Akriti Bopanna
Policy and Advocacy Manager for Internet Society (ISOC), based in India
Diego R. Canabarro
Senior Regional Policy Manager for ISOC, in Latin America and the Caribbean, based in Brazil
Disclaimer: The views expressed here are personal, and do not reflect the positions of the Internet Society or any other institution to which the authors are affiliated.
India, with its evolving digital policy jurisprudence for more than a billion people, is at a significant juncture today in setting the rules for technology companies worldwide. Politically, the attempts to make India a more right-wing country and the introduction of protectionist measures have changed how the influence of foreign entities is perceived. This is accompanied by greater scrutiny of the actions of companies like Google, Amazon and Facebook, whether in terms of competition law, intermediary liability or e-commerce regulations. It is the best of times and the worst of times for surveillance in India today, depending on who you ask. It is the former for the Government, which has advanced the newest edition of the rules governing intermediary liability in the country, the Information Technology Rules, 2021. These were notified under the Information Technology Act, the parent legislation for laws regarding the liability and duties of intermediaries operating in the country. The recent move has sparked a fresh period of unrest, with the top social media companies and messaging service providers battling key provisions. While Twitter and Signal are at risk of losing their intermediary status due to non-compliance, WhatsApp and Facebook have gone on the offensive by filing two separate legal cases against the 2021 Rules. The litigation concerns the central issue discussed in our piece today: the breaking of end-to-end encryption by mandating aspects of traceability.
Issues related to intermediary liability have also been a key part of the Internet policy landscape in Brazil for some time now. Historically, over the last twenty-five years, the country has been known for a highly progressive approach to ICT policy, with Anatel (the telco regulator) adopting innovative policies and regulations that foster market competition, such as alleviating the regulatory burden for entering the market (especially in rural and remote areas) and recognizing complementary connectivity solutions like community networks. Further, the Brazilian Internet Steering Committee (CGI.br) has been of paramount importance in coalescing the multi-stakeholder community in the country to provide guidance for the public sector vis-à-vis Internet policy-making processes. Since 2014, Brazil has had an “Internet Bill of Rights” (a.k.a. “the Marco Civil”) that sets rights and duties for users and Internet providers of all sorts, including defining the role of the public sector in the further development of the Internet in the country. Since the 2018 elections (marked by widespread controversies related to the spread of disinformation through social media platforms and messaging apps), Internet policy discussions in the country have revolved around “doing more” in relation to the power of platforms and the need to “bring light” to communication streams that happen in messaging apps protected by E2E encryption. That happens against the backdrop of Bolsonaro’s chaotic government and severe conflicts between the Legislative, the Judiciary and the Executive branches.
Traceability in messaging apps as a policy issue in India and Brazil
The conversation around traceability in India has become topical over the past few years due to two main and related reasons, the first one being the widespread popularity of WhatsApp in the country, which in April 2016 enabled end-to-end encryption for all its users. The popularity of the app in India gave rise to a new wave of misinformation and, in many scenarios, even offline violence emanated from it, which led to governments blaming the tool and demanding more accountability from the platform. This took the form of wanting the platform to prevent the spread of messages as well as trace their origin. Subsequently, the Indian government started viewing encryption as a threat to public order and then as a national security concern.
Traceability surfaced in Brazil and has been dividing Internet stakeholders since mid-2020. In early May, a group of Parliamentarians introduced identical Draft Bills in both Houses of the Congress to tackle the issue of disinformation (especially in the context of electoral processes). The Senate was fast to approve PL 2630 – or the “Brazilian Law of Freedom, Responsibility and Transparency on the Internet” (commonly referred to as “the Disinformation Bill”) – in roughly one month of deliberations. Since July 2020, the House of Representatives has been seized of the matter. In a nutshell, PL 2630 mainly focuses on social networks and messaging apps which have a significant number of users (more than 2 million users). The Bill deals with accountability, transparency and due process in content moderation by social media platforms. It adopts a transparency and accountability regime concerning paid content amplification and publicity (with special provisions for the case of elections). Additionally, it creates rules that are applicable to self-regulation by Terms of Service and Use. It also sets penalties for those in charge of spreading disinformation in an organized way. One of the key controversies inherent to the text approved in the Senate (and probably the most heated topic of discussion over the last year) was a provision (Article 10) that introduces the notion of traceability in messaging apps.
What ties us together? An overly simplistic (and dangerous) tech approach to tackle complex social phenomena
Rule 5(2) of India’s Rules asks social media intermediaries with more than 5 million registered users to enable identification of the first originator of any message for which the Government requests such information. The regulation clarifies that intermediaries do not have to disclose the contents of messages on the platform, which implies that originator data will be requested for messages already known to the authorities – one can only assume how that may be, perhaps if these messages have gone viral or been revealed by one party in the exchange. Determining the first originator of a forward can be a highly arbitrary process, given the possibility of many individuals forwarding a message at the same time, albeit with superficial modifications. Moreover, the first individual to introduce the message on the platform could have done so with purely personal or non-malicious intentions, with the message then being manipulated or modified for nefarious reasons. In such a case, it is difficult to account for intention when a message is created. Additionally, if a message originated outside India, the first originator is deemed to be the first recipient of the message in the country. This is highly problematic, as receiving a message cannot be equated to commencing a criminal act. Another issue is a rule mandating that the intermediary preserve records of content transmitted by it for a minimum period of 60 days. The Supreme Court of India in the Puttaswamy Judgment established an Indian citizen’s Right to Privacy, and such actions by the authorities violate this fundamental right.
In Brazil, Article 10 of the Disinformation Bill obliges messaging app providers to log forward chains of specific messages (“mass forwarding”) for a period of three months. Mass forwarding is considered the dispatch of the same message by more than five users, in an interval of up to 15 days, to chat groups, transmission lists or similar mechanisms used for grouping multiple recipients. The logs shall contain “the indication of the users who forwarded the message, with the date and time of the respective forward, and the total number of users who received the message”. The intention here is to be able to trace back the first originator of a forward chain. The Bill indicates that “the privacy (sic) of the message content” shall be safeguarded and access to those logs will only be granted by means of a court order in the context of criminal investigation and prosecution of those involved in mass forwarding of illicit content. As a final safeguard adopted by the Brazilian legislator, the provision shall not apply to messages that reach an audience of less than one thousand users. Among other things related to traceability that we will delve into below, there are three immediate problems with the Brazilian framework: (a) app providers – especially those who operate E2EE services – have no way of anticipating which message will go viral or not, so, for at least 15 days, they will have to keep records for all users in bulk (making the system a massive surveillance tool); (b) even if the message is kept encrypted in the database or a hash of the content is generated to feed the database, for three months every message classified as “mass forwarding” will be indexed and linked to every user who forwarded it and who received it; and (c) the whole system oversimplifies the complexity of forward chains (which are not linear, as the legislator seems to take for granted) and disregards the issue of cross-platform posting.
What separates us? Intention!
The intentions behind the legislative actions are rightly viewed with suspicion given the political climate in India, currently veering towards authoritarianism. The Rules themselves were notified against the backlash of several civil society organizations and despite a lack of public consultations. In such an environment of right-wing hardlining, laws, including and especially those pertaining to the digital realm, are enforced to crush dissent and normalize mass surveillance. This is being conducted under the oft-used reasons of preventing crime through technological means and protecting citizens from national security threats. While these concerns have to be accounted for, the implementation of the interventions being introduced is far from protecting the rights of citizens. On the contrary, it weakens their privacy, digital security and expectations of the fundamental right to free speech.
While in India traceability comes from an attempt by the government, in Brazil traceability can be largely attributed to parliamentarians who are seeking alternatives to curb the threats posed to democratic institutions by organized disinformation campaigns (including campaigns allegedly organized by Bolsonaro’s entourage). Such a movement has been growing in the country amid several reports on the use of bots and coordinated inauthentic behavior on social media platforms, as well as the use of spam tools in messaging apps by politicians (most prominently by the Bolsonaro Campaign in the 2018 election and onwards). Beyond the elections, it has been said that such a strategy has now been entirely embedded in the Federal government’s modus operandi. To make things worse, the pandemic has transformed disinformation into a matter of life and death for Brazilians, which provided additional thrust to legislators (especially those in opposition to Bolsonaro) seeking urgent technical solutions to alleviate those matters. As one pundit once put it, the intentions of those parliamentarians are noble. Our concern here is precisely the fact that we should not judge the proposal solely on the basis of its intentions.
The road to hell is paved with good intentions…
The growth of online surveillance in the past few years (either by the State or the private sector) increased the awareness of the importance of encryption (especially the end-to-end model as a way to ensure, by default and design, that unauthorized third parties cannot access the flows and the content of our communications). Knowing that the Government can trace a message of yours sent through end-to-end encryption contradicts the spirit of that encryption and causes a chilling effect on speech whereby citizens proactively censor their communication. The evolving jurisprudence on the right to privacy in India, established by the Puttaswamy judgment, would be incomplete without acknowledging the right to end-to-end encryption. In the same direction, two Justices of the Brazilian Supreme Court – when presenting their votes in the WhatsApp cases (still pending before the Court) – recognized that the right to use E2EE stems from the constitutional right to privacy and that nothing authorizes the government to oblige app providers to install backdoors or weaken encryption in their products and services.
Many would argue that the Indian rule can be complied with by sharing metadata, which is far less severe than decrypting messages. However, a great deal can be pieced together from scraps of metadata, which can lead to the leaking of sensitive personal information. The collection and accumulation of metadata can be as dangerous as direct access to the content of private communications (because of the inferences that can be made from crossing different bits of metadata, even out of the original context).
In both countries, the idea of traceability back to the “first originator” involves setting up a database that comprises both user metadata and content data (or at least content metadata, i.e. hashes that refer to the original clear text message or the encrypted payload). From the user, it will be possible to reach messages. And from the messages, it will be possible to reach users. In practice, this arrangement allows mapping who speaks, with whom and when (and even what is spoken by those users) for more or less time. Moreover, “content confidentiality” is not to be confused with “interaction confidentiality”. The confidentiality of the very act of communicating with someone is vital (regardless of the content of the conversation): think of (a) someone who uses a police anonymous reporting channel or a government agency ombudsman; (b) the journalist who talks to a source; (c) the whistleblower (like Chelsea Manning or Snowden) who brings to light classified information; and (d) the police officer who operates undercover in the field and needs to communicate regularly with members of his team in the HQ.
Both in India and Brazil, traceability proposals oversimplify how complex and non-linear the spread of a message can be in a messaging app. Cross-platform and app posting, as well as the coordinated spread (mainly through automated tools) of the same message through hundreds or thousands of users in parallel, do not generate a linear chain of events. Instead, the spread resembles a graph, like a complex tree full of branches that grow and intersect in a confusing way.
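The Article 10 logging scheme and the hash-indexed database described above can be sketched as follows; this is an added illustration, not code from the Bill, the Rules or any messaging provider. The function names and sample traffic are hypothetical, the thresholds are the ones quoted above, and the one-thousand-recipient exemption is left out for brevity.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(days=15)   # Article 10: interval of up to 15 days
MIN_FORWARDERS = 6            # "more than five users"

def content_key(text: str) -> str:
    """Hash stored in place of the clear text (the 'content metadata' case)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def build_index(events):
    """events: (sender, text, timestamp). Every forward is logged up front,
    because nobody knows yet which message will cross the threshold."""
    by_msg, by_user = defaultdict(list), defaultdict(set)
    for sender, text, ts in events:
        key = content_key(text)
        by_msg[key].append((ts, sender))   # message -> users
        by_user[sender].add(key)           # user -> messages
    return by_msg, by_user

def mass_forwarded(by_msg):
    """Keys sent by more than five distinct users inside one 15-day window."""
    flagged = set()
    for key, rows in by_msg.items():
        rows = sorted(rows)
        for i, (start, _) in enumerate(rows):
            users = {u for ts, u in rows[i:] if ts - start <= WINDOW}
            if len(users) >= MIN_FORWARDERS:
                flagged.add(key)
                break
    return flagged

def first_originator(by_msg, key):
    """Earliest logged sender for one hash: what the log calls the originator."""
    return min(by_msg[key])[1]

# Constructed sample traffic (hypothetical users and texts, not real data).
T0 = datetime(2021, 6, 1, 9, 0)
VIRAL = "Polling stations close early tomorrow"
EVENTS = [(f"user{i}", VIRAL, T0 + timedelta(hours=i)) for i in range(1, 8)]
EVENTS.append(("carol", VIRAL + "!", T0))   # earlier send, one character differs
EVENTS += [(f"private{i}", f"family note {i}", T0) for i in range(20)]

BY_MSG, BY_USER = build_index(EVENTS)
FLAGGED = mass_forwarded(BY_MSG)
print("records logged:", sum(len(r) for r in BY_MSG.values()))
print("records in flagged chains:", sum(len(BY_MSG[k]) for k in FLAGGED))
print("named originator:", first_originator(BY_MSG, content_key(VIRAL)))
```

On this sample, 28 forwards are logged although only 7 belong to a chain that meets the threshold, and the log names user1 as originator while carol's earlier, one-character variant sits under a different hash.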
Proposals in both countries were entirely crafted bearing in mind the design of WhatsApp. Both countries seem to want the tool to be redesigned to serve their own individualistic public policy purposes. While it is safe to say that governments are entitled to intervene in the private sector in the pursuit of higher level public policy goals, one can argue that such intervention does more harm than good to the bulk of society. Traceability, as proposed, would systemically reduce the level of security and privacy of users across the board. Additionally, by crafting rules with such a narrow focus and specificity, aiming at one widely used off-the-shelf solution, India and Brazil seem to disregard the variety of tools available in the digital market. They also ignore the rapid pace of digital innovation – to a larger extent, the traceability proposals can even block innovation and conform innovation to pre-determined/approved models certified by governmental authorities. More importantly, suppressing secure communication tools from the general population does not solve the fact that criminals are always two steps ahead in developing new and customized tools for their own purposes.
Traceability in India and Brazil could contradict the principle of data minimization endorsed by Law and recognized by Supreme Courts in both countries. In reality, the “data maximization” being requested from messaging apps in our countries also leads to more complex application systems. This is a problem from a cybersecurity point of view. Systems with a larger attack surface are more susceptible to attack and more likely to be subject to security incidents (such as data leaks). This maximization of data collection also comes with an increase in the operational costs associated with service delivery, because from a functional, technical, and economic perspective, “more data is not always the rational choice”.
Our hope through this collaborative article has been to inculcate an understanding of how fundamental the nexus between encryption and privacy is globally, how crucial it is for everyone’s security regardless of which stakeholder you might be. Irrespective of which country it is, citizens across the world are united by a universal right for their digital communications to stay encrypted.