The Union government insists that it is acting with the best of intentions: to curb crime and keep women and children safe online. In fact, it is doing just the opposite. With its assault on end-to-end encryption, it is threatening the safety of people, including the most vulnerable.
NEW DELHI – At last month’s G7 summit, India joined 11 other signatories, from Canada to South Korea to the European Union, in issuing a joint statement affirming their “shared belief in open societies, democratic values, and multilateralism.” The statement touted signatories’ commitment to international rules and norms relating to, among other things, “freedom of expression, both online and offline,” and identified “politically motivated internet shutdowns” as a threat to freedom and democracy. By this definition, India can no longer be considered a model of democratic values.
The internet’s potential as a force for good is well known, not least to India’s citizens. During the devastating second wave of the COVID-19 pandemic, when public services failed, Indians used social-media platforms like Twitter and WhatsApp to crowdsource resources.
Indians also used such platforms to organise and mobilise support for protests against controversial agricultural reforms and the discriminatory Citizenship Amendment Act. But the ruling Bharatiya Janata Party deemed this unacceptable, and Prime Minister Narendra Modi’s government repeatedly suspended online access under the guise of “maintaining public safety.”
In fact, since the BJP came to power in 2014, it has shut down the internet 521 times. But, because shutdowns are a blunt instrument, the government is attempting to establish more consistent control over how the internet operates in the country, through the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
Enacted in February without adequate public consultation or parliamentary debate, the Rules grant the Indian government vast powers to suppress content online. This includes forcing tech platforms to remove posts or videos deemed libelous, hateful, deceptive, or in violation of the country’s sovereignty and integrity.
The rules also instruct social-media companies to appoint India-based executives, who could be held criminally liable for any violations. And perhaps most contentiously, messaging services are required to implement “traceability” for all messages sent via their services, thereby effectively breaking the end-to-end encryption that platforms like WhatsApp and Signal provide for their users.
Of course, India’s government insists that it is acting with the best of intentions: to curb crime and keep women and children safe online. In fact, it is doing just the opposite. With its assault on end-to-end encryption, it is threatening the safety of India’s people, including the most vulnerable.
Encryption is the strongest and most widely available mechanism for ensuring privacy and security for internet users. End-to-end encryption – which ensures that nobody other than the sender and recipient can decrypt and read a message – is the gold standard for safety online. When it is weakened or broken, the risks of criminal exploitation, unlawful surveillance, and abuse grow, threatening both personal and national security. The debate is simply not one between privacy and security. Instead, the government is sacrificing both.
Not surprisingly, the new rules have been roundly criticized. Twitter, whose India offices were raided by police in May after the platform labeled a government official’s tweets as “manipulated media,” described the rules as “dangerous overreach.”
WhatsApp, for its part, has filed a lawsuit against the Indian government, arguing that the traceability requirement is incompatible with end-to-end encryption. Because the company cannot predict which messages will be subject to a tracing order, the lawsuit notes, it will have to identify the originator of every message on its platform forever.
Ultimately, the rules are unconstitutional, the lawsuit asserts, because they infringe on privacy without passing the three-part test, established in a 2017 Supreme Court ruling, of legality, necessity, and proportionality. Other lawsuits challenging the traceability clause echo these arguments.
Tech companies are hardly alone in opposing the IT rules. Three United Nations special rapporteurs – on the promotion and protection of the right to freedom of opinion and expression, on the rights to freedom of peaceful assembly and association, and on the right to privacy – have urged India’s government to withdraw, review, or reconsider aspects of the rules. As written, the special rapporteurs argue, the rules are inconsistent with international human-rights norms enshrined in the International Covenant on Civil and Political Rights, a treaty India ratified in 1979.
The rapporteurs’ letter also points out that the rules’ ambiguous language leaves room for abuse. And experts have noted that, for all the risks the traceability requirement poses to security and privacy, it is not even likely to be effective.
As the world’s largest democracy, India is widely considered one of the world’s “digital deciders” in debates about cyber norms. But the Modi government’s decisions regarding the internet run directly counter to the statement it signed last month. India cannot have it both ways.
Neeti Biyani is Policy and Advocacy Manager at the Internet Society, a global non-profit organization working towards an open, globally connected, secure, and trustworthy Internet. The views expressed here are personal, and do not reflect the positions of the Internet Society or Clarion India.
© Project Syndicate, 2021