To Regulate Content, India Takes An Axe To Consumer Privacy

While all attention was on the social media circus that played out before US Congress throughout the latter part of 2018, another meeting – one of potentially greater significance – took place between the tech giants and members of the Indian government.

Held behind closed doors in December, representatives of Google, Facebook, Amazon, Twitter, and others were called before the Ministry of Electronics and Information Technology (MeitY) to receive new rules on how to govern their platforms in the south Asian nation.

The proposed amendments to India’s Information Technology (IT) Act, first enacted in 2000, reflect the longstanding position held by governments that increased state control over tech will help stem the tide of illicit activity, said to be amplified by the interconnectivity of social media.

In India’s case, the regulatory focus has been placed on the prevalence of social media and messaging services, such as WhatsApp, which is used each month by 200 million people throughout the country.

“A number of lynching incidents were reported in 2018 mostly alleged to be because of fake news/rumors being circulated through WhatsApp and other social media sites,” said the MeitY in a statement that was published alongside the draft reforms on December 24.

Combing through the proposed amendments to the IT Act, it’s clear that Indian policymakers are looking to increase their leverage over communication apps and the data they hold:

When required by lawful order, the intermediary [social media platform] shall, within 72 hours of communication, provide such information or assistance as asked for by any government agency or assistance concerning the security of the State or cybersecurity; or investigation or detection or prosecution or prevention of offense (s).

Together with this proposal comes another, more familiar, government mandate, which has instinctively raised alarm bells with Apar Gupta, a lawyer and executive director of the Internet Freedom Foundation, an India-based non-profit.

“The argument that has been made is that this [IT Act] requires WhatsApp end-to-end encryption to be broken because even the metadata that is shared by WhatsApp is insufficient for law enforcement,” Gupta told The Daily Swig.

“But this is a problem that goes much beyond WhatsApp, much beyond Twitter, much beyond Facebook.”

When is a backdoor not a backdoor?

Days before its meeting with the tech giants, the Ministry of Home Affairs issued 10 government agencies with extended powers to intercept, monitor, and decrypt “any information transmitted through any computer resource”, under revisions to the same IT Act.

The changes stated would require service providers, from messaging apps to telecoms, to provide law enforcement and the security agencies with access to requested messages, regardless of whether the platform currently stores the desired content.

WhatsApp, for instance, may retain the date, time stamp, and mobile numbers of two people in conversation, but what’s said in that conversation remains private.

How WhatsApp, or indeed any secure messaging app, is meant to provide authorities with these messages when requested has yet to be specified within the IT Act, but failure to comply is punishable by a prison sentence of up to seven years and a potential fine of an undisclosed amount.

“It will require product side changes in which there will be a requirement for the service provider, such as ProtonMail or WhatsApp, to introduce a requirement of traceability to the message by itself and likely retain the data on its server with respect to the message,” said Gupta.

“So if the private key is stored on the device side, and not with the service provider, it would arguably undermine end-to-end encryption, or could just mean the end of it.”

The war on encryption

India, considered to be the largest digital growth market, rivaled only by that of China, has declared war against encryption before. Privacy advocates breathed a sigh of relief in 2016 when the Supreme Court dismissed a petition to ban secure messaging apps altogether.

While India’s civil liberty advocates have made strides against the country’s surveillance regime, most notably in 2017 with the Supreme Court’s ruling of privacy as a fundamental right, a lack of encryption standards and regulation over breached data has yet to be seen.

This is paired with India’s infamous Aadhaar biometric database, which had nearly one billion records compromised in the first half of 2018, and an ongoing government monitoring mission creep, particularly within the IT Act in the aftermath of the 2008 Mumbai terror attacks.

“India’s surveillance system is a black hole,” Mishi Choudhary, legal director at the Software Freedom Law Center, told The Daily Swig.

“There’s just no discussion, nobody knows exactly how much money is being spent on its functionalities. In terms of laws, [the] government has every possible power it can give itself, and in the absence of any parliamentary or judicial oversight, the citizens can only make noise but really not do much.”

According to Choudhary, somewhere around 7,000 to 9,000 phone tapping orders were made by the central government in 2014 alone, and transparency over such practices continues to be barely existent.

This, she said, is just one example of how abuse of power is likely with the government’s latest rules.

“I do not understand how the cops and government think that the market can behave differently from the good guys to the bad guys,” said added. “So break encryption only for us, and not for the others.”

Further questions over what these changes will mean for India’s massive outsourcing industry, a hub for software development and tech talent, currently in decline, remains uncertain.

Thom Langford, an industry commentator, thinks, at least for now, it’s all just business as usual.

“For India, 2019 is an election year so there is almost a sense of resignation that these kinds of official statements are made by the government during a time when the worlds largest democracy is due to hit the polls,” he told The Daily Swig.

“It is a cynical view, but one that rings true; there is little industry commentary on this, and at the moment not seen as anything to be overly concerned about by companies doing business in India.”

For rights activists on the ground, it’s another story.

“These platforms do need a certain form of regulation, oversight and accountability,” said Gupta.

“But to undermine privacy itself is not something which is beneficial.”

The Indian government is accepting comments on the IT Act amendments until January 15, followed by a counter-comment period stretching to January 28. There will be no discussion in parliament.―Port Swigger