No encryption for little people: That's media ethics for you
Most of the commentary on India's new Internet policy has focused on the rules' effect in eroding the space for independent news media, OTT platforms, etc. These are important, but there is another aspect of this regulatory revolution, which is much more easily ignored and of equal importance, and that is encryption.
With a jolt, the Internet policy of the world's largest democracy has veered in an utterly undemocratic direction. The entry into force of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, has turned India into one of the most intrusively regulatory states in the so-called free world.
Understandably, most of the commentary on this extraordinary step has focused on the rules' effect in eroding the space for independent news media, to control what TV series you can watch on OTT platforms, and to the aggressive turn in the regulatory relationship with the US platform companies. These are all important, but there is another aspect of this regulatory revolution, which is much more easily ignored and of equal importance, and that is encryption.
The same one that was in issue when Deepika Padukone's WhatsApp messages were leaked or when WhatsApp filed a lawsuit against Israeli hacking tool developer NSO Group for helping Governments hack into the cellphones of at least 1,400 users between April 29 and May 10, 2019.
Just as the government completed the Content Monitoring System, thus gaining access in real-time to the phone calls and SMS messages of the entire Indian population, the implementation of open-source end-to-end encryption by WhatsApp restored strong secrecy to the general citizenry's reach. In the new rules lies concealed a chilling policy declaration: strong privacy is to be put beyond the reach of the common people, all of whose communications are to be seen by the governments of the future, all the time. For the rich and the few only, the technological possibilities of secure communication will be reserved. The rich can have an invitation-only privacy-respecting application without thinking about these burdensome rules.
The mechanism of this permanent discrimination is the new rules' declaration that "significant" messaging services - services with more than five million users - will be subject to new content regulations over secure communications. In this version, the rules require any messaging service to be able to identify the "originator" of suspect communications. There will be strong disagreement between supporters of regulation and the consensus of security experts and academic computer scientists over whether this regulation in itself breaks end-to-end encryption outright. It is at any rate clear that services like Signal, which are operated to maximise user trust are being told that the provision of high-security communications to ordinary people will occur at the will of the government. Signal provides a privacy respecting service by using the strongest and most transparently verifiable open-source end-to-end encryption, and unlike WhatsApp by not storing the "metadata" that documents who communicates with whom, when, and from where.
They will no doubt make a good-faith effort to comply with the government's rules, but whether immediately or only soon (based on their number of users), they will be subjected to the imposition of technical requirements precluding real privacy for the general society.
None of this will apply to the messaging services that aren't aimed at the mass market but are instead used by financial and other businesses with high communications security requirements. For the rich and powerful, these rules will have no significance, unless they are so careless or unlucky as to use "significant" mass-market services in daily life.
No democracy can deprive the majority of the people of their right to private communication without altogether discarding democratic principles. Just as India has become the world's leader in shutting down the mobile Internet services on which the daily lives of the masses now depend, this new aggressive pressure against encryption shows just how counter-democratic India's Internet policy has become. Whether you are a supporter or an opposer of the current government, one must appreciate that such instruments in the hands of all future governments of any type and outlook are too much to risk.
Ironically, by doing this, the new rules will spur a different counteracting technological development. Centralised systems for secure communication like Signal have great advantages in flexibility and technical resources. But they have the disadvantage of being large enough to be reached by systems of discriminatory regulation the government is proposing. But a family, a business, or a group of friends that wants to have secure private messaging (whether text or audio or video chat) can use very inexpensive hardware combined with software that is free for everyone to use, improve and share to make messaging systems of their own and attach them to the Internet anywhere. This can be fast and simple enough for any 12-year-old to learn how to set up and keep running.
People the world over have learned in the first two decades of the 21st century that if they lose their privacy they lose their freedom. They have learned also that there are plenty of alliances between companies that want their behavior data and governments that want to spy on their lives and control their choices. By trying to control encryption for the masses, the government is going to cause people to take further steps to protect their privacy in ways that are harder for government to invade even for legitimate reasons because there are no big companies to threaten without shutting down everything that the society requires to run. Increasing the tension between the state and its citizens over whether they are allowed to have secrets may undermine democracy, but it undermines overreaching government, too.
This article has been written by Eben Moglen and Mishi Choudhary.
(Eben Moglen is a professor of Law and Legal History at Columbia Law School. Mishi Choudhary is a technology lawyer and Legal Director at Software Freedom Law Center, New York.)
The opinions expressed in this article are the authors' own. They do not reflect the opinions or views of HT Tech or Hindustan Times.