Expanding Freedom and Democracy
Freedom on the Net 2023

India

Partly Free
50
100
A Obstacles to Access 13 25
B Limits on Content 20 35
C Violations of User Rights 17 40
Last Year's Score & Status
51 100 Partly Free
Scores are based on a scale of 0 (least free) to 100 (most free). See the research methodology and report acknowledgements.

header1 Overview

Internet freedom in India worsened during the coverage period, following marginal improvement the previous year, when efforts to bridge the country’s digital divides expanded access to the internet. The government continues to impose internet shutdowns and is considering legislation that would expand its legal authority for such restrictions. Legal challenges to laws enabling the government to censor online content—including against the controversial Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (IT Rules)—have seen limits imposed on some powers. However, the state continues to block online content at an increasing pace, and Indian internet users risk arrest for posts critical of the government. Misinformation and disinformation are frequently shared online, and journalists, nongovernmental organizations (NGOs), and members of marginalized groups remain at risk of being targeted by hate speech and harassment online.

India is a multiparty electoral democracy with frequent elections at the federal and state levels. The Indian constitution guarantees various fundamental rights including the freedom of speech and expression, freedom of religion, rights to form associations, and the right to privacy. The government led by Prime Minister Narendra Modi and the Bharatiya Janata Party (BJP) has presided over discriminatory policies and increased violence affecting the country’s Muslim population. Muslims, scheduled castes (Dalits), and scheduled tribes (Adivasis) remain economically and socially marginalized.

Indian Union Territory of Jammu and Kashmir is not covered in this report. Certain territories that are assessed separately in Freedom House's Freedom in the World report are excluded from the relevant country reports in Freedom on the Net, as conditions in such territories differ significantly from those in the rest of the country.

header2 Key Developments, June 1, 2022 - May 31, 2023

  • The government of Punjab restricted access to the internet across the state for four days in March 2023, while authorities in Manipur imposed a statewide shutdown in May 2023 that lasted for several months (see A3).
  • The government released the draft Indian Telecommunication Bill, 2022 and the draft Digital Personal Data Protection Bill, 2022 (DPDPB), which together would overhaul India’s existing legal architecture for internet regulation (see A4, B6, C4, and C6).
  • In September 2022, new rules requiring virtual private network (VPN) providers to store information about their users for five years came into effect, prompting a few providers to remove their servers from the country (see A5 and C4).
  • Government officials increasingly ordered content removed from social media platforms under the emergency provisions of the Intermediary Guidelines, including a British Broadcasting Corporation (BBC) documentary about communal violence during Modi’s tenure as chief minister of Gujarat (see B2 and B3).
  • Two laws amending the IT Rules permit the government to establish a state fact-checking unit and committees that hear appeals against decisions taken by social media platforms to remove content, raising further concerns about government limits on online expression (see B3).
  • Journalists, activists, and everyday internet users continued to be arrested and harassed online over real or perceived criticism of the ruling party (see C3 and C7).

A Obstacles to Access

A1 1.00-6.00 pts0-6 pts
Do infrastructural limitations restrict access to the internet or the speed and quality of internet connections? 3.003 6.006

While internet penetration among India’s population of nearly 1.4 billion is relatively low, access to the internet continues to rise. According to the Telecom Regulatory Authority of India (TRAI), internet penetration stood at 62.56 percent as of December 2022, representing 865.9 million internet subscribers—an increase from 60.46 percent in the previous year.1 By contrast, the digital analytics company DataReportal’s Digital 2023 analysis identified a national penetration rate of at least 48.7 percent as of February 2023.2 The Department of Telecommunications (DoT) has reported that 608,353 of the more than 644,000 villages in India have wireless broadband coverage.3

The yearly growth rate of internet subscription has declined in recent years, from 18.95 percent in 2019 to 4.29 percent in 2021.4 Some analysts attribute the slowing growth of mobile internet penetration to a decline in smartphone purchases, with industry figures indicating a 9 percent decrease in the smartphone market in 2022.5

India’s median connection speed as of April 2023 was 36.35 megabits per second (Mbps) for mobile internet and 51.12 Mbps for fixed broadband internet.6 Nearly 97 percent of subscribers accessed the internet through mobile devices as of December 2022, with only 32.38 million having wired internet connections, per TRAI data.7

Several public and private sector initiatives aim to improve internet access. The government has set up over 149,000 public Wi-Fi hotspots under the prime minister’s Wi-Fi Access Network Interface (PM–WANI) scheme as of August 2023.8 The finance minister announced in February 2022 that the government plans to launch fifth-generation (5G) mobile network spectrum by 2023, and aims to connect all villages in the country through optic fiber by 2025 to enable affordable broadband.9 As of May 2023, 200,000 5G sites have been rolled out across India.10

Launched in 2011, the government’s BharatNet project has aimed to provide broadband connectivity to all the 250,000 gram panchayats (units of local self-governance at the village level) in India,11 but has faced several delays and challenges (see A2).12 As of May 2023, the initiative connects over 192,000 gram panchayats.13 RailTel, a public sector undertaking under the Ministry of Railways, aims to provide free Wi-Fi internet facilities at railway stations across the country, with 6,100 stations connected as of March 2022.14

The National Internet Exchange India (NIXI), a nonprofit organization set up to facilitate peering between internet service providers (ISPs) and improve internet services, announced plans in March 2022 to establish 16 additional internet exchanges to improve internet access.15 In December 2021, seven new internet exchange nodes were inaugurated in the state of Uttar Pradesh.16 Reliance Jio announced a joint venture with SES, a Luxembourg-based satellite solutions provider, in February 2022, with the aim of providing affordable satellite-based communications services.17

A2 1.00-3.00 pts0-3 pts
Is access to the internet prohibitively expensive or beyond the reach of certain segments of the population for geographical, social, or other reasons? 2.002 3.003

While mobile data plans in India are quite cheap, digital divides remain across geography, language, economic class, and gender.1 According to a 2023 report from the UK–based company Cable, the average cost of one month of broadband services in India is $10.11.2 Access to cheap mobile data has served to bridge the digital gender divide by allowing more women to access the internet to participate in markets, join community discourse, and build networks.3 The Indian government maintains its stance on net neutrality by barring differential pricing for data services.4

TRAI reported 516.37 million internet subscribers in urban areas and 349.53 million rural subscribers as of December 2022, representing 106.2 percent internet penetration in urban areas and 38.9 percent internet penetration rate in rural. 5 Several initiatives aim to narrow the urban-rural divide,6 such as the PM–WANI (see A1).7 The government’s Digital India Programme, launched in 2014,8 plans to extend fiber-optic cables to more rural areas,9 establish internet-connected common service centers (CSCs),10 and provide residents with e-literacy programs.11

Despite delays in implementation and uneven progress made among states,12 the government-led BharatNet project has successfully connected almost 75 percent of gram panchayats as of April 2023.13 The comptroller and auditor general of India (CAG) reportedly found in July 2021 that the maintenance of cable and other infrastructure under the BharatNet project was inadequate in places, resulting in poor quality of service.14 CSCs initially provided free internet services under the project in 120,000 locations,15 and subsequently began charging users in March 2020 to reduce the project’s financial cost and extend the scope of the service.16 CSCs have trained 10,000 rural community members on the maintenance of the BharatNet telecom infrastructure as of January 2021, with 100,000 total planned, to enable public participation in digital governance.17 As of June 2022, the CSCs had halted maintenance after their contract with BharatNet ended over a dispute over payments.18 The deadline for completion of the BharatNet project has been extended to 2025.19 However, subsequent reports suggest that the project will not be able to meet the 2025 target..20

A significant gender divide persists, with women only making up about a third of Indian internet users.21 According to the 2019–21 National Family Health Survey, only 33 percent of adult women have access to the internet, as opposed to 57.1 percent of men in the country.22 The divide is particularly pronounced in rural areas, and rates of access also vary between states.23 However, the GSMA, a trade body that represents mobile network operators worldwide, noted that the percentage of women who were aware of mobile internet services rose from 19 percent in 2017 to 53 percent in 2021.24

With 22 official languages, language remains a barrier to access in India. As of February 2021, the .bharat domain was available in all 22 official languages.25 According to a December 2021 study by Meta, 91 percent of online interaction by women is conducted in English, indicating that access to social media is functionally limited to English-speaking women.26

A3 1.00-6.00 pts0-6 pts
Does the government exercise technical or legal control over internet infrastructure for the purposes of restricting connectivity? 2.002 6.006

India has been the global leader in the number of internet shutdowns imposed for the last five years,1 and local authorities have restricted connectivity since at least 2010.2 While the frequency, geographic distribution, and duration of internet shutdowns had previously been increasing, the number of internet shutdowns has reduced in recent years: the Software Freedom Law Center’s (SFLC’s) Internet Shutdown Tracker reported 132 internet shutdowns in 2020, 101 in 2021, and 77 in 2022, while Access Now reported 109 internet shutdowns in 2020, 106 in 2021, and 84 in 2022.3 Since the government does not track internet shutdowns across the country, they are monitored by civil society organizations using newspaper reports, right to information requests, and anecdotal evidence. Authorities typically justify shutdowns as cautionary measures to maintain law and order,4 quell potential violence or communal tensions,5 restrict protests,6 prevent the spread of disinformation, or stop cheating in school exams.7

Authorities restricted internet access across the state of Manipur in May 2023 as violence broke out between the Meitiei and Kuki communities. The Manipur government restored some fixed broadband connections subject to certain conditions in July 2023, after the coverage period, and access more broadly in September 2023.8 The shutdown impeded the documentation of and response to acts of violence, including sexual violence, perpetrated during the conflict.9

In March 2023, the government of the state of Punjab imposed a statewide shutdown affecting 27 million people as the police searched for Amritpal Singh, a Khalistan separatist movement leader. The shutdown was implemented for four days, and extended an additional two days in some parts of the state.10 In April 2023, internet services were suspended in the city of Jamshedpur, Jharkhand after communal violence broke out between two groups resulting in stone pelting and arson.11

Authorities in the state of Haryana suspended mobile internet services for two weeks in August 2023, after the coverage period, and again for two days in September. The shutdowns were imposed following the outbreak of violence after the Hindu nationalist Vishva Hindu Parishad (VHP) group organized a processional through a Muslim-majority neighborhood.12

In the Jammu and Kashmir region, which is excluded from this report’s scoring (see Overview), the state administration regularly orders restrictions on internet services.13 Between August 2019 and January 2020, the government of Jammu and Kashmir ordered the longest internet shutdown in India—a total of 213 days—in the wake of the central government’s abrogation of Article 370 of the Indian Constitution, which provides special status to the state.14

Most of India’s internet infrastructure is privately owned by service providers, and the government relies on legislative and statutory mechanisms to order shutdowns. Orders to restrict connectivity have been justified under Section 144 of the Code of Criminal Procedure, 1973 (CrPC), which permits state actions to maintain law and order.15 Though courts had previously upheld the use of this law to order shutdowns and had refused legal challenges on this basis, observations by the Supreme Court in 2020 have resulted in some experts suggesting that Section 144 should no longer be utilized to authorize shutdowns.16

Authorities in India also use Section 5(2) of the Telegraph Act, 1885 to order internet shutdowns. Section 5(2) provides government authorities with the power to stop the transmission of messages or classes of messages in the event of a public emergency or for public safety.17 The 2017 Temporary Suspension of Telecom Services (Public Emergency or Public Safety) Rules, under Section 7 of the Telegraph Act, 18 authorize only national- or state-level officials of a certain rank to order temporary suspensions in times of public emergency or threats to public safety,19 and mandate that each order must be justified and be forwarded to a review committee for assessment.20 However, several shutdown orders since 2017 were issued under Section 144 of the CrPC by officials not designated under the Telegraph Act rules,21 sparking concerns from civil society groups that procedural safeguards and checks were not followed.22 In November 2020, the government amended the rules to specify that a shutdown order could not be in effect for more than 15 days, but such orders could be renewed.23 Civil society criticized a lack of consultation and public participation in crafting the amendment, and condemned the provision allowing authorities to continually renew the order.24

The draft Indian Telecommunication Bill (see A4) would authorize the government to order internet shutdowns more directly than any previous Indian law. The bill fails to put in place any safeguards on the use of shutdowns.25 Separately, the Parliamentary Standing Committee on Information Technology recommended in February 2023 that the government create a database for internet shutdown orders and conduct a review of the legal regime governing such restrictions. 26

Courts have directly ruled on the legality of restrictions and in some cases ordered restored services.27 In March 2022, during the previous coverage period, the Calcutta High Court stayed an internet shutdown order issued by the state of West Bengal to prevent cheating in school exams—only the second time an Indian court stayed such an order, according to the Internet Freedom Foundation (IFF).28

In response to the months-long shutdown in Jammu and Kashmir,29 the Supreme Court ruled in January 2021 that orders for connectivity restrictions must be publicly available and should be well reasoned, proportionate, temporary, and present the least-restrictive alternative.30 However, compliance with the ruling remains unclear.31 In February 2022, the government stated in response to a query by a member of Parliament that records of internet shutdowns ordered by state governments are not maintained.32 In September 2023, after the coverage period, the Jharkhand High Court ordered the state to publish all past internet shutdown orders.33

The government has ordered the blocking of almost 400 mobile apps since 2020,34 primarily those owned by companies based in China, citing concerns related to national security, public order, and Indian sovereignty.35 The government banned 232 apps, some of them owned by companies based in China, in February 2023 for money laundering and improper cross-border data transfers.36 In May 2023, the Union government directed service providers to block 14 applications—including messaging apps Threema, Firefly, and Briar and file transfer software Mediafire—in the state of Jammu and Kashmir, which is excluded from this report’s scoring, alleging that terrorist groups used them to communicate in the region.37

A4 1.00-6.00 pts0-6 pts
Are there legal, regulatory, or economic obstacles that restrict the diversity of service providers? 4.004 6.006

Internet users have a range of choices for mobile and internet connections. While fees to enter the market have served as an economic barrier for some providers, there are no significant obstacles to entry for service providers.

As of December 2022, there were 921 operational ISPs in India.1 The largest service provider, Reliance Jio, had an almost 51 percent share of the market as of December 2022; the top three ISPs—Reliance Jio, Bharti Airtel, and Vodafone—together control nearly 95 percent of the market. Reliance Jio also controls the majority of the wireless market, with 37.14 percent of the market share, followed by Bharti Airtel at 32.16 percent and Vodafone at 21.11 percent. In April 2020, Facebook invested in a 9.9 percent stake in Reliance Jio,2 and the Competition Commission of India (CCI) approved Google’s purchase of a 7.7 percent stake in Jio Platforms, which owns Reliance Jio, in November 2020.3 In January 2022, Google announced an investment of up to $1 billion in Bharti Airtel, comprising an equity investment of $700 million for a 1.28 percent stake in the company and up to $300 million towards potential multiyear commercial agreements.4

A 2014 universal license framework5 reduced legal and regulatory obstacles by combining mobile phone and ISP licenses. Licensees pay a high one-time entry fee, a performance bank guarantee,6 and annual license fees adjusted for revenue.7 The draft Indian Telecommunication Bill, released in September 2022, would establish an “exclusive privilege” for the Indian government to provide telecommunication services in India. The bill defined “telecommunication services” to include fixed-line and mobile internet, as well as email, over-the-top (OTT) communication, broadcasting, and a range of other communications and media services. In order to obtain and retain licenses for telecommunications service provision, companies would be required to comply with the bill’s onerous obligations for internet suspension, communications interception, and user identification (see A3, C4, and C5).8 In August 2023, after the coverage period, the cabinet approved a version of the bill that reportedly relaxed the regulation of OTT services, among other changes.9

In October 2019, a Supreme Court decision clarified that the percentage of revenues that license holders must pay the government is calculated on the basis of the entire revenue of the license holder, and not just revenue from telecom services.10 In September 2020, the court passed an order giving telecom companies 10 years to pay their dues.11 Both Vodafone Idea and Bharti Airtel are expected to pay millions in overdue fees, raising concerns over their financial stability and the impact on the telecom market.12 As of the end of the coverage period, Vodafone Idea and Bharti Airtel’s challenge before the appellate tribunal for telecommunications disputes, in separate cases, remained pending.13

Roughly 15 submarine cables connect India to the global internet,14 most of which are consortium-owned.15 There are at least 15 landing stations where the cables meet the mainland, spread across five cities,16 with eight more landing stations expected to be ready by 2025.17 Currently, Tata Communications owns five cable landing stations, Reliance Jio owns two, and Bharti Airtel owns three.18 The state-run telecom operator Bharat Sanchar Nigam Limited (BSNL) owns three landing stations, and Vodafone, Sify, and Global Cloud Exchange own one each.19

A5 1.00-4.00 pts0-4 pts
Do national regulatory bodies that oversee service providers and digital technology fail to operate in a free, fair, and independent manner? 2.002 4.004

The Ministry of Electronics and Information Technology (MeitY) formulates policy relating to information technology, electronics, and the internet.1 The DoT, under the Ministry of Communications, manages the overall development of the telecommunications sector, licenses internet and mobile service providers, and manages spectrum allocation.2

The TRAI regulates the telecommunications, broadcast, and cable television sectors.3 The TRAI Act mandates transparency in the exercise of its operations, which includes monitoring licensing terms, compliance, and service quality.4 Its reports are published online, usually preceded by a multistakeholder consultation.5 A 2000 amendment to the TRAI Act established a three-member Telecommunications Dispute Settlement and Appellate Tribunal.6

There have been some reservations about TRAI’s independence.7 The central government makes appointment and salary decisions for its members.8 Amendments to the TRAI Act enacted in 2014 allow former government officials to join the regulator two years after resigning from office, or earlier with government permission.9 Amendments to the TRAI Act under the draft India Telecommunications Bill, 2022 would limit the agency’s consultation and oversight authorities.10

TRAI opinions, however, are generally perceived as free of undue influence, and the regulator engages in public consultations.11 For example, TRAI sought stakeholder comments in December 2021 on creating a licensing framework to establish satellite gateways, which would help increase access to broadband services in India.12

MeitY has engaged in public consultations around proposed policy and legislative initiatives, including around the various draft data-protection bills (see C6).13 In April 2022, the Indian Computer Emergency Response Team (CERT–In) issued new cybersecurity directions, which were released by MeitY without public consultations.14 In response to criticism,15 MeitY invited industry and legal experts and other stakeholders for a closed-door consultation in June 2022.16 Earlier, in May 2022, MeitY invited comments on its draft National Data Governance Framework.17

MeitY’s Grievance Appellate Committees (GACs) became operational in March 2023, and will allow users to appeal decisions taken by social media platforms on content moderation (see B3). Three GACs established in January 2023 are comprised primarily of former military officials, police, and civil servants,18 raising concerns about the committees’ independence.

B Limits on Content

B1 1.00-6.00 pts0-6 pts
Does the state block or filter, or compel service providers to block or filter, internet content, particularly material that is protected by international human rights standards? 3.003 6.006

Political and social information is regularly blocked by court or government orders in India. Although these orders are not always publicly released, government data show an increasing number of requests.

In February 2023, the minister of electronics and information technology stated in Parliament that 6,775 accounts, websites, and URLs had been restricted on government orders in 2022 under Rule 8(6) and Rule 9(2) of the Information Technology (Procedure and Safeguards for Blocking for Access of Information for Public) Rules, 2009.1 Previously, the government stated that it had banned a cumulative 22,379 websites between 2018 and 2021, including 6,096 websites in 2021. Content was blocked for allegedly seeking to stoke anti-India sentiment, or to damage public order, the security of the state, and the interest and defense of India’s sovereignty and integrity.2 For example, in August 2023, after the coverage period, Indian authorities blocked access to the Jammu and Kashmir–based outlet Kashmir Walla.3

Authorities sometimes restrict access to social media platforms. In June 2022, authorities in Bihar restricted access to social media platforms, including Facebook and WhatsApp, amid widespread protests over changes to military recruitment policy.4

Several reports have clarified the technology used to block websites in India. The SFLC reported in January 2023 that techniques used by ISPs to implement website blocking include domain name system (DNS) tampering, HTTP blocking, transmission control protocol/internet protocol (TCP/IP blocking), transport layer security–server name indication (TLS–SNI) blocking, and QUIC network blocking.5 The Open Observatory of Network Interference (OONI) and the Centre for Internet and Society previously reported that Airtel and Jio use server name indication (SNI)–based filtering to restrict access to websites on government orders.6 In April 2018, Canadian internet watchdog Citizen Lab found that India was using internet-filtering technology from the Canada-based company Netsweeper.7

Service providers appear to restrict different sets of websites. For instance, security researchers identified over 5,000 websites blocked on Atria Convergence Technology’s fixed-broadband services and over 2,000 websites blocked on Bharti Airtel’s networks, per a December 2021 report.8

B2 1.00-4.00 pts0-4 pts
Do state or nonstate actors employ legal, administrative, or other means to force publishers, content hosts, or digital platforms to delete content, particularly material that is protected by international human rights standards? 1.001 4.004

Score Change: The score declined from 2 to 1 because the Indian government has increasingly used emergency powers to order the removal of online content.

Government actors regularly order social media and other online platforms to remove content, including material protected under international human rights standards. The IT Rules, 2021 provide a regulatory framework for online publishers of news and current affairs and curated audiovisual content (see B3). They also give the state emergency powers to block content without a hearing, which have been invoked by the authorities at times.1

As of December 2022, the Ministry of Information and Broadcasting had issued orders under the emergency blocking powers of the IT Rules to block 104 YouTube channels, 45 videos, and 25 social media accounts, posts, apps, and websites of digital news publishers.2 In January 2023, the government used emergency blocking powers to order YouTube and Twitter to withhold posts in India sharing India: The Modi Question, a BBC documentary on the 2002 communal violence in Gujarat, during which Modi was chief minister of the state.3

Content restricted under Section 69A of the IT Act increased in 2022, with 6,775 blocked websites and accounts disclosed that year, compared to a 6,096 in 2021, according to MeitY disclosures; the disclosures likely represent both website blocks and takedowns from content hosts (see B1).4

Analysis from news site Rest of World found that—according to Twitter’s public disclosures in the Lumen database—Twitter complied in full or in part with all 44 removal orders filed by the Indian government from the time that the platform was acquired by Elon Musk in late October 2022 to late April 2023..5 For example, in March 2023, the government ordered Twitter to restrict over 120 accounts in India, many of which belonged to journalists, politicians, and activists who had criticized the government’s internet shutdown in Punjab or its broader effort to arrest Amritpal Singh (see A3).6

In September 2022, the government ordered Twitter, Facebook, Instagram, and other social media companies to permanently block accounts associated with the newly outlawed Popular Front of India (PFI) group and its satellite organizations. These actions were taken under the Unlawful Activities Prevention Act (UAPA), ostensibly to prevent these organizations from propagating their activities.7

In July 2022, Twitter removed a post from filmmaker Leena Manimekalai that contained an image depicting the Indian goddess Kali smoking and holding a rainbow flag in response to a legal demand.8 In June 2022, Twitter withheld posts and accounts in India following government orders issued throughout 2021. According to Twitter disclosures, the orders related to content from Indian National Congress and Aam Aadmi Party (AAP) politicians, journalists including Rana Ayyub, and activists linked to the farmers’ protests, as well as posts from Freedom House.9 Twitter filed a lawsuit over the orders the following month (see B3).

A 2008 IT Act amendment protected technology companies from legal liability for content posted to their platforms, with reasonable exceptions to prevent criminal acts or privacy violations.10 The IT Rules issued in 2021 require intermediaries to remove access to certain content within 36 hours of a government or legal order under Section 79 of the IT Act (see B3).11 In the 2015 Shreya Singhal v. Union of India ruling, the Supreme Court had reduced the scope of the 2011 intermediary guidelines, and companies were only to act on court and government takedown orders and not on user complaints. The court also clarified that unlawful content beyond the scope of Article 19(2) of the Indian Constitution—which sets forth certain restrictions on the right to the freedom of speech and expression—cannot be restricted.12 Moreover, the IT Rules, 2021 require large social media companies to proactively identify and remove offending categories of content, including rape and child sexual abuse imagery, among others.13

Intermediaries can separately be held liable for infringing the Copyright Act, 1957,14 under the law and licensing agreements.15 A 2012 amendment limited the liability for intermediaries that link users to material copied illegally, but mandated that they disable public access for 21 days within 36 hours of receiving written notice from the copyright holder, pending a court order to remove the link. Intermediaries can assess the legitimacy of the notice from the copyright holder and refuse to comply.16

B3 1.00-4.00 pts0-4 pts
Do restrictions on the internet and digital content lack transparency, proportionality to the stated aims, or an independent appeals process? 2.002 4.004

In February 2021, the MeitY enacted the IT Rules 2021 (see B2, B6, C4, and C6).1 Significant social media intermediaries—defined as companies whose platforms host at least five million users—have 36 hours from being notified to remove content that is unlawful, including that which undermines state sovereignty, friendly relationships with other states, security, public order, decency, or morality.2 Content that shows nudity or is a depiction of a sexual act must be removed within 24 hours of receiving a complaint.3 Significant social media intermediaries are also required to deploy automated moderation tools to proactively identify and remove offending categories of content, particularly child sexual abuse imagery.4 When content is removed pursuant to terms of use, the companies must notify users, provide clear reasons for the decision, and offer an avenue for appeal.5

Significant social media intermediaries must appoint certain India-based officers. A nodal person of contact is required to coordinate with law enforcement, while a chief compliance officer must comply with takedown orders from a court, government agency, or any other competent authority within 36 hours, and can face potential criminal prosecution under provisions of the IT Act and the Indian Penal Code.6

Separately, social media intermediaries, regardless of their size, must create grievance redressal mechanisms under the Intermediary Rules 2021. A grievance officer must acknowledge complaints about content from any user within 24 hours and resolve them within 15 days.7 The officer is also responsible for orders issued by competent authorities, courts, or other government agencies. The law also empowers authorities to issue emergency blocking orders, but does not specify time limits for the operation of blocking orders or provide affected parties the right to a hearing.8

Additionally, the rules subject digital news media and OTT platforms to a regulation system and a code of ethics.9 The code instructs content creators to consider whether content affects India’s sovereignty, jeopardizes security, or affects friendly relations with foreign countries.10 OTT platforms are cautioned to consider India’s multireligious and multiracial society and be mindful of content that relates to religion and race.11 A self-regulation body and interdepartmental committee are granted enforcement powers, including recommending that the government block content under the IT Act.

The government passed several amendments to the IT Rules, 2021 during the coverage period. Amendments passed in October 2022 established rules for Grievance Appellate Committees (GAC), a government body which will hear appeals against decisions taken by social media platforms to remove content. The GACs became functional on March 1, 2023.12 Further, they have placed an additional burden on social media platforms to make “reasonable efforts” to ensure users comply with the IT Rules as well. Amendments passed in April 2023 require intermediaries to remove information identified as “fake or false” by a government “fact-checking” unit. The April 2023 amendments also expand the scope of the IT Rules to cover online gaming platforms.13 Satirist Kumal Kamra challenged the fact-checking provision of the April 2023 amendments before the Bombay High Court on free expression grounds.14 In response to the lawsuit, MeitY stated that the provisions would only apply to information about government policies and programs.15

Civil society groups, industry experts, and tech companies have broadly criticized the rules for the increased powers they grant the government and their potential to adversely affect free expression, privacy, and access to information.16 Ambiguity around the rules’ definitions and implementation, such as uncertainty as to which entities are considered digital news platforms, has further fueled concern.17 Over 15 legal challenges have been lodged against the rules, questioning their constitutionality (see C4).18 The Bombay and Madras high courts stayed clauses relating to the operation of the code of ethics and the grievance redressal mechanisms in August and September 2021, respectively.19 The impact of these orders on the rules’ information-sharing provisions, which require digital news media publishers to furnish information about themselves to the Ministry of Information and Broadcasting (MIB), is not immediately clear (see B6).20 In May 2022, the Supreme Court stayed further proceedings before the high courts in order to consolidate the challenges.21

Blocking of websites takes place under Section 69A of the IT Act and the 2009 Blocking Rules,22 which empower the central government to direct any agency or intermediary to block access to information when satisfied that it is “necessary or expedient” in the interest of the “sovereignty and integrity of India, defense of India, security of the state, friendly relations with foreign states or public order, or for preventing incitement to the commission of any cognizable offence relating to above.”23 Intermediaries’ failure to comply is punishable with fines and prison terms of up to seven years.24

The Blocking Rules apply to orders issued by government agencies, who must appoint a nodal officer to send in requests and demonstrate that they are necessary or expedient under Section 69A.25 The rules provide an extensive review procedure for blocking requests, including a notice provision to impacted parties and an opportunity for appeal,26 but provide exceptions for emergencies.27

The constitutionality of Section 69A and the Blocking Rules of the IT Act was challenged in the landmark 2015 Shreya Singhal case.28 The Supreme Court upheld the constitutionality of both, but read the Blocking Rules29 to include both the right to be heard and the right to appeal. Blocking orders must provide a written explanation and allow for reasonable efforts to contact the originator of the content for a hearing.30 However, the rules continue to require that the orders and actions based on them be kept "strictly confidential”;31 hence, there is no information on the extent of compliance with the judgment.

A lawsuit over MeitY’s September 2018 blocking of DowryCalculator.com, a website using satire to criticize the practice of dowry,32 remained ongoing during the coverage period.33 In consideration of the lawsuit challenging the blocking order, in May 2022 the Delhi High Court directed the government to provide the owner of DowryCalculator.com with a copy of the original blocking order and the opportunity for a hearing.34 The Internet Freedom Foundation (IFF) noted that this was the first time that MeitY has been required to provide its blocking order to a petitioner, and is one of the rare instances in which a hearing has been provided in a blocking case.35

In July 2022, Twitter filed a lawsuit in the Karnataka High Court challenging removal orders issued throughout 2021 (see B2). The lawsuit contends the orders rested on an overly broad interpretation of the IT Act.36 The court dismissed the lawsuit in June 2023, after the coverage period, and criticized the company’s delay in complying with the removal orders.37

Indian courts can also order content takedowns.38 Since 2011, courts have blocked content relating to copyright violations through broad John Doe orders, which can be issued preemptively and do not name a defendant.39 ISPs have occasionally implemented such orders by blocking entire websites instead of individual URLs, regardless of whether the websites were hosting pirated material.40 The judiciary has noted that John Doe orders can lead to excessive blocking,41 and civil society has called for greater transparency.42

The IT Act and the Indian Penal Code, 1860 (IPC) prohibit the production and transmission of “obscene material,”43 but there is no specific law against viewing pornography in India. The Delhi High Court in April 2021 heard a matter where an individual’s photos were taken from private social media accounts and uploaded onto pornographic websites without her consent. It outlined a template for how directions should be issued in similar cases, suggesting that websites or online platforms be obliged to immediately remove the content upon receipt of a court order. It further suggested that search engines should de-index and de-reference such content, and proactively monitor for and disable access to identical content, among other recommendations.44

There is no legally established right to be forgotten in India, despite several attempts in recent years to codify this principle.45 The draft Data Protection Bill 2021, which was tabled in December 2021 and withdrawn in August 2022, included a provision establishing the right to be forgotten (see C6).46

Social media platforms’ removal of content has lacked transparency and consistency. For example, the Wall Street Journal reported in August 2020 that a Facebook executive in India opposed applying the platform’s content-moderation rules to at least one member of the ruling party and several other individuals and groups, due to the platform’s business interests.47 Facebook denied claims of bias and stated that the application of their policies was open, transparent, and nonpartisan.48

B4 1.00-4.00 pts0-4 pts
Do online journalists, commentators, and ordinary users practice self-censorship? 3.003 4.004

Threats of criminal charges and increased online harassment (see C3 and C7) have reportedly contributed to more self-censorship among both individuals and news outlets, as has the growing influence of the BJP and its recent popular electoral mandates.1 Civil society groups have expressed concern that the Intermediary Rules 2021 may also lead to self-censorship by digital media and OTT platforms.2 Content creators are reportedly wary of increased scrutiny by the government and other stakeholders, particularly in relation to more sensitive topics such as politics and religion.3

Journalists and commentators have reported self-censoring in response to increased government pressure on the media. For example, after authorities ordered social media platforms to remove the BBC documentary India: The Modi Question (see B2), some commentators stated that they avoided reporting on the removal.4 Media organizations and journalists also face tax investigations,5 arrests, and online harassment relating to their work (see C3 and C7). Programs like the Cyber Crime Volunteer Program, which invites ordinary people to report on their peers by flagging “unlawful content” but does not define the term, may also chill online expression.6

Self-censorship, particularly on the topics of Jammu and Kashmir and COVID-19, has reportedly been common in recent years.7 In March 2020, Caravan magazine reported that the central government had repeatedly signaled to the media to refrain from publishing criticism of the government’s response to the pandemic.8

However, many independent online outlets, individual journalists, and ordinary users, including those from marginalized communities, continue to report on and speak publicly about controversial or political topics.9

B5 1.00-4.00 pts0-4 pts
Are online sources of information controlled or manipulated by the government or other powerful actors to advance a particular political interest? 2.002 4.004

Manipulated content and disinformation spread by domestic actors, including political parties and leaders, continues to permeate the online environment in India. Analysts have raised concerns about the potential increase of content manipulation efforts ahead of the 2024 national elections.1

Disinformation linked to prominent political matters spread throughout the coverage period. For example, BJP leaders and supporters amplified false and misleading information about migrant laborers from the north Indian Hindu majority state of Bihar being harmed in the south Indian state of Karnataka.2 BJP officials and BJP–linked accounts disseminated misleading information and manipulated media about opposition leader Rahul Gandhi throughout the coverage period; Gandhi’s Bharat Jodo Yatra, a march across the country coordinated by his Congress party in late 2022 and early 2023, was one target of such misinformation.3

In August 2022, Twitter suspended a network of accounts, many of which claimed to be Kashmiri, that spread pro-Indian military and anti-Pakistan narratives, sometimes aimed at Indian politicians.4 In September 2023, after the coverage period, former Twitter head of trust and safety Yoel Roth disclosed that Twitter had linked the network to the Indian military.5

Reports from the Oxford Internet Institute (OII) connected manipulated content online to the country’s political parties, noting that major political parties manipulate information on Facebook, Twitter, and WhatsApp to amplify their messaging, attack the opposition, and create division.6 Both paid commentators and volunteers disseminate disinformation across social media and respond to political developments in real time.7

In February 2021, Newslaundry published a report detailing how the “Hindu Ecosystem” group, created by a member of the BJP, spread content supporting them on social media.8 The report discusses how a network of over 20,000 participants is given content to spread on Twitter at pre-decided times in order to artificially cause certain hashtags to trend. For example, one group administrator reportedly requested that members post against the Tandav television show on Twitter using the hashtag #BanTandavNow, which later trended.9

The Facebook Papers, a collection of leaked internal documents from Facebook released in October 2021,10 revealed that Facebook employees had found that bots and fake accounts tied to the ruling party and opposition figures had potentially affected elections in India, had found that anti-Muslim hate was on the rise, and that misinformation was exacerbated by measures aimed at increasing meaningful interaction on the platform.11 A March 2022 Al Jazeera report found that Jio Platforms exploited a loophole in electoral regulations to promote surrogate advertisements for the ruling party on Facebook during the 2019 Lok Sabha elections, and that the party had benefited from how content was promoted via the platform’s algorithmic recommendation systems.12

B6 1.00-3.00 pts0-3 pts
Are there economic or regulatory constraints that negatively affect users’ ability to publish content online? 2.002 3.003

Online news outlets, blogs, and other publishing platforms were previously not required to register, obtain licenses, or provide information to the state to publish content. However, the Intermediary Rules 2021 imposed new obligations on digital news publishers and OTT platforms to furnish details about their entities to the MIB and provide a monthly report of grievances they have received, along with information about any actions they took in response.1 The draft Indian Telecommunication Bill, 2022 establishes an expansive licensing regime over a broad range of online services, including internet-based communication services and OTT communication services. The requirements under the bill present onerous obligations that may impede their operations (see A4 and C4).2

The MIB issued a notification in May 2021 requiring digital news organizations and OTT platforms to furnish the specified information,3 and later disclosed that over 2,100 such platforms had done so as of January 2022.4 The IFF said it was unclear if the provisions under which the MIB issued the relevant notifications are operational, since high courts have stayed provisions of the IT Rules that affect digital media organizations and OTT platforms (see B3).5

The 2019 amendments to the Foreign Direct Investment Policy (FDI Policy) imposed a 26 percent cap for foreign investment in digital media companies, broadly defined as companies that upload or stream news and current affairs through digital media.6 Digital media platforms were given until October 2021 to comply with the cap.7 During the previous coverage period, Yahoo, which is now owned by US–based Apollo Global Management, announced that it would discontinue its news websites in India, including Yahoo News, due to the FDI Policy’s restrictions on foreign investment in digital media companies.8 The government mandated in 2020 that digital media companies must receive preapproval for foreign investment from certain neighboring countries, including China, and introduced regulatory approvals necessary for the transfer of shares of Indian digital media companies.9

The Foreign Contribution Regulation Act (FCRA) regulates foreign funding of domestic NGOs. Since 2014, FCRA regulations have been tightened several times, making it increasingly difficult for civil society organizations in India to receive funding. The FCRA licenses of about 19,000 NGOs have been canceled, according to a report by the International Commission of Jurists, silencing “critical voices” and impeding their ability to conduct their activities online.10

The Net Neutrality Rules, adopted in July 2018 by the Indian government, are considered among the world’s strongest.11 With only some exceptions, the rules prevent internet providers from interfering with content, including through blocking, throttling, and zero-rating.12 In September 2020, TRAI recommended that the DoT establish a multistakeholder body to monitor ISPs’ compliance with the rules.13 As of March 2023, the recommendations had not yet been implemented.

The government released updates to the Central Media Accreditation Guidelines in February 2022, which outline accreditation terms for journalists and for eligible news sites. The guidelines have a new clause on the withdrawal of journalists’ accreditation if they act in a manner prejudicial to the country’s security, sovereignty, and integrity; friendly relations with foreign states; or public order; or are charged with a serious offense.14 Press freedom and internet freedom groups raised concerns that the guidelines could be abused to censor journalists critical of the government.15

B7 1.00-4.00 pts0-4 pts
Does the online information landscape lack diversity and reliability? 3.003 4.004

Online media content in India is diverse and debate is lively. While digital divides persist, users can increasingly access local-language content (see A2).1 At least one estimate claimed that 70 percent of Indian users could access online news in their local language at the end of 2020.2

Online spaces for the LGBT+ community are growing,3 and there is some representation of LGBT+ people in mainstream digital advertisements, television, and media.4 Nevertheless, civil society groups noted that LGBT+ people and experiences are still not proportionately covered online, particularly during the pandemic.5

Use of virtual private networks (VPNs) is increasing, enabling people to evade government censorship and access more diverse internet content.6 Directions issued by the Indian Computer Emergency Response Team (CERT–In) in April 2022 required VPN providers to store user data, leading to some providers withdrawing servers from or restricting services in India (see C4). In 2021, the Parliamentary Standing Committee on Home Affairs recommended that the government ban the use of VPNs on the grounds that it allows criminals to remain anonymous online (see B1 and C4).7 However, this proposal has been criticized for having the potential to violate privacy rights, security, net neutrality, and internet access, as well as for being unlikely to deter criminal activity online.8

Misinformation about the conflict in Manipur circulated widely during the crisis (see A3).9 False information and doctored videos have led to offline violence.10 According to one tally, at least 31 people were reportedly killed between 2014 and 2018 in connection to rumors spread on WhatsApp, often about child kidnappings.11

Increasing media polarization, which also undermines access to reliable information online, has been on the rise in the last decade. Reporting critical of the Union government and its affiliates is often met with harsh pushback, creating a chilling effect on critical coverage.12 News outlets and commentators that criticize the government face the risk of politicized government intervention, such as tax raids. In November 2022, NDTV, one of India’s last independent news media organizations, was bought by Gautam Adani, a long-standing ally of Prime Minister Modi, raising concerns over the organization’s continued independence and the status of press freedom in India generally.13

B8 1.00-6.00 pts0-6 pts
Do conditions impede users’ ability to mobilize, form communities, and campaign, particularly on political and social issues? 4.004 6.006

Digital activism has driven important social debates and at times has helped usher in policy changes. However, local authorities have continued to impose internet shutdowns amid protests.

In March 2023, authorities in Punjab suspended internet services throughout the state, in part to prevent the mobilization of Amritpal Singh’s supporters (see A3).1 In June 2022, authorities in Bihar restricted access to social media platforms, including Facebook and WhatsApp, amid widespread protests over changes to military recruitment policy.2

People use social media to lead campaigns. For example, in July 2023, after the coverage period, environmental activists mobilized online and in person across the country to protest a proposed law that would roll back conservation protections for forests.3

C Violations of User Rights

C1 1.00-6.00 pts0-6 pts
Do the constitution or other laws fail to protect rights such as freedom of expression, access to information, and press freedom, including on the internet, and are they enforced by a judiciary that lacks independence? 4.004 6.006

The Constitution of India grants citizens the fundamental right to freedom of speech and expression,1 including the right to gather information and exchange thoughts within and outside India.2 The right to access information is also recognized as an inalienable component of free expression rights,3 and press freedom has been read into the freedom of speech and expression clauses.4 These freedoms can be restricted by law (but not by executive action) in the interests of state security, friendly relations with foreign states, public order, decency and morality, and the sovereignty and integrity of India, as well as in instances related to contempt of court, defamation, and incitement.5

The Digital Personal Data Protection Bill, 2022 (DPDPB) (see C6), which was released in November 2022, would amend the Right to Information Act, 2005 to exempt a greater degree of information about public officials from the transparency law.6 The proposal has been widely criticized by civil society and the opposition for limiting government accountability efforts.7

The judiciary is independent. Although commentators have argued that the courts show signs of politicization,8 judgments continue to protect free expression and other constitutional rights in most cases. A 2015 Supreme Court ruling struck down a broad provision of Section 66A of the IT Act that criminalized information causing "annoyance,” “inconvenience,” or “danger,” among other ill-defined categories. Nevertheless, cases continue to be registered under this provision, and the Supreme Court has issued notice requiring high courts to report all cases filed under Section 66A (see C2). Additionally, the court in the Shreya Singhal judgment9 affirmed that free speech online is equal to free speech offline (see B3).10

Courts have also addressed the right to internet access. In September 2019, a single-judge bench of the Kerala High Court found that freedom of expression includes access to the internet and internet infrastructure.11 The Supreme Court’s January 2020 Anuradha Bhasin judgment placed limits on restrictions to internet access (see A3),12 although compliance with the decision has been an issue.13

However, there have also been instances where the courts have failed to adequately protect citizen rights. In December 2022, the Supreme Court declined to hear an appeal regarding the use of a journalist’s phone contents for the purposes of a law enforcement investigation, hampering the journalist’s ability to protect her work and sources.14

C2 1.00-4.00 pts0-4 pts
Are there laws that assign criminal penalties or civil liability for online activities, particularly those that are protected under international human rights standards? 2.002 4.004

The Indian Penal Code (IPC) criminalizes several kinds of speech. Individuals can be sentenced to between two and seven years in prison for speech that is found to be seditious,1 obscene,2 or defamatory;3 to promote “enmity between different groups on ground of religion, race, place of birth, residence, language”;4 is deemed “prejudicial to maintenance of harmony”;5 or consists of statements, rumors, or reports that may cause fear or alarm, disturb public tranquility, or promote enmity or ill will.6 A 2016 Supreme Court judgment ruled that laws criminalizing defamation (Sections 499 and 500 of the IPC and Section 119 of the CrPC) are constitutional.7

The Official Secrets Act criminalizes communication of information that may have an adverse effect on the sovereignty and integrity of India.8 The National Security Act allows the police to detain an accused person for up to one year without charge, and has been invoked in relation to speech online.9

Section 67 of the IT Act bans the publication or transmission of obscene or sexually explicit content in electronic form, and Section 66D punishes the use of computer resources to impersonate someone else to commit fraud. While the Supreme Court in 2015 struck down Section 66A (see C1) for being vague and overbroad, similar complaints continue to be registered under the provision, as well as under Sections 67 and 66D and the IPC (see C3).10 In August 2021, the Supreme Court issued a notice to all high courts to report cases filed under Section 66A, in a case pertaining to the continued use of the provision by law enforcement agencies and the lower judiciary, stating “this cannot continue.”11 In October 2022, the Supreme Court issued fresh directions ordering states to stop prosecuting people on the basis of Section 66A and held that all ongoing 66A cases should stand deleted.12

In August 2023, after the coverage period, the government announced a slate of criminal procedure reforms, including the repeal of Section 124A of the IPC, which relates to sedition. However, the reforms would introduce a new provision that would criminalize conduct that “endangers [the] sovereignty or unity and integrity of India,” among other broadly defined terms, with a punishment of imprisonment for life or with imprisonment of up to seven years. Legal experts described the new provision as a more extreme form of Section 124A.13 In May 2022, the Supreme Court ordered that Section 124A be temporarily suspended until the Union government reconsiders the colonial-era law. The stay came as a relief to many journalists who had been targeted through the provision.14

C3 1.00-6.00 pts0-6 pts
Are individuals penalized for online activities, particularly those that are protected under international human rights standards? 2.002 6.006

People risk being arrested and detained for political, social, and religious speech or other forms of online content authorities deem objectionable or derogatory, especially during major political events.

Journalists were arrested for their online posts during the coverage period.1 In March 2023, journalist Jaspal Singh was arrested in Haryana after the son of a local BJP legislator, Lakshman Napa, filed a complaint against Singh for allegedly defaming Napa on WhatsApp and Facebook.2

In June 2022, Delhi police arrested Mohammed Zubair, cofounder of fact-checking website Alt News, after a Twitter user lodged a complaint over a 2018 post. Police filed charges alleging that the tweet, which purportedly showed an image of a hotel board referencing a Hindu god, promoted enmity between different groups and outraged religious feelings under the penal code.3 In July 2022, the Supreme Court ordered Zubair to be released on bail.4

In October 2020, Siddique Kappan, a journalist for the news website Azhimukham, was reportedly arrested and initially remanded for 14 days on charges of sedition and violating the UAPA while he was on his way to cover a murder and sexual assault.5 In September 2022, the Supreme Court ordered Kappan released on bail, subject to stringent conditions, and affirmed the right to freedom of expression. However, Kappan remained in custody on charges of money laundering registered against him by the Directorate of Enforcement.6 He was ultimately released on bail in February 2023.7

Activists and human rights defenders also face arrest for their online activities. Right to information activist Pradeep Bhalekar was arrested by the Mumbai Police in August 2022 and again in October for posting allegedly defamatory content about Maharashtra officials and BJP leaders.8 Bhalekar has alleged that his family has been harassed and that he is being targeted for criticizing the state government.9 In October 2022, Sunil Bajilakeri, a Mangaluru-based activist and BJP critic, was arrested by the Karnataka Police after he posted an image of a leopard superimposed on the face of a pregnant woman dressed in traditional Indian clothes to mock the government’s project to reintroduce cheetahs to India. Bajilakeri was arrested after a woman complained that this was an insult to pregnant women and Indian culture; he was later released on bail.10

In December 2022, Saket Gokhale, national spokesperson for the Trinamool Congress party, was arrested by Gujarat police after a complaint was made regarding a tweet he had posted about the prime minister’s visit to the site of the Morbi bridge collapse. The complaint alleges that Gokhale’s post contained false information about the cost of the visit.11 Gokhale was released on bail two days later, but shortly thereafter was rearrested on new charges related to the post; he was arrested a third time later that month on charges relating to misuse of crowdfunded money.12

People are penalized for publishing or sharing content concerning politicians and religious groups in India. For example, in June 2022, a man in Uttar Pradesh was arrested over posting purportedly objectionable comments against Uttar Pradesh chief minister Yogi Adityanath as his status on WhatsApp.13 The following month, another man in Uttar Pradesh was arrested for posting objectionable comments against Prime Minister Modi on social media.14 In November 2022, Tamil Nadu police arrested Kishore K Swamy, a pro-BJP social media commentator known for his provocative language, over a Twitter post that criticized Tamil Nadu chief minister M.K. Stalin.15

In January 2023, a man in Haryana was arrested for sharing on Facebook a manipulated screenshot of a tweet by the Haryana chief minister. He was subsequently released on bail.16 In March 2023, Kannada actor Chetan Kumar was arrested for a tweet in which he stated that Hindutva ideology is “built on lies.”17 The following month, the Ministry of Home Affairs revoked Kumar’s Overseas Citizen of India (OCI) status, which grants noncitizens permanent residency, citing his previous social media posts.18

Journalists in Jammu and Kashmir, which is excluded from this report’s scoring, frequently face such restrictions on their online activities. In March 2023, a special National Investigation Agency (NIA) court filed charges of sedition against academic Abdul Aala Fazili and Fahad Shah, editor of the news site the Kashmir Walla. The charges, filed under the UAPA, were brought against the two in relation to an article written by Fazili—titled “The Shackles of Slavery Will Break”—published on the news site in 2011. Fazili and Shah, who were arrested in April and February 2022, respectively, remained in detention as of the end of the coverage period, despite Shah having been granted bail.19 Kashmir Walla journalist Sajad Gul was arrested in January 2022 for posting a video online that showed a family shouting anti-India slogans while protesting over the death of at least one relative who was allegedly killed in a gunfight with security forces.20

C4 1.00-4.00 pts0-4 pts
Does the government place restrictions on anonymous communication or encryption? 2.002 4.004

Some laws risk undermining end-to-end encryption and limiting anonymity online. Prepaid and postpaid mobile customers have their identification verified before connections are activated.1 There is a legal requirement to submit identification at cybercafés2 and when subscribing to internet connections.

In February 2023, the Department of Telecommunications confirmed a report from MediaNama that it had developed and deployed a face-recognition system that analyzes the identification submitted by people when activating connections. The system, which is confirmed to be in use in Haryana, is purportedly used to combat SIM card fraud.3

Provisions of the draft Indian Telecommunication Bill (see A4) are likely to undermine end-to-end encryption. In September 2022, the DoT released the draft Indian Telecommunication Bill, 2022 for public consultation.4 Under Clauses 4(7) and 4(8), telecommunication service providers—including companies that provide interpersonal communications services, like end-to-end encrypted platforms WhatsApp and Signal— are required to identify users and make the identities of all senders of messages available to those who receive it. Under Clause 24(2)(a), telecommunication service providers shall be required to stop the transmission of, intercept, detain, or disclose any message or class of messages being transmitted by them, which would require telecommunication service providers to break end-to-end encryption.5

Civil society organizations have raised concerns that the draft DPDPB (see C6)—which would impose requirements on people seeking to exercise their rights under the act—would undermine online anonymity.6

The Intermediary Rules 2021 impose certain restrictions for anonymity and encryption,7 though it appears that the government has not enforced some of those measures.8 Significant social media intermediaries must allow users to “voluntarily” verify their accounts, including through mobile numbers, and clearly mark which users have done so. Digital rights organizations have expressed concerns that this verification could be made mandatory in the future.9 The rules also require that significant intermediaries be able to identify the first originator of information if requested by a competent authority or court in certain cases related to public order, sexually explicit or child abuse material, and India’s sovereignty, integrity, and security.10 Technical experts have raised concerns that such traceability is not possible without breaking end-to-end encryption,11 as this would require the intermediaries to track every message being sent over the platform,12 despite the government’s claim that it did not intend to undermine the technology.13 The government released a list of frequently asked questions on the Intermediary Rules in November 2021, which stated that the intent of the rule on identifying the first originator of a message was not intended to break or weaken encryption.14

In April 2022, the Indian Computer Emergency Response Team (CERT–In) issued a set of directions under the IT Act requiring cloud service providers and cryptocurrency exchanges to log user data for five years.15 While the use of VPNs remains legal in India, VPN providers now need to store users’ names, addresses, contact numbers, period of subscription, email and IP addresses, and the purpose of using their services.16 Companies have argued that logging such information would violate their users’ privacy and may also be technically unfeasible.17 Clarifications on the rules issued in May 2022 clarify that the provisions would not be applicable to corporate and enterprise VPNs.18 The directions, which came into force on September 25, 2022, have led several VPN service providers such as Proton AG, NordVPN, Surfshark, ExpressVPN, and IPVanish to withdraw their servers from India;.19 others, including TunnelBear, announced their services would no longer be available to users in India.

An Indian VPN service provider, SnTHostings, has challenged the legality of the directions before the Delhi High Court.20 In May 2023, it was reported that Surfshark and several other VPN service providers had received notices from CERT–In inquiring about compliance with the directions.21

In May 2021, WhatsApp filed a suit against the government in the Delhi High Court, arguing that the message traceability provisions of the IT Rules violated the right to privacy.22 The matter was still pending before the Delhi High Court during the coverage period, and the government reportedly filed an affidavit arguing that WhatsApp—as a foreign company with no Indian entity—could not avail of certain fundamental rights, or challenge the constitutionality of an Indian law.23

ISPs setting up cable-landing stations are required to install infrastructure for surveillance and keyword scanning of all traffic passing through each gateway.24 The ISP license bars internet providers from deploying bulk encryption; restricts the level of encryption for individuals, groups, or organizations to a key length of 40 bits;25 and mandates prior approval from the DoT or a designated officer to install encryption equipment.26

C5 1.00-6.00 pts0-6 pts
Does state surveillance of internet activities infringe on users’ right to privacy? 1.001 6.006

In August 2017, a landmark Supreme Court ruling affirmed privacy as a fundamental right embedded in the right to life and liberty, and intrinsically linked to other fundamental rights like free expression.1 State surveillance can nevertheless infringe on this right,2 and private companies offering spyware or hack-for-hire services have flourished.3

Communications surveillance may be conducted under the Telegraph Act4 and the IT Act5 to protect defense, national security, sovereignty, friendly relations with foreign states, public order, and to prevent incitement to a cognizable offense. Section 69 of the IT Act broadly allows surveillance for “the investigation of any offense.”6

The home secretary at the central or state level issues interception orders based on procedural safeguards established by the Supreme Court and the Telegraph Act.7 These orders are reviewed by a committee of government officials.8 Interception orders are limited to 60 days, and renewable for up to 180 days.9 In emergencies, phone tapping may take place for up to 72 hours without clearance; records must be destroyed if the home secretary subsequently denies permission.10

The existing surveillance architecture in India concentrates surveillance powers in the executive branch of the government and does not provide for meaningful oversight or review, either judicial or parliamentary, of surveillance activities.11 Draft legislation under consideration—namely the Indian Telecommunication Bill, 2022 and the Digital India Bill—would revamp the country’s legal framework for surveillance, along with the recently passed DPDPB (see C6). The draft legislation fails to limit overbroad government surveillance.

The Central Monitoring System (CMS) reportedly allows government agencies to intercept any online activities, including phone calls, text messages, and Voice-over-Internet-Protocol (VoIP) communication.12 A petition filed by the Centre for Public Interest Litigation (CPIL) and the SFLC in December 2020 argued that CMS and two other programs (the surveillance software Network Traffic Analysis [NETRA]13 and the integrated National Intelligence Grid [NATGRID]) should be discontinued because they allow bulk surveillance and data collection.14 The matter was due to be heard in September 2022, but remained pending before the court during the coverage period.15 In February 2021, the Ministry of Home Affairs in an affidavit before the Delhi High Court claimed that agencies are not granted “blanket permission” for surveillance; that surveillance programs are necessary to monitor “terrorism, radicalization, cybercrime, [and] drug cartels”;16 and that there is sufficient oversight on such surveillance activities.17

The Indian government is suspected of using sophisticated spyware technology against citizens. In October 2019, WhatsApp claimed that Pegasus software from the Israeli NSO Group was used to spy on at least two dozen activists, lawyers, academics, and journalists in India in May 2019.18 In July 2021, Amnesty International and Forbidden Stories reported that more than 1,000 phone numbers in India—including those belonging to politicians with the Congress party, activists, journalists, public health experts, and Tibetan exiles—appeared in a leaked data set of possible Pegasus targets.19 While it is unclear how many phones were targeted by Pegasus, preliminary reporting indicates that the spyware infiltrated the devices of at least 149 people in India.20

While NSO claims to only work with state agencies, government officials have repeatedly denied purchasing its software.21 However, when questioned about the claims, the minister of state in the Ministry of Home Affairs argued that Section 69 of the IT Act and Section 5 of the Telegraph Act allow certain authorities to intercept, monitor, or decrypt “any information from any computer resource” in the country.22 The IFF has reported that state investigations into the hack remain confidential.23

In August 2022, a panel convened by the Supreme Court in October 2021 submitted its report following an independent probe into claims that the government used Pegasus. The Supreme Court noted that the government did not cooperate with the investigation.24 As of April 2023, the report had not been publicly released, though the court has stated that it plans to do so.25

In March 2023, the Financial Times reported that the Indian officials were seeking spyware tools from companies with a lower profile than the NSO Group.26 Separately, Citizen Lab and Amnesty International reported finding evidence that at least nine academics, lawyers, writers, and activists were targeted between January and October 2019 in a spear-phishing campaign to install the spyware NetWire.27 The targeted individuals included human rights defenders calling for the release of activists arrested for allegedly participating in protests and violence in Maharashtra, known collectively as the BK16, including prominent activists Rona Wilson and Anand Teltumbde.28 In February 2022, cybersecurity firm SentinelOne attributed the campaign to a threat actor dubbed ModifiedElephant, which allegedly planted fabricated evidence on the personal devices of the BK16.29 Subsequent reporting linked police in Pune to ModifiedElephant.30

The government uses the Aadhaar national biometric database for the provision of multiple public services, including food stamps and various scholarships and employment schemes.31 The system’s use poses concerns regarding data privacy and security.32 Breaches of Aadhaar data were reported in 2017,33 2018,34 2019,35 2020,36 and 2021.37 In March 2020, it was reported that the government planned to build a database called the National Social Registry that will use data from Aadhaar38 and capture a vast amount of other personal information, including individuals’ marital status, financial status, and property owned.39 Critics, including Manorajan Kumar, the civil servant who first proposed the National Social Registry, have expressed concerns about privacy and potential data manipulation arising from the system’s envisioned implementation.40

In September 2018, the Supreme Court set limits on Aadhaar’s use.41 The ruling held that it was legitimate for the program to be mandatory for welfare schemes and that Indians must link their Aadhaar number to income tax filings and permanent account numbers, but that it cannot be required for services such as obtaining a SIM card, opening a bank account, and receiving educational grants. Despite this, Parliament passed in July 2019 the Aadhaar and Other Laws (Amendment) Bill,42 which civil society groups argue ignores the Supreme Court ruling.43 As of the end of the coverage period, a case challenging the law was pending in the Supreme Court.44 The court has also directed that a larger bench be set up to review the 2018 judgment, but the bench has not yet been constituted.45

There has been a lack of transparency and oversight, and in some cases an insufficient legal framework, to ensure that COVID-19-related technology does not undermine privacy.46 For example, the contact-tracing app Aarogya Setu, which was active until June 2022,47 uses data gleaned from Global Positioning System (GPS) and Bluetooth technology.48 Government agencies are permitted access to information stored on a centralized database.49 The app has poor encryption standards.50

Police also conduct manual searches of electronic devices. In October 2021, during the previous coverage period, police in Hyderabad and Bengaluru were reported for randomly checking the phones of citizens on the street.51

C6 1.00-6.00 pts0-6 pts
Does monitoring and collection of user data by service providers and other technology companies infringe on users’ right to privacy? 2.002 6.006

Technology companies are required to collect extensive personal data, and a variety of laws provide government agencies the ability to access this information.

Ten separate intelligence bodies are authorized to issue surveillance orders to service providers.1 Online intermediaries are required by law to “intercept, monitor, or decrypt” or otherwise provide user information to officials.2 The Telegraph Act levies civil penalties or license revocation for noncompliance,3 and violations of the IT Act can lead to a maximum 10-year jail term.4 Unlawful interception is punishable by a lesser sentence of three years.5

The IT Rules 2021 changed the way companies must share information with government agencies in certain circumstances. The rules require intermediaries to provide the government with data within 72 hours of receipt of a written order to verify identity, or for the prevention, detection, investigation, or prosecution of offenses under domestic law.6 The rules also impose new data-retention policies requiring intermediaries to store information for 180 days.7

India does not have a data-protection law in force. In November 2022, MeitY published the draft DPDPB for public consultation. The draft DPDPB was criticized for various provisions that failed to sufficiently safeguard personal data. These include provisions such as the deemed consent clause, which allows for nonconsensual processing of data, and the exemptions clause, which grants wide exemptions from the application of the draft bill to state and private actors.8 A version of the DPDPB was passed in August 2023, after the coverage period, the provisions of which raised similar concerns; the law will come into effect once notified.9

The 2022 draft departs from the Data Protection Bill, 2021, which was introduced in December 2021 to replace the earlier Personal Data Protection Bill, 2019 and subsequently withdrawn in August 2022. The 2022 draft dilutes the role of the Data Protection Board, which is not independent and performs only an adjudicatory function, compared to the regulator under the 2021 draft.10 The 2021 bill mandated data localization; the 2022 version allows for cross-border data transfer. It has been reported that the Indian government may block the transfer of data from India to a number of “disapproved” countries.11

Standard Operating Procedures for Lawful Interception and Monitoring of Telecom Service Providers—regulations issued in 201412 —restricted interception to a service provider’s chief nodal officer, and mandated that interception orders be made in writing.13 Rules issued in 2011 under the IT Act provided for greater protection of personal data handled by companies,14 but do not apply to the government.

The telecom license agreements require service providers to guarantee the designated security agency or licensor remote access to information for monitoring;15 ensure that their equipment can provide for centralized interception and monitoring; and provide the geographic location of any subscriber at a given point in time.16 A 2011 Equipment Security Agreement requires telecom operators to develop the capacity to pinpoint any customer’s location within 50 meters.17

In December 2021, during the previous coverage period, the Department of Telecommunications (DoT) extended the requirement for telecommunications providers to retain call data and internet usage records of subscribers from one year to two years.18 In March 2020, news reports revealed that telecom companies had raised concerns with the DoT over the bulk call data records sought by the government.19 Through RTI requests, the IFF found indications that the records were potentially sought for use cases beyond quality assurance, as the government claimed.20

Between January and December 2022, Meta received 119,349 total requests from the Union and state governments in India for user data. The company produced information for 66.59 percent of requests received from January to June 2022 and for 68.26 percent of requests received from July to December 2022.21 From January to June 2022, Microsoft received 610 requests by law enforcement in India relating to criminal cases, of which 29.02 percent resulted in disclosure of non-content subscriber data and 544 requests in which users or accounts were specified.22

C7 1.00-5.00 pts0-5 pts
Are individuals subject to extralegal intimidation or physical violence by state authorities or any other actor in relation to their online activities? 2.002 5.005

Trolling and violent threats for online activity continued in the reporting period. Journalists continued to face intimidation, coming in the form of criminal charges and lawsuits, as well as extralegal harassment.

People sometimes face physical violence as a result of their online activities. In June 2022, two Muslim men killed Kanhaiya Lal Teli, a Hindu, in Udaipur, reportedly in retaliation for his social media post in support of former BJP spokesperson Nupur Sharma, who had made controversial and derogatory remarks about the prophet Muhammad.1

Media outlets have reported widespread online harassment and trolling of investigative journalist Rana Ayyub in response to her work.2 In February 2022, the Enforcement Directorate, one of the government’s financial investigation agencies, reportedly launched a money-laundering investigation against Ayyub in relation to alleged misappropriation of COVID-19 relief funds raised primarily through crowdfunding platform Ketto.3 Ayyub has called the investigation a baseless smear campaign.4 Ayyub was stopped by immigration officials at the Mumbai airport in March 2022 while on her way to London for a discussion on online violence against women journalists hosted by the International Center for Journalists.5 Online harassment of Ayyub continued throughout the coverage period.6

Indian media outlets have reported incidents of police intimidating and harassing other journalists for their work. In June 2022, Delhi-based journalist Shahid Tantray, who works for the Caravan news site, disclosed that Jammu and Kashmir police had harassed him and his family as a result of his reporting. He has alleged that he was told that if he continued his reporting he would either be shot at or detained.7

In August 2023, after the coverage period, the home of Khushboo and Nadeem Akhtar, who run the YouTube news channel Pal Pal News, was set on fire. The Akhtar siblings, who have received death threats for their reporting on violence and discrimination against Muslims, believe the arson attack was connected to their work.8

In November 2021, during the previous coverage period, journalist and right to information activist Buddinath Jha, who reported for his Facebook news page BNN News Benipatti, was found burnt to death. Jha had previously received death threats and offers of bribes in relation to his reporting on corruption in local health care clinics.9 In August 2021, Chenna Kesavulu, a journalist who had exposed the corruption of a local police officer in a series of YouTube videos, was stabbed to death by the officer and his brother.10

Abuse and trolling are worse when the victim is a woman, is an adherent of a minority religion, is from a lower caste, or otherwise identifies within a marginalized group.11 For example, YouTube journalist Thulasi Chandu faced violent misogynistic harassment during 2022 and 2023 over her reporting, which appeared to be coordinated in part through Facebook groups and YouTube channels.12

Other apps have reportedly been used to coordinate online harassment campaigns against prominent Muslim women. In January 2022, an app called “Bulli Bai” surfaced, which reportedly used photographs and deepfakes of prominent Indian Muslim woman journalists and ordinary women to “auction” the women online.13 The “Sulli Deals” app, which surfaced in July 2021, reportedly created online profiles and uploaded photos of over 80 Muslim women, including activists, journalists, and politicians, describing them as "deals of the day."14 Both apps are named after colloquial slurs for Muslim women, and have targeted women with a prominent digital presence.15 The creators of both apps were charged with promoting enmity between groups, sexual harassment, and causing disharmony, among other offenses.16

C8 1.00-3.00 pts0-3 pts
Are websites, governmental and private entities, service providers, or individual users subject to widespread hacking and other forms of cyberattack? 2.002 3.003

India remained a frequent target of cyber security incidents during the coverage period. CERT–In reported almost 1.39 million cybersecurity incidents in 2022.1 Many cyberattacks are suspected to emanate from actors in China. Hackers based in China reportedly attempted to compromise the personal health data of millions of patients after attacking five servers of the All India Institute of Medical Sciences (AIIMS) in Delhi.2 State-backed attacks originating in Pakistan3 and Iran4 have reportedly also targeted Indian government systems.

Reports suggest that cyberattacks against Indian government agencies increased during the coverage period.5 According to monitoring by CloudSEK, such attacks doubled from 2021 to 2022.6 For example, the hacktivist group DragonForce Malaysia coordinated attacks against government and BJP websites in June 2022 after a prominent BJP official made disparaging remarks about the prophet Muhammad.7 According to MeitY, the number of ransomware incidents in India has increased in recent years, with 132 incidents in 2021 and 202 incidents in 2022.8

The Information Technology Act is the primary legislation governing cybersecurity, and lays out penalties for damaging computers and computer systems.9 The IT Act penalizes hacking, introducing malware, and distributed denial-of-service (DDoS) attacks that result in significant damage or disruption to essential services.10 The law also allows the government to define resources as “critical information infrastructure.”11 In August 2020, the prime minister announced that the government is developing a new cybersecurity policy to counter increased cyberattacks;12 the national security coordinator reported that the strategy remained in progress during the coverage period.13 The April 2022 CERT–In directive (C4) also requires all service providers, intermediaries, data centers, companies, and government organizations in India to report cybersecurity incidents within six hours.14

On India

See all data, scores & information on this country or territory.

See More

Country Facts

  • Global Freedom Score

    66 100 partly free

  • Internet Freedom Score

    50 100 partly free

  • Freedom in the World Status

    Partly Free

  • Networks Restricted

    Yes

  • Websites Blocked

    Yes

  • Pro-government Commentators

    Yes

  • Users Arrested

    Yes