Date: 2021-03-04

A member of the All India Student Federation teaches farmers about social media and how to use these tools in the ongoing protests against the government. (Pradeep Gaur / SOPA Images / Sipa via Reuters Connect)

The Indian Ministry of Information Technology recently finalized a set of rules that the government says will make online service providers more responsible for the bad behavior of their users. Failure to comply may expose a provider to legal liability from which it is otherwise immune. Despite the seemingly lofty aim of making providers police their services better, in reality the changes pose a serious threat to Indian data security and reflect the Indian government's increasingly authoritarian approach to governing the Internet.

Prime Minister Narendra Modi's government has taken a clearly illiberal approach to online discourse in recent years. When the Ministry of Information Technology released its original draft of the rules more than two years ago, civil society groups criticized the proposal as a serious threat to freedom of expression and privacy rights. In the years that followed, threats to freedom of expression only increased. To quell dissent, the Modi government has cut off the internet in several regions. In the face of widespread protests by the country's farmers against his government, Modi has stepped up his attacks on the press and pressured Twitter into taking down hundreds of accounts critical of the government's protest response. The new rules represent the latest tightening of state control over online content, and as other backsliding democracies consider greater restrictions on online speech, the Modi government is providing a troubling model of how to do it.

Beyond chilling digital rights, the new rules threaten to undermine the computer security systems that Indian internet users rely on daily, in order to grant the state increased power to control online content. The new rules require messaging services to be able to determine the origin of content and require online platforms to develop automated tools to remove certain content deemed illegal. Taken together, the new rules threaten freedom of expression and the privacy and security of Indian internet users.

The relevant provisions apply to "significant social media intermediaries" (which I will call SSMIs for short). "Significant" means that the provider has reached a yet-to-be-defined number of registered Indian users. "Social media intermediary" broadly encompasses many types of services oriented around user-generated content. A government press release calls out WhatsApp, YouTube, Facebook, Instagram, and Twitter in particular, but services as diverse as LinkedIn, Twitch, Medium, TikTok, and Reddit also fall within the definition.

Two provisions are of particular concern. Section 4(2) of the new rules requires SSMIs that are primarily messaging providers to be able to identify the original creator of content on the platform. Section 4(4) requires any SSMI (not limited to messaging) to endeavor to deploy technology-based measures, including automated tools or other mechanisms, to proactively identify two categories of content: child sexual abuse material and content identical to anything removed before. I will call these the traceability and filtering provisions.

These provisions endanger the security of Indian Internet users because they are incompatible with end-to-end encryption. End-to-end encryption, or E2EE, is a data security measure that protects information by encoding it into an unreadable scramble that no one other than the sender and the intended recipient can decode. This way, the encrypted data remains private and outsiders cannot modify it en route to the recipient. These characteristics, confidentiality and integrity, are the essential foundations of data security.

Even the provider of an E2EE service cannot decrypt the encrypted information. This is why E2EE is incompatible with tracing and filtering content. Tracing the origin of information requires the ability to identify each instance in which a user has submitted a given piece of information, which an intermediary cannot do if it cannot decode the encrypted information. The same problem applies to automatically filtering a service for certain content.

Simply put, SSMIs cannot provide end-to-end encryption and still comply with both provisions. That is by design. Speaking anonymously to the Economic Times, a government official said the new rules will force large online platforms to monitor what the government considers illegal content: under the new rules, platforms like WhatsApp cannot give end-to-end encryption as an excuse not to remove this content, the official said.

The rules confront SSMIs with a Hobson's choice: either weaken their data security practices, or open themselves up to costly legal disputes as the price of strong security. It is an untenable dilemma. Intermediaries should not be penalized for choosing to protect user data. Indeed, the existing rules already oblige intermediaries to take reasonable measures to secure user data. If SSMIs weaken their encryption to comply with the new traceability and filtering provisions, will that violate the reasonable data security provision? This tension creates another dilemma for intermediaries.

The new rules make a conflicting demand: secure Indian data, but not too well. A nation of 1.3 billion people cannot afford half measures. National, economic and personal security have become inseparable from data security. Strong encryption is essential to protecting data, whether it is military communications, proprietary business information, medical information, or private conversations between loved ones. Good data security is even more vital now that the COVID-19 pandemic has moved much of daily life online. Without adequate safeguards, sensitive information is ripe for privacy breaches, theft, espionage and hacking.

Weakening the data security of intermediaries is a gift to those who seek to harm India and its people. Citing national security and privacy concerns, Indian authorities moved to restrict the presence of Chinese applications in India, but these new rules risk exposing Internet users in the country. The rules affect all of an intermediary's users, not just those who use the platform for criminal acts. More than 400 million Indians currently use WhatsApp, and Signal hopes to add 100-200 million Indian users in the next two years. Most of those half billion people are not criminals. If intermediaries ditch E2EE to comply with the new rules, it mainly puts the privacy and security of law-abiding people at risk, in return for making it easier for the police to monitor the small criminal minority.

Such surveillance may prove less effective than the Indian government expects. If popular apps stop offering E2EE, many criminals will abandon these apps and move to the dark web, where they are harder to find. Some may create their own encrypted applications, as Al-Qaeda did as far back as 2007. In short, the new Indian rules can lead to a perverse result in which outlaws have better security than the law-abiding people they target.

Meanwhile, weakening encryption isn't the only way for police to gather evidence. We live in a golden age of surveillance in which our activities, movements and communications generate a wealth of digital information about us. Many sources of digital evidence, such as communication metadata, cloud backups, and email, are typically not end-to-end encrypted. This means that they are available from the service provider in a readable form. If the Indian police have difficulty acquiring such data (for example, because the data and the company are located outside India), it is not due to encryption, and adopting rules that limit encryption will do nothing to improve the problem.

When intermediaries use end-to-end encryption, it means enhanced security for communities, businesses, government, the military, institutions and individuals, which contributes to the security of the nation. But the new traceability and filtering requirements could end end-to-end encryption in India. The revised intermediary rules put the security of the whole country at risk. Amid a global decline in Internet freedom, the proposal may provide an example for other would-be authoritarians to follow.

Riana Pfefferkorn is a researcher at the Stanford Internet Observatory.