IT Rules shy away from preserving encryption

Economic Times, March 22, 2021

By Pradeep S. Mehta

“Summing-up, it appears that the IT rules may harm consumer welfare emanating from instant messaging services on parameters of privacy, trust and usage, in case the continued use of encryption is not ensured. It is therefore important for the government and service providers to continue with End-to-End Encryption on communication services, as a privacy enhancing tool,” says Mehta.

Many of us use WhatsApp and as soon as one opens it, a reassuring message crops up that all messages are encrypted and even the provider cannot access your messages, thus asserting our right to privacy. Alas, this is under attack by the proposals that the government is wanting to bring in to regulate cyberspace. One hopes that this will not happen in view of the 2017 order of the apex court upholding the right to privacy as a fundamental right.

The attack likely comes through the much-awaited Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 (rules). These were recently notified by the government. Significant changes have been made in them from the draft amendments of 2018 and the previous version of 2011. These include: merging the digital media ethics code in the rules, providing for voluntary user verification, extending timelines for service providers for preserving data, among others. Rather than strengthening encryption to protect users’ chat privacy on instant messaging services, the proposal will dilute the same.

The recent surge in uptake of digital communication services (instant messengers) signifies that consumers are now putting their trust in such technologies. Notably, as shown by a recent pan-India survey of over 2,000 respondents, titled Understanding Consumers Perspective on Encryption, conducted by us at CUTS International, one of the important benefits perceived by users of instant messaging services is privacy of their chats.

Privacy of chats over instant messaging services is made possible through End-to-End Encryption (encryption) technology. Notably, encryption is intrinsic to most of the popular instant messengers such as WhatsApp, Telegram, iMessage, Signal etc.

However, the recently notified IT Rules require significant social media intermediaries (i.e., those having more than five million users in India) to enable identification of originators of certain kinds of undesirable messages. The rules also require them to deploy technology-based measures, including automated tools or other mechanisms, to proactively identify certain kinds of problematic information. This may prompt service providers to process more consumer data for compliance, which may require breaking or weakening encryption.

While the rules prescribe certain safeguards to ensure privacy of consumers’ chats, they shy away from specifically recognising the need for retaining encryption. Furthermore, the technologies being proposed by the government for compliance without breaking encryption remain untested, and it is believed that identification of originators and encryption may not be able to co-exist. This calls for creating a regulatory sandbox to test these technologies in a controlled environment, to check their efficacy with respect to the principle of privacy by design.

Our survey revealed that consumers fear unauthorised access to their chats by government agencies, service providers, advertisers, malicious actors like cyber-criminals etc. Such perceived fears towards unauthorised access were found to increase, especially with respect to advertisers and cyber-criminals, in case encryption was to be removed. This was found to likely result in reduced usage of communication services, i.e., consumers claimed they would reduce exchanging different kinds of information with different stakeholders (like family, friends, office colleagues etc.), in case encryption was removed.

Another issue with intermediaries collecting/processing more user personal data for compliance, is its contradiction to principles of data minimisation and data limitation, which have been prescribed in the Personal Data Protection Bill 2019 (PDPB). Given that the bill is presently pending with a Joint Parliamentary Committee, and the country lacks a dedicated personal data protection law, the rules risk leaving users vulnerable to privacy violation and lack of adequate personal data protection, without appropriate recourse in case of any grievances.

The objective of the provisions of the IT rules is to curb the spread of problematic information. However, the survey reveals that consumers’ exposure to problematic information is mostly (87%) through un-encrypted platforms like social media and search engines. This signifies that the relationship between encryption and curbing the spread of problematic information is not mutually exclusive, i.e., retaining encryption would not hamper the government’s valid objective of curbing problematic information. Also, the survey shows that consumers give equal importance to the two. Therefore, they may not be willing to trade one for another. This highlights the need for undertaking a Regulatory Impact Assessment in order to ensure that the regulatory costs in terms of privacy of chats, do not outweigh the intended benefits of curbing the spread of problematic information.

Summing-up, it appears that the IT rules may harm consumer welfare emanating from instant messaging services on parameters of privacy, trust and usage, in case the continued use of encryption is not ensured. It is therefore important for the government and service providers to continue with End-to-End Encryption on communication services, as a privacy enhancing tool.

The broad definition of intermediaries given under the rules may also be suitably amended, to differentiate between encrypted and unencrypted communication services. Furthermore, the government must enact the PDPB, at the earliest. There is also a need for adopting a constructive and collaborative approach in framing and implementing the IT rules, in which consumers are kept at the heart of data governance in India.

This news item can also be viewed at:

https://telecom.economictimes.indiatimes.com/