How the Bulli Bai case exploits GitHub's features

In June 2020, an app on GitHub, the popular code repository platfrom, called Sulli Deals became a talking point for uploading photos of Muslim women without their consent and (fake) auctioning those off to the highest bidders. Many outspoken activists and journalists found their photos on the list, most of them being taken off from Twitter or other social media platforms.

FIRs were registered in the Sulli Deals matter and a request was sent earlier under the Code of Criminal Procedure (CrPC) to GitHub for details, but the platform did not respond.

The latest development in the Sulli Deals case is that the Ministry of Home Affairs has approved the Delhi police’s request to seek details from GitHub under the MLAT (Mutual Legal Assistance Treaty). This development comes in six months after the FIRs were registered in Delhi and Noida.

While the Sulli Deals app was taken down following the outrage on social media, no legal action has been taken yet. Almost like clockwork, another fake auction site, called Bulli Bai, has sprung up on GitHub, and it is doing the exact same thing as the other app - auctioning off photos of Muslim women without their consent.

Many of those who have found their photos uploaded on Bulli Bai are repeat victims, and they think that the lack of action from authorities has “emboldened” the offenders to do the same thing again.

Names and photos on the platform included Pakistani activist and Nobel Peace Prize laureate Malala Yousafzai, and closer to home, Kashmiri journalist Quratulain Rehbar, Delhi-based journalist Ismat Ara who lodged an FIR with the Cyber Police in South East Delhi, Radio Mirchi RJ Sayema, and even Najeeb Nafees' mother Fatima Nafees. Najeeb, a student at Jawaharlal Nehru University in Delhi, went missing more than five years ago after a fight with students from a right-wing organisation on campus.

‘Sulli’ and ‘Bulli’ are both derogatory slangs used for Muslim women and the main idea behind both the apps has been to target these women, particularly those who have raised their voices on Twitter, and other social media platforms, against the current political regime in the country.

“India’s online space is rife with misogyny and harassment of women. But the two ‘auctions’ have amplified concern about the organised nature of the virtual bullying, and how targeted smears and threats of violence, particularly sexual violence, are deployed to try to silence women, especially those critical of some of Prime Minister Narendra Modi’s policies,” a New York Times report pointed out recently.

Bulli Bai case: What has happened so far

Unlike in the Sulli Deals case, three arrests have been made in the Bulli Bai case - 21-year-old Vishal Kumar from Bengaluru, 18-year-old Shweta Singh from Uttarakhand, and 21-year-old Mayank Rawat from Kotdwar in Pauri Garhwal district. All the three  arrested are going to be taken to Mumbai for questioning.

Engineering student Vishal’s role was reportedly to edit and upload photos of the women onto the app. Shweta’s name was revealed by Vishal who said that they were in touch and that Shweta knew the people who were working on the posts and activities on the Bulli Bai app. According to reports, Rawat promoted the Bulli Bai app on Twitter and stopped when the content provoked outrage.

 Shweta, who is being called the mastermind behind all this, was allegedly working on the instructions of a social media friend from Nepal who was instructing her regarding the “activities” to be carried out on the app. She was also using a fake Twitter handle (JattKhalsa07) to share hate posts, objectionable photos and comments on Twitter. It is currently being probed if Shweta created the Bulli Bai app herself or if someone else was involved.

The case is being handled and investigated by both Mumbai and Delhi Police.

Bulli Bai and Sulli Deals: What were these apps doing

Both the apps work pretty simply. They have photos of Muslim women that those on the app can bid on. These are fake auctions, of course. The main concept is to dehumanise these women to the level of objects that can be auctioned off. Screenshots of these apps, or mentions that they were seen on the app, were often used on Twitter as rebuttals to any Muslim woman being critical of the current regime in an effort to demolish their arguments and shut them up.

Where are these apps?

Like Sulli Deals, Bulli Bai was created and hosted on a platform called GitHub. These apps are not on any of the app stores, but a simple Google search can lead you to the APK files for these apps. APK or Android Application Package is a file format that is used to distribute and install apps, games, etc., on Android systems.

Since the apps were not in legitimate app stores like the Google Play Store or the Apple App Store, they were not immediately flagged and reported, and were only pulled up when there was ample uproar about them online.

What is GitHub?

GitHub, where the code for both the Sulli Deals and Bulli Bai apps were uploaded by their developer(s), is a code repository that allows developers to store, manage and crowdsource development of their code, as well as track and control changes to the same.

It is a platform that allows developers to collaborate, communicate and work together on a project while also allowing them to create new versions of the software without affecting the current version. It’s an essential platform for open-source development worldwide, with contributions from Big Tech firms like Google, Microsoft and many more.

GitHub is very user-friendly and anyone can sign up and host a public code repository for free which makes it very popular for open-source projects. Transparency is another plus point of the platform allowing developers and companies to open up their projects for users to understand its workings better.

In the case of both these apps, code hosted on GitHub was probably used in their development and maintenance. But at the same time, if GitHub shares details with the authorities, it should also be easy to track exactly who all were involved in the projects.

Github also allows users to download apps from it, which means it could be considered a distribution medium too, like the Google and Apple app stores. However, apps downloaded off Github aren’t finished products and are usually only used for testing and development purposes.

So, what happens now legally?

While three arrests have already been made, more might follow. Also, while the app has already been pulled down, but APK files seem to be available online still.

“In the Bulli Bai matter, two FIRs have been registered, one by the Delhi Police and another by the Mumbai Police. These FIR’s have invoked Sections 153A, 153B, 295A (insulting religious beliefs), 354D (stalking), 509 and 500 (criminal defamation) of the Indian Penal Code (IPC)  and the Mumbai Police has also invoked Section 67 (publishing or transmitting obscene material in electronic form) of the Information Technology (IT) Act,” explained Satya Muley, Advocate at the Bombay High Court.

Muley added that since Section 67 of the IT Act has been invoked, it indicates that “punishment might extend three years of imprisonment and fine of up to Rs 5 lakhs, for publishing or transmitting any material which is obscene, lascivious or depraved”. Section 67A has more stringent punishment which may extend to five years of imprisonment and fine of up to Rs 10 lakhs, for publishing or transmitting any material which is sexually explicit, he added.

What more can be done?

Haste and deftness seem to be the requirement of the day when it comes to dealing with a case like this. Policy think tanks are of the opinion that the procedures take too long and that the current IT framework is also lacking.

“The tedious MLAT process which takes months to complete is another major reason for delayed investigations and prosecution,” Kazim Rizvi, Founder of The Dialogue, pointed out.

“The law enforcement agencies are still awaiting evidence from Github in the earlier Sulli Deals case to proceed against the perpetrators. As India stands at the brink of enacting its first data protection legislation, it is crucial that the law meets the adequacy standards of the data protection frameworks in the other jurisdictions. This shall ensure the free flow of data from foreign countries and allow timely access to crucial digital evidence from foreign entities,” Rizvi added.

“Reforming our current information technology framework to ensure its relevance and ability to tackle the emerging security concerns in the digital world is another important step that needs to be actioned upon. Strict punishment must be prescribed against such offenders to create deterrence in the society and state accountability must be enhanced to ensure timely justice for the victims,” he said.

“Legal mandates to ensure cooperation by platforms during investigation and ensuring strict and efficient enforcement of their Terms of Service is also paramount to build a robust net against the perpetrators with utmost accountability and responsiveness from all the stakeholders,” Rizvi said while speaking about the next steps that should be taken in this case.

The most natural narrative, in this case, will be one that goes against a platform like GitHub. But at the end of the day, it is a platform where millions of developers from around the world are collaborating at any given point in time to create apps and websites that are not derogatory and have not been created to harm or malign a particular community.

We are at a point where technology is either celebrated or demonised. But this is not the time for binaries. It is possible, and normal, for technology to do both good and harm at the same time.  

“GitHub has longstanding policies against content and conduct involving harassment, discrimination, and inciting violence. We suspended a user account following the investigation of reports of such activity, all of which violate our policies. We also continue to follow applicable laws and policies as we engage in good faith with authorities," a GitHub spokesperson told Business Today.

“The test of a first-rate intelligence is the ability to hold two opposing ideas in mind at the same time and still retain the ability to function,” wrote F. Scott Fitzgerald.

So, while GitHub’s ease of use, access, lack of regulation, etc., is the problem here, its transparency should be the solution to get to the criminals.

Also Read: GitHub user behind 'Bulli Bai' app blocked; CERT, police coordinating further action: IT Minister