On 1 January, when hundreds of Muslim women started their New Year seeing their photos being misused and 'auctioned' on a GitHub app called 'Bulli Bai', it shouldn't have come as a surprise. For no action was taken and no arrests made in the prequel to this incident – the 'Sulli Deals' fiasco – just six months ago.
Despite the online outrage from the women listed on the app, and their allies, the case saw no concrete investigation, purportedly emboldening the perpetrators to repeat the incident.
Moreover, six months after the Delhi and Uttar Pradesh cops filed two different FIRs in July 2021, the following information has still not been disclosed or clarified by the police with regards to investigation in the case:
When was the Multilateral Legal Assistance Treaty (MLAT), under which GitHub is bound to share data, initiated?
A copy of the summons issued, if such summons were issued
Whether summons were issued to/information sought from GoDaddy.com, which had 'sullidealing.co.in' registered but not yet hosted
A detailed action report, as sought by the Delhi Commission for Women
Details of steps taken by the Delhi and UP cops to identify and arrest the perpetrators/or the reasons for not arresting them
The Quint had reached out to Delhi and UP Police's cyber crime units on 3 January. Our questions elicited no response.
Although, on Thursday, 6 January, the Delhi Police's Special Cell arrested a 21-year-old man, Neeraj Bishnoi, from Assam, in connection with the Bulli Bai case. The police claimed that Bishnoi is the mastermind behind the app.
The Maharashtra Police, who are also investigating the Bulli Bai case, arrested three people in connection with it – two of whom are students. In a press conference on 5 January, they indicated that more arrests were in the offing. "The Mumbai Police was just an hour away from his location to nab but Delhi Police detained him," a police source told The Quint about Bishnoi's arrest.
While the Bulli Bai case has made some progress, why did the Delhi Police make no real headway in the 'Sulli Deals' investigation?
What Should Have Been Done in July?
The Delhi Police Special Cell filed an FIR on 8 July 2021, and the UP Police a day later on 9 July. The ideal next step should have been processing an MLAT, say all three cyber security experts who The Quint spoke to.
As a hosting platform, GitHub, among other things, allows users to create apps under personal or administrative names. For GitHub to provide information about the registrant and IP details of the person behind Sulli Deals, it has to go via Treaty Between India And United States of America On Mutual Legal Assistance In Criminal Matters.
"To be honest, this is done very frequently by police departments. It is for them to coordinate with the Ministry of Foreign Affairs which then sends such requests to different organisation. One thing which becomes relevant here is that the police has not just disclosed or provided the actual copies or the dates of the notices which have been sent to the online companies. It shows the police inaction is giving adequate comfort for people to repeat this crime, knowing that they can act with impunity."Apar Gupta, Executive Director, Internet Freedom Foundation told The Quint
Cyber Expert Sandeep Shukla added that if indeed the MLAT has been processed, another question should be why it was taking extended time.
He told The Quint:
"In another country, GitHub would have faced large-scale denial of service for allowing such things on their platform, by hacktivists. More so because GitHub is not owning upto their poor monitoring or not tracking down the IP addresses and other information of users who did it mid 2021. However, in India, communalism and misogyny has reached such levels that such things are even happening."
It was only on 5 January that Delhi Police DCP KPS Malhotra said that the MLAT procedure "was completed" in the Sulli Deals case.
"The MLAT procedure in the 'Sulli' app case is completed in India and will soon be delivered to the Department of Justice. Details will be sought through MLAT accordingly and will be shared through Interpol," he said.
Malhotra did not clarify when exactly the process was initiated and completed, and whether GitHub has already been issued summons under MLAT.
GitHub, meanwhile, told The Quint it had "suspended a user account", but said nothing about information sought by investigating agencies.
"GitHub has longstanding policies against content and conduct involving harassment, discrimination, and inciting violence. We suspended a user account following the investigation of reports of such activity, all of which violate our policies,” they said.
Other Unanswered Questions
Were Summons Issued to GoDaddy.Com?
In July, multiple Twitter handles tweeted about a a new domain that had been registered on GoDaddy.com, titled “sullidealing.co.in." The website, however, was not hosted yet.
It is not known whether the portal was issued summons to provide details on the person who registered this address.
"If GoDaddy.com was summoned to provide information about who registered sullidealing.co.in, it could have provided some headway into joining dots for who really created this nuisance app."Apar Gupta to The Quint
Apart from the summons, the most basic thing to do is for the cops to track the Twitter handles that were sharing screenshots of 'Sulli Deals' app, cyber experts added.
Did Cops Track Twitter Handles?
A handle by the name ‘UrLocalSulliDealer’ (@sullideals101) was operating since 2019. Many such handles were tweeting and promoting the “Sulli Deals” app – @sullideals786 and @sullideals, The Wire pointed.
Were these handles tracked by the cops? Neither the UP Police nor the Delhi Police responded.
"Twitter is more than compliant to Indian government. I do not see why they are unable to get the information. Of course the users might have used anonymisation service to create those accounts and hence difficult to track down. But there should be transparency as to why it is difficult," Shukla said.
Lack of Intent, Weak FIR?
Six months after the investigation began, the cops have not shared details of the steps taken by them to identify and arrest the perpetrators. Neither have they provided reasons for not arresting them.
Several women, many of whom are victims of these targeted attacks, questioned the lack of intent from the Delhi and UP Police.
The Delhi Police registered an FIR under Section 509 of the Indian Penal Code (IPC) – insulting the modesty of a woman – and Sections 66 and 67 of the Information Technology Act – transferring obscene material. This experts say, is a weak FIR, that also shows the cops' lack of intent to investigate.
"The FIR registered on the Sulli Deals case, is only for offences of obscenity and outraging the modesty of women. However, there elements of hate speech also present, given that specific Muslim women who are members of a minority, have been targeted in order to de-humanise Muslims. So I would say, it is a weak FIR which has been filed. So on these two instances, I think there is sufficient basis for the assertion that the Delhi Police is not properly investigating the case itself," Gupta explained to The Quint.
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)