing or inducing children to online relationship for and on sexually explicit act’ but does not include sharing pornography images of the self or child which has been found most common for building relationship of trust.
There is no enhanced punishment for producing and transmitting child pornography. The punishment is up to five years imprisonment and ten lakh rupees fine for the first offence and seven years imprisonment and ten lakh rupees fine for the second or subsequent offence, both for adult as well as child pornography. Child pornography must be viewed as a more harmful and serious offence.
The Internet Watch Foundation (IWF) in its annual report has revealed that about one-third of CSAM in the year 2018 was transmitted in real-time, which is a dangerous trend. Therefore, transmission of ‘real-time’ CSAM should be made a distinct offence. Currently, recording abuse of self is only an offence. Similarly, an attempt to commit offence (of child pornography) has been made punishable under the IT Act (section 84-C) only when the act is committed in furtherance of attempt and not per se. This must be amended and attempt to commit offence of child pornography in itself be made punishable.
The third parameter of the model law is mandatory reporting of CSAM by the ISPs. ISPs are the channels through which proliferation of CSAM activities take place. It is, therefore, crucial that ISPs report illicit contents discovered on their networks to law enforcement agencies or another mandated agency as soon as they become aware of it. In the US, the National Centre for Missing and Exploited Children (NCMEC) reported that in 2017 alone, it received more than 10 million reports from the US-based ISPs, as it is mandatory under the federal law to notify such contents to the NCMEC.
However, in India, the intermediaries are not responsible for communicating third party information to any agency under the current law. In the Shreya Singhal case (2015), the Supreme Court (SC) held that either a court order or notification by the appropriate government or its agency is a must for the ISP to remove or disable access to illicit material. Thus, ISPs are not suo motu responsible for notifying the law enforcement agencies of any CSAM it carries through its channels.
Similarly, banks, credit card companies and others in the payment industry are under no obligation to report any money transfer to purchase CSAM. Financial companies must be vigilant and should be required to report CSAM transactions to law enforcement or another mandated agency whenever transactions are discovered. Though, the US Financial Coalition Against Child Pornography (FCACP) proactively coordinates with the law enforcement agencies to eradicate the commercial trade of CSAM online, India is yet to play a proactive role.
Fourthly, the technology companies must be obligated to utilise technology tools to scan their platforms and networks to identify and eliminate CSAM. Tools like PhotoDNA can detect CSAM being uploaded, shared and stored on devices connected to a network so that it can be removed. The Council of Europe’s Convention on the Protection of Children against Sexual Exploitation and Sexual Abuse (2007) requires each party to take necessary legislative or other measures to ensure effective investigation and prosecution of relevant offences. However, in India, there is no such instrument or law in place.
Data retention for a specific period is also the obligation of the ISPs. It should cover both: non-content data (i.e., IP address, date time, size, type, duration and source of communication, location data to help identify the subscriber) and content data (i.e., the text of emails, messages, contents of files such as image or video). Data preservation is the obligation to preserve stored data after a request by the law enforcement agency for a case under investigation. The legal framework must be in place so that the law enforcement agencies’ requirements are harmonised with the capabilities of the technology companies. Similarly, cross-sector coordination must also be encouraged.
In India, though a provision in the IT Act (section 67-C) exists but the type of information to be preserved and retained by intermediaries and its duration are yet to be notified by the Central Government.
Under ‘sanctions and sentencing’ parameters, the Indian law is largely satisfactory. The model law requires that there should be no criminal liability for children involved in CSAM and such should be clearly stated in national legislation. In India, there are two specific laws concerning children i.e., JJ Act, 2015 for delinquent children and the POCSO Act, 2012 for victim children. Though, the JJ Act does not decriminalise an offence committed by a child totally, it is a welfare oriented law. However, a specific provision can be incorporated to make the child immune from any criminal liability.
While there is a specific provision in the Indian law for repeat offenders, organised crime is not included as an aggravating factor. The POCSO Act does provide for enhanced and graded punishment depending upon the act of child abuse, the IT Act does not run parallel and is silent on the severity of online abuse.
Similarly, the model law requires property, proceeds or assets resulting from CSAM activities to be confiscated and used in support programs for exploited children, the Indian law is silent on this requirement.
Lastly, in order to effectively conduct investigation, law enforcement agencies regularly require access to computer data, but often discover that it has been deleted, making it difficult or sometimes impossible to find and prosecute the perpetrator. For reference, the objective of the EU’s Data Retention Directive (2006) was to harmonise the obligations of providers to retain non-content type of data as it was necessary for investigation of offences. More than 75 countries had data retention and preservation legislation in place by 2016. However, after the European Court of Justice declared the Data Retention Directive invalid in 2014 because of privacy concerns, the new General Data Protection Regulation (GDPR) which became effective in May 2018, addressed the issue squarely and made companies accountable for how they use and store the data. The data can be retained for ‘no longer than is necessary for the purposes for which the personal data are processed’. The appropriate time limits are to be specified by member states.
In India, the Personal Data Protection Bill, 2019 is yet to become law. However, the IT (Intermediaries Guidelines) Rules, 2011 mandate the intermediaries to preserve information and associated records for at least ninety days for investigation purposes when ISP is notified either through a court order or by the government or its agency. A separate policy on data retention and preservation is yet to materialise.
The internal research team of the ICMEC, after a status review of the existing legislation, has revealed that though the number of countries having legislation on child pornography have increased from 27 in 2006 to 118 (out of total surveyed 196) in 2018, more needs to be done to stop exploitation of children across the globe. In recent years, there has been an increase in the trade of illicit content including use of the dark net. Therefore, the global response to internet child pornography and safeguarding children from sexual abuse requires a collaborative strategy and standardisation of domestic legislation across the world. India must review its law on child pornography and address the gaps and make it comprehensive and harmonised with the international standards.
(The author is a senior IPS officer in Chhattisgarh. Views are personal)