It’s disingenuous when the Indian government says that they want traceability but “not at the cost of encryption or privacy.”
Traceability is bound to be at the cost of privacy, even if it means getting meta-data. And, when it comes to Whatsapp, traceability is likely to be at the cost of end-to-end encryption, and invariably, the removal of end-to-end encryption means that it is at the cost of privacy. It’s almost as if this is a tactical PR move from the government: no one can deny that there are times when traceability is necessary, and the two clear cut cases here are terrorism and child pornography. At the same time, even though removal or dilution of encryption puts users at risk, saying that it’s the platforms problem to figure out how they provide traceability without breaking encryption means that the government doesn’t look as if it’s trying to risk harming privacy, even if that’s what its demand will end up doing.
What is traceability?
It’s worth noting that in its Intermediary Liability consultation, the government hasn’t defined what traceability is. The specific clause in the still draft amendment to the IT Rules is:
(5) When required by lawful order, the intermediary shall, within 72 hours of communication, provide such information or assistance as asked for by any government agency or assistance concerning security of the State or cyber security; or investigation or detection or prosecution or prevention of offence(s); protective or cyber security and matters connected with or incidental thereto. Any such request can be made in writing or through electronic means stating clearly the purpose of seeking such information or any such assistance. The intermediary shall enable tracing out of such originator of information on its platform as may be required by government agencies who are legally authorised.
So what is traceability? “Such information or assistance” is vague enough for it to mean whatever security agencies want, which means that the vague phrasing lends itself to actions which are not proportionate. But is it:
- The mobile number linked to a message?
- The name of the person who sent/received a message?
- Every person who received a particular message?
- Every person who sent a particular message?
- Content of every message sent by an individual
- Content of every message received by an individual
- Their GPS location?
Remember that disproportionate traceability already exists in case of the Centralised Monitoring System (a great read on it here), and our calls and messages can be monitored en masse. Surveillance of everyone is neither necessary nor proportionate.
If you remove end-to-end encryption, it puts everyone at risk. If you give the decryption keys to the government – i.e. give them a “backdoor”, it opens the door for someone else to exploit it as well. Encryption ensures privacy and privacy ensures trust. If our communications are constantly under the threat of being monitored, it has a chilling effect on private communications and forces us to self-censor. Lack of privacy makes us vulnerable. Why is there a need to be able to see every message, from every user, all the time?
We need a better approach: start with surveillance reform
What the government of India is doing here is trying to address and immediate need of getting access to information, without bringing in accountability. India’s draft data privacy law exempts the government from data protection requirements. India’s amendment to intermediary liability protections wants proactive monitoring of content, and traceability of users without a structured and meaningful conversation on what this disproportionate act of enabling surveillance means for citizens and rights, without bringing in necessary surveillance reform. The TRAI’s OTT consultation also goes into regulation of the Internet on the basis of security concerns, without looking at protection for citizens.
What we need here is for legitimate requests from the government to be processed on an urgent basis, and for metadata, as Tim Berners-Lee pointed out to me, to be made available for governments when needed, but we also need a more structured definition of what a legitimate request is. Who monitors our security agencies and ensures that their requests and their access to data is lawful (in case of the Telangana allegations, the access seems to have been political)? They’re not answerable to Parliament, so who holds them to account?
Current processes are focused on enabling, and increasing the reach and scope of surveillance, without bringing in accountability. It’s about time that the government of India started a process for surveillance reform.
