India’s proposed internet regulations can threaten privacy everywhere

February 15, 2020

ISLAMABAD: India is poised this week to unveil new rules that threaten encrypted communications around the world, and it seems safe to say that the encryption fight is now fully underway, foreign media reported on Friday. Messaging products that are end-to-end encrypted can be read only by the sender and the recipient.

The encrypted platform itself — such as Apple’s iCloud, or Facebook’s WhatsApp — can’t read the message, because it doesn’t have a key. This has led to periodic attempts from law enforcement agencies and lawmakers to force platforms to create so-called “backdoors” that would allow them to snoop on the contents of those messages. But the platforms have resisted, and the issue has generally been in a stalemate. The Indian government has often taken a draconian approach to regulating the web — shutting down internet access at least 95 times last year, including an indefinite shutdown in Kashmir that a judge called an “abuse of power” earlier this year.

Now a set of rules proposed a little over a year ago would force tech platforms to cooperate continuously with government requests, without requiring so much as a warrant or court order. Among the requirements is that any post be “traceable” to its origin. And in what is believed to be a world first, the rules would require tech companies to do the investigating — to deploy their sophisticated tools to track a post’s spread on their network back to its point of origin, and then turn that information over to law enforcement.

This is quite different from the current approach, in which law enforcement identifies a suspect and then asks platforms to supply information about them. Now tech companies could essentially be required to serve as deputies of the state, conducting investigations on behalf of law enforcement, without so much as a court order.

That almost certainly means breaking encryption — how else could tech companies be expected to trace the source of a message? Imagine Clearview AI, but as a service tech companies are required to provide to law enforcement for free. The final rules are expected to be released imminently, Saritha Rai reports in Bloomberg:

The Ministry of Electronics and Information Technology is expected to publish the new rules later this month without major changes, according to a government official familiar with the matter.

The provisions in the earlier draft had required platforms such as Google’s YouTube or ByteDance Inc.’s TikTok, Facebook or its Instagram and WhatsApp apps, to help the government trace the origins of a post within 72 hours of a request. The companies would also have to preserve their records for at least 180 days to aid government investigators, establish a brick-and-mortar operation within India and appoint both a grievance officer to deal with user complaints and a government liaison. The rules would apply to any app with more than 5 million users, including Facebook, YouTube, Twitter, and TikTok. Bloomberg reports that it’s not clear whether the identities of foreign users would be exempt.

The tech companies are fighting back. A trade group has argued that the rules would represent a severe violation of Indian citizens’ privacy, and they would almost certainly sue if the rules were implemented as written.

But there’s no guarantee that they’ll win. And if these rules take effect, India won’t be the last democracy to implement them. Tech companies will come under increasing pressure to implement a similar system in other Western countries. (Australia seems poised to try to break encryption as well.)

What happens if encryption supporters lose? First, privacy is diminished for billions of users — including for activists, dissidents, victims of domestic abuse, businesses, and even government workers who have come to rely on secure messaging.

Second, the move could hurt the tech sector — both in India and abroad — by making it prohibitively expensive to launch a new business. Who can afford to build a compliance regime that requires the company to accommodate any government request, no matter how small, from day one? In practice, the answer is likely to be “only incumbents.” Hannah Quay-de la Vallee makes this point: If this rule is implemented in India (and potentially copied by other nations) it could force companies to create two types of systems – one that uses e2e and one that doesn’t. Companies might well justifiably balk at the cost and complexity of that approach and simply build less secure systems. That would weaken the overall safety of the internet ecosystem, harming users around the globe. Alternatively they could remove themselves from the Indian market altogether, depriving 1.2 billion people of state-of-the-art internet security. Neither of these are good outcomes.