Proposed new laws in India could undermine encryption around the world and lead to “automated censorship” and “increased surveillance”, privacy advocates have warned.
India’s Ministry of Electronics and Information Technology is expected to reveal the new rules this month after first proposing them last year.
The new laws would force tech companies to be able to identify the users behind a post, and would shift the onus onto the platforms to do their own investigating, rather than law enforcement, Bloomberg reported.
The rules would impact services like WhatsApp, owned by Facebook, which utilises end-to-end encryption to protect the privacy of messages.
Under the current setup, Facebook itself cannot even read the messages, which can only be seen by the sender and the recipient.
The proposed laws in India would require these companies to make any post on their platforms “traceable” to its origin, essentially forcing them to insert “backdoors” into the encryption to identify the user behind it, and then pass this onto law enforcement in the country.
The draft provisions required companies including YouTube, TikTok, Facebook and WhatsApp to assist the government with tracing a post within 72 hours of receiving a request. The tech firms would also have to keep their records for at least 180 days to assist with investigations, set up a physical presence in India and appoint a grievance officer to work on user complaints, along with a government liaison.
The rules would apply to any service with more than 5 million users, but it is currently unclear whether they will be able to be used to identify users outside of India.
A range of industry groups and privacy experts have argued that the laws would be a serious violation of privacy and freedom of speech, and would threaten encryption worldwide.
The Internet and Mobile Association of India, with members including Facebook, Amazon and Google, said the law would be a “violation of the right to privacy recognised by the Supreme Court”.
An open letter signed by top executives from Mozilla, GitHub and Cloudflare said that the rules would lead to “automated censorship” and “increased surveillance”, and they would basically order tech companies to spy on their users.
The Indian government has said these companies would be exempt from the rules and that they will only apply to messaging services.
In an open letter to Indian IT minister Ravi Shanker Prasad, a coalition of 27 security and cryptography experts said the proposed laws would weaken online security and prevent the use of strong end-to-end encryption.
“By tying intermediaries’ protection from liability to their ability to monitor communications being sent across their platforms or systems, the amendments would limit the use of end-to-end encryption and encourage others to weaken existing security measures,” the letter said.
“This means that services using end-to-end encryption cannot provide the level of monitoring required in the proposed amendments.
“Whether it’s through putting a backdoor in an encryption protocol, storing cryptographic keys in escrow, adding silent users to group messages, or some other method, there is no way to create ‘exceptional access’ for some without weakening the security of the system for all.”
A similar debate around encryption has been raging in Australia across the last two years, with the Coalition passing legislation giving law enforcement new powers to compel tech companies to provide access to encrypted communications.
Privacy and digital rights experts argued that these laws would force tech companies to insert “backdoors” into their encryption infrastructure, undermining the integrity of online security for all.
Some of the biggest tech companies in the world have also been in ongoing fights with law enforcement over the use of encryption.
Recently, US President Donald Trump slammed Apple for refusing to provide access to the iPhone used by the Pensacola shooter.
Apple has continually publicly refused to insert a way for law enforcement to access its devices unencrypted, with the issue coming to prominence in 2016 when Apple opposed a court order telling it to do so.
But behind the scenes Apple appears to have been more willing to assist authorities, with reports earlier this year that the tech giant had ditched plans to allow iPhone users to fully encrypt their device backups on iCloud services in order to appease an FBI request.
