By Apurva Singh, Volunteer Legal Counsel, Software Freedom Law Center.in
In the last few years, several countries across the globe have attempted to break or weaken strong security offered by end-to-end encryption under the garb of countering child sexual abuse material or misinformation. India recently became the first country to introduce the much-debated traceability provision. While the signs of Indian government’s dislike towards end-to-end encrypted platforms were evident after the release of the draft Intermediary Guidelines, 2018 and when India joined the “Five-Eyes” alliance¹ in releasing a statement against encryption, the abrupt notification of the provision still came as a shock to organizations working in this space. The Government of India decided to notify the provision as a subordinate legislation whereby it bypassed legislative scrutiny.
India follows a conditional safe harbour regime and the safe harbour is contingent on the intermediaries complying with the provisions of the Intermediaries Guidelines Rules notified in 2011.² These Rules were replaced by the Information Technology (Intermediaries Guidelines and Digital Media Ethics Code) Rules”, 2021 notified on February 25, 2021. These Rules mandate a significant social media intermediary (these are defined as social media intermediaries having more than 5 million registered users in India) providing messaging services to identify the originator of information when required by a judicial order or by a competent authority.
While the government has provided a 3 months timeline to significant social media intermediaries to comply with the provision, which will expire on May 25th, 2021 the uncertainty behind the technical implementation without breaking end-to-end encryption has led to unsaid extension to the timeline. The provision is particularly problematic in a flawed democracy where students, hospitals and journalists are slapped with FIRs for voicing SOS calls on social media platforms or for posting pictures of over-crowded crematoriums. The traceability provision will undermine this safety offered by end-to-end encrypted platforms leading to further crackdown of activists, whistleblowers, dissenters in India. The Rules, 2021 have been framed in such a manner that even platforms with less than 5 million users can be brought in under the garb of the traceability provision. This has particularly undermined the federated FOSS services such as Matrix and Diaspora. The Rules ignore the transcendental nature of technology and require significant social media intermediaries to have three officers in India. The fate of not-for-profit services like Signal has been left in lurch in India. The provision, in its current form, does not have mandatory judicial scrutiny. The judicial scrutiny requirement can be bypassed by law enforcement agencies using S. 69 of the Information Technology Act, 2000.
It cannot be ignored that India’s tech governance will impact countries in South East Asia and Brazil due to their unique positioning. Brazil has been in the process of introducing traceability and India’s recent notification could give it impetus to implement the same. Both the countries have a shaky record in human rights protection. The implementation of the provision will lead to further degradation of human rights in the country and a crackdown on activists, protestors and dissenters. There is a likelihood that India and Brazil would be followed by other countries who have been opposing the security and privacy offered by use of encryption. The growing pressure against encryption from countries which widely uses encrypted services has the possibility of toeing the private for-business corporations in either weakening their encrypted services by way of traceability or offering paid encrypted services to a select few who can afford it. In any case, the judiciary of both countries would have a bigger challenge to balance the privacy vs security debate vis-à-vis encryption.
A little hope remains from the civil society organisations which have been advocating against the traceability provision. SFLC.in, in India, has assisted a FOSS developer in challenging the 2021 rules. One of the grounds is that the traceability provision does not adhere to the tests relating to privacy laid down in the landmark Puttaswamy (2017) case. The petition also prays that the right to encrypt be declared as a subset of the right to privacy, which has been interpreted by the Supreme Court to be a fundamental right under the Constitution of India. During these dark times, civil society organisations remain a beacon of hope against arbitrary state actions that undermine privacy.
Notes:
¹ The “Five-Eyes” alliance is an inter-governmental deal for sharing intelligence and surveillance information between the United States, United Kingdom, Canada, Australia, and New Zealand. Recently, Japan and India have collaborated with an alliance’s statement. See https://www.indiatoday.in/technology/news/story/india-joins-five-eyes-japan-in-demanding-backdoor-into-whatsapp-end-to-end-encrypted-chats-1730681-2020-10-12.
² See https://sflc.in/our-projects/freedom-in-the-net/faq.
³ First Information Reports