The Encryption Observatory (ObCrypto) interviewed the Indian organization The Dialogue to understand the nuances of the new rules that force messaging application providers to deploy ways to permit the traceability of messages, under risks of liability. Questions about the local political and social landscape were addressed, the demands of law enforcement forces, as well as the technical feasibility of the measure given the risks to cybersecurity and to the ecosystem of rights currently dependent on strong encryption. The interview was given by Kazim Rizvi, public policy entrepreneur and founder of The Dialogue.
Question: We would like to understand the legal shift in the regulatory scenario in India concerning encryption. For example, before the modifications in the “Intermediary Guidelines” Rules, how was encryption regulated (if it was)? And after the new rules, what has changed to intermediaries in terms of obligations and liability?
Answare: Lawful interception has been part of policies dating back to 1998, specifically within the Indian Telegraph Act, 1885. Section 5 of the Telegraph Act and Rule 419A of the Indian Telegraph Rules, 1951 empowered the government to lawfully intercept and monitor communication. The validity of Section 5 of the Act was challenged before the Supreme Court in the case of PUCL v. Union of India [(1997) 1 SCC 301]. The Court refused to strike down the Section, instead listed guidelines to be followed to check arbitrariness in interception orders. Additionally, Section 84A of the Information Technology Act, 2000, was introduced through an amendment in 2008. It allowed the government to prescribe modes and methods for encryption to ensure secure use of the electronic medium and promote e-governance and e-commerce. Following a more prescriptive mandate of regulation, Section 69 of the IT Act, 2000, allowed the Central and State governments to monitor and collect information through any computer resource for cybersecurity. Rule 9 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules 2009, provided that an order for decryption could relate to any information sent to or from a ‘person or class of persons’ or relate to ‘any subject matter’.
It was in this atmosphere that the National Encryption Policy was formulated in 2015. However, it didn’t manifest to a statutory law because of the criticism it received. Critics opined that it was more of a ‘decryption’ policy, because it only allowed platforms to function if they complied with the mandatory regulatory mechanism. The policy was said to simply secure government access to encrypted data, rather than securing user data. The Draft Intermediary Guidelines of 2018 which were expected to have a significant impact on encryption policies owing to the traceability mandate, had also received comments from all concerned stakeholders pertaining to the onerous traceability requirement introduced. More recently, this argument was expanded to include the threat to public order due to proliferation of fake news on encrypted platforms, which at times would lead to lynchings and the challenges pertaining to CSAM on the internet.
The notification of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, jolted the Indian encryption ecosystem. Rule 4(2) of the IT Rules, 2021 mandated originator traceability for all Significant Social Media Intermediaries (SSMIs) providing messaging services. Non-compliance with the originator traceability mandate would lead to automatic withdrawal of the Safe Harbour Protection conferred by Section 79 of the IT Act. This entails, if the SSMIs providing messaging services are unable to implement the traceability mandate, they would lose their immunity for protection against any illegality committed by third parties on their platform. While on one hand we have solutions offered by Prof. Kamakoti and the proposal for Alphanumeric Hashing to introduce traceability, on the other hand we have experts and organisations explaining the legal technical and policy challenges associated with implementing the same. While the Kamakoti solutions relied on the key escrow model which has been rejected years ago, alphanumeric hashing will equip the platform with the ability to surveil the user which is against the fundamental idea behind end-to-end encryption, i.e., no third party – be it the platform or the State – should have access to the transaction between the sender and receiver(s).
Q: Could it be highlighted the main reasons for the Indian government to propose the new rules? What is the political context and government’s narrative behind it? Does it proceed, in The Dialogue’s opinion?
A: The State has a legitimate interest in accessing data for law enforcement, as well identifying what caused a criminal or an illegal act. With a bulk of communications taking place on encrypted devices, it is natural that the state would want to understand the trail of a crime. Moreover, any child pornographic material being shared on such devices is a legitimate cause of concern. It would not be prudent to assume that national security demands do not exist or must not be met, moreover, in India privacy is also not an absolute right.
bothThe underlying intention to seek traceability is to tackle fake news and proliferation of child sexual abuse material on encrypted platforms.
This said, one must assess the necessity and proportionality of the means to achieve this end. For the state, the problem comes when it is unable to access complete information about a criminal investigation. The argument is that they need to see the chats of suspects, or understand who shared the chats first. However, with cutting edge meta data analytics and forensic technology, we understand that law enforcement agencies can actually achieve a lot without having to access chats and can actually solve investigations through strong meta data analytics techniques. It is equally important to harness meta data for assistance in criminal investigations while the platforms must assist the state in building their meta data analysis capabilities. All the key stakeholders including the academia, industry, big tech and the State must work towards finding privacy respecting solutions which do not weaken encryption.
One cannot risk the security of 99% of the citizens to catch the 1%. Moreover, the tech savvy criminals will simply shift to unregulated encrypted platforms and continue with their nefarious activities.
If a vulnerability or backdoor is created on a popular encrypted platform for law enforcement agencies to track perpetrators with, then tech-savvy criminals will simply shift to another platform, possibly one of their own, which is securely encrypted. Such interventions enable better privacy protection for the criminals, who shift to unregulated encrypted platforms. On the other hand, law-abiding citizens end up subjected to enhanced surveillance, in stark violation of their right to privacy. Once the criminals shift to other platforms, the police will even lose the meta data that regulated platforms shared with them to assist in criminal investigations.
Moreover end-to-end encrypted Apps are by their nature data-light. Collecting more data than what is required for quality services is in violation of the data minimisation principle envisaged in the Personal Data Protection bill, 2019. The Bill also envisages use of encryption to better secure user data.
The State might end up opening a Pandora’s box by weakening encryption, creating multiple unintended challenges in a tryst to solve one.
Q: In The Dialogue’s opinion, how do the technical provisions that will be necessary to comply with the rules affect information security for the chain of interconnectivity between users and services? Furthermore, will it be possible to maintain a reasonable expectation of privacy and freedom of expression in message apps, for example?
A: Alphanumeric hashes are, in simple terms, a signature of sorts explaining who sent a message to whom and may also carry additional information like the date and time of the message and the location data. The solution proposed is old and was put forth in the Indian context by Dr. Kamakoti before the Madras High Court. At that point too, the solution was widely criticised because it is a regressive solution that takes the technology decades back to the early 2000’s and is proposed without understanding the very nature of the end-to-end encryption protocol used by Signal and WhatsApp.
In order to ensure perfect privacy, the Signal protocol entrenches the principle of ‘cryptographic deniability’. This entails that B will be 100% sure that it is in fact A who has sent him a message but can never prove it to anyone. A can always deny saying anything to B in this perfect privacy enabling ecosystem.
It is for these reasons that the Telecom Regulatory Authority of India after years of consultation and review of international best practices, in its recommendation to the Department of Telecommunications, opined that the security architecture of end to end encrypted platforms should not be tinkered with as it may render the privacy, safety, and security of the users susceptible to attacks by hostile actors.
In nutshell, alphanumeric hashes aim at defeating end-to-end encryption. It is pertinent to note here that encryption is currently recommended as a key privacy by design and default component in EU, USA and several other jurisdictions. Indian personal data protection bill also recommends using encryption for safeguarding privacy.
Q: Just a few weeks ago, WhatsApp went to court in order to sue the Indian Government because the new rules will affect end-to-end encryption protocols in its service. Can you comment on it? And how are the local developers and services responding to the rules? Will the changes affect, for instance, the innovation potential for new technologies in India?
A: WhatsApp in its petition to the Delhi High Court argues that Rule 4(2) of the IT RUles violates Article 14, 19 and 21, i.e. right to equality, free speech and privacy. Many stakeholders also opine that the Ministry of Electronics and Information Technology has exceeded its mandate, where the IT Rules do not empower them to enforce a traceability mandate.
Rule 4(2) only impacts Significant Social Media Intermediaries providing messaging services. A platform needs to have 50 Lakh users to be deemed as significant. So it does not impact small players directly, but many have come up strongly against it given its human rights and business implications rendering the products and services weak in terms of cybersecurity and thus unacceptable in the global market.
Q: And for all the sectors that are opposing the new regulation, including civil society organizations, are there opportunities to reverse it? How do you see the risks of ripple effects of the new rules towards other regions of the world?
A: While the Rules are already in place, they do not prescribe the technical means for implementing the traceability mandate. We hope that the Ministry will consult with technical experts to discuss implementable solutions as the hashing proposal may lead to more challenges than it seeks to resolve.
If Rule 4(2) of the IT Rules 2021 is implemented then significant social media intermediaries providing messaging services will have to store the hash values of each message sent on their platform. This domestic Indian law, which has severe implications on fundamental right to free speech and privacy, will impact the global regime as hash values of messages exchanged between users in India and any other foreign country like England will also have to be stored. This will lead to infarction of international human rights obligations.
