New IT Rules Leave Little Room for Privacy, Free Speech in an Increasingly Surveilled Digital Space
The vague guidelines will lead to unnecessary and excessive restrictions on legal speech.
In February, the central government asked Twitter to remove 1,178 accounts linked to the ongoing farmers’ protests. When Twitter refused to comply with the order fully, its top executives in the country faced the possibility of arrest. This was followed by the Minister for Electronics & Information Technology, Mr. Ravi Shankar Prasad, specifically mentioning Twitter, Facebook, LinkedIn, and WhatsApp during a speech in the Indian Parliament and noting that while these companies were welcome to operate in India, they would have to abide by the laws of the country. A few days later, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, were notified.
These guidelines aim to regulate not only intermediaries — such as Facebook and Twitter — but also over-the-top (OTT) platforms like Netflix, Amazon Prime, and online news media platforms such as The Caravan and The Wire. They carried another controversial provision, which allowed them to identify the ‘originator’ of any information thought to violate the rules on platforms such as WhatsApp, Signal, and Telegram.
This traceability requirement comes in addition to a 2009 Ministry of Home Affairs notification, which states that the IT Rules, 2009, may require decryption of any message transmitted through these platforms. That is, in addition to tracing the originator of the information, the government can also access the contents of the messages themselves. Since the purposes (as listed below) are quite vague and open to interpretation, this will lead to unnecessary and excessive curbs on legal speech. In particular, such overbroad categories could be used to target journalists, activists, and other individuals who may express sentiments that the government deems as problematic.
Related on The Swaddle:
The 2021 rules, under sub-rule (2) of Rule 4, make it mandatory for a “significant social media intermediary” providing messaging services — such as WhatsApp, Signal, Telegram — to enable the identification of the originator of the information. A significant social media intermediary under the rules is any social media intermediary with over 50 lakh registered users. Such identification can be required for the “purposes of prevention, detection, investigation, prosecution or punishment of an offense related to the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, or of incitement to an offense relating to the above or in relation with rape, sexually explicit material or child sexual abuse material .…”
Currently, such identificationof originators is impossible due to the practice of end-to-end encryption. End-to-end encryption essentially safeguards that messages in transit are scrambled in such a manner that only the people on the sending and receiving end have access to it. No one else who may be monitoring the network through which the message is transmitted — such as hackers, the government, or even the platform itself — can access the message.
Now, since the 2021 rules require traceability, end-to-end encryption will be compromised. It begs the question: what happens when end-to-end encryption is broken?
End-to-end encryption has been lauded by privacy experts and technologists around the world for protecting the privacy and security of people online. It has also proved to be a constant source of consternation for law enforcement agencies, which feel it provides excessive protection to criminals, including pedophiles, human traffickers, and terrorists.
However, without protections such as end-to-end encryption in place, citizens’ privacy stands compromised. Further, users become more vulnerable to threats such as spoofing, i.e. being misidentified or framed as the originator of an illegal message. This could happen because bad actors (e.g. hackers) can now exploit the technical vulnerabilities of the messaging platform to maliciously implicate innocent people.
Related on The Swaddle:
It remains to be seen whether these messaging platforms will cave to the government and enable identification of the content originator or stick to their stance of protecting privacy through end-to-end encryption. WhatsApp, for one, has said it “will not bend” on this issue.
Should they bend, though, the effect of these new rules on user privacy will be humongous. A person sending a message to another person has a reasonable expectation of privacy, and these rules are a violation of people’s fundamental right to it. A traceability requirement will essentially be a death sentence to free speech in the country. People will think twice before sending any message that may be wrongly perceived as violating one of the purposes in Rule 4(2). Self-censorship would become the norm, with people being worried about their personal messages being accessed and being taken out of context.
The right to privacy is fundamental because it enables people to exist and hold opinions without the worry of persecution. This is especially important in the context of communities and groups that have been historically repressed and who need security to browse, read, develop and share ideas and opinions, and fully exercise their right to freedom of speech and expression without being intimidated. These repressed groups could include religious minorities as well people who face harassment for their sexual orientation or gender identity.
These tireless attacks on privacy and free speech in the country have not gone unnoticed internationally. According to an Access Now report on internet shutdowns, India leads the world in the number of internet shutdowns imposed in 2020, with India accounting for 109 of the total 155 internet shutdowns globally. In a report published by the U.S. government-funded non-governmental organization Freedom House, India lost its status as a free country and is now categorized as “partly free.” The report makes its determination based on the condition of political rights and civil liberties in the country, which, according to the report, “have deteriorated since Narendra Modi became prime minister in 2014” and “(t)he decline only accelerated after Modi’s reelection in 2019.”
While Indian politicians have been quick to dismiss the report, curbs on free speech and parallel IT threats to privacy are shaping a reality based on these numbers and scores. The operation is swift but pernicious and carries the potential to change — even corrupt — our ideological discourse.
Anushka Jain works as the Associate Counsel (Transparency & Right to Information) at the Internet Freedom Foundation, an Indian digital liberties organization. Her work focuses on issues of privacy and surveillance surrounding disruptive technologies like facial recognition, artificial intelligence, and machine learning, as well as the need to ensure transparency and accountability from the government on its use of these technologies.