Concerns with Amendments to India’s Information Technology (Intermediaries Guidelines) Rules under the Information Technology Act
9 January 2020
Shri Ravi Shankar Prasad
Minister of Electronics and Information Technology
Government of India
Honorable Minister Prasad,
The undersigned international security experts write to you to express concern around the effects of the proposed amendments to the Information Technology (Intermediaries Guidelines) Rules under the Information Technology Act.[1] While the proposed amendments create numerous concerns, many of which are raised in the public comments,[2] this letter focuses on the impact of content filtering requirements on encryption and digital security. In pursuing the goal of curbing online misinformation and illegal content through content filtering requirements, the proposed amendments would put the security of the Internet and its users, and the future of a digital India at greater risk.
Encryption technologies protect people online and secure the economy by protecting the integrity and confidentiality of data and communications. Encryption secures web browsing, online banking, and critical public services like e-government services, electricity, hospitals and transportation. In India alone, over 400 million people rely on end-to-end encrypted messaging services to protect their communications with loved ones, engage in business, and more.[3] End-to-end encryption provides the strongest level of security and trust because ideally only the intended recipient holds the key to decrypt the message. As the Intermediaries Guidelines highlights, intermediaries should “take all reasonable measures to secure [their] computer resources and information contained therein.”
However, by tying intermediaries’ protection from liability to their ability to monitor communications being sent across their platforms or systems, the amendments would limit the use of end-to-end encryption and encourage others to weaken existing security measures.[4] With end-to-end encryption, there is no way for the service provider to access its users’ decrypted content. This means that services using end-to-end encryption cannot provide the level of monitoring required in the proposed amendments. Whether it’s through putting a “backdoor” in an encryption protocol,[5] storing cryptographic keys in escrow, adding silent users to group messages,[6] or some other method, there is no way to create “exceptional access” for some without weakening the security of the system for all.[7]
India has the potential to be a world leader in the global digital economy, but only if consumers trust the products and services provided by its companies. In a global market, trust can make or break a decision to go with an Indian product or service, rather than a well-established competitor from North America or Europe. With the ability to monitor user content tied to intermediaries’ protection from liability, companies in India may feel compelled to weaken strong encryption on their services or fail to implement the technology at all. When the security of a company’s services and products are put into question, the trust needed to compete globally is put into doubt.
The content monitoring requirements in the proposed amendments would have grave unintended consequences on the security of the Internet, the Indian economy and Internet users. We ask the Ministry of Electronics and Information Technology to reconsider these requirements as they prepare to publish the revised version of the proposed amendments to the Information Technology (Intermediaries Guidelines) Rules, and to protect India’s Internet economy and users, by supporting the use of end-to-end encryption.
Sincerely,
Ben Adida, Executive Director, VotingWorks
L. Jean Camp, Professor, Indiana University
Stephen Checkoway, Assistant Professor, Oberlin College Department of Computer Science
Raman Jit Singh Chima, Senior International Counsel and Asia Pacific Policy Director, Access Now
Roger Dingledine, Research Director, The Tor Project
Zakir Durumeric, Assistant Professor, Stanford University
Dr. Stephen Farrell, Trinity College Dublin
J. Alex Halderman, Professor, University of Michigan
Joseph Lorenzo Hall, PhD., Senior Vice President for a Strong Internet, Internet Society
Matthew Holt, Software Engineer, Caddy Web Server
Max Hunter, Engineering Director, Encrypting the Internet, Electronic Frontier Foundation (EFF)
J. C. Jones, Cryptographic Engineering Lead, Mozilla
Joseph Kiniry, Principal Scientist, Galois
Sascha Meinrath, Director, X-Lab; Palmer Chair in Telecommunications, Penn State University
Nat Meysenburg, Technologist, New America’s Open Technology Institute
Prashanth Mundkur, Computer Scientist, SRI International
Peter G. Neumann, Chief Scientist, SRI International Computer Science Lab
Riana Pfefferkorn, Associate Director of Surveillance and Cybersecurity, Stanford Center for Internet and Society
Hannah Quay-de la Vallee, Senior Technologist, Center for Democracy and Technology (CDT)
Ronald L. Rivest, Institute Professor, Massachusetts Institute of Technology
Andy Sayler, Senior Security Engineer, Twitter, Inc.
Ross Schulman, Senior Policy Technologist, New America’s Open Technology Institute
Wendy Seltzer, Strategy Lead, World Wide Web Consortium (W3C)
Adam Shostack, President, Shostack & Associates
Nick Sullivan, Head of Research, Cloudflare
Parisa Tabriz, Security Princess & Senior Director of Engineering, Google Inc.
Tarah Wheeler, Cybersecurity Policy Fellow, New America
Daniel Zappala, Professor, Bringham Young University
Philip Zimmermann, Delft University of Technology
*Affiliations listed for identification purposes only
Footnotes:
[1] Information Technology [Intermediaries Guidelines (Amendment)] Rules.
[2] Public Comments on Draft Intermediary Guidelines Rules, 2018.
[3] Information Technology [Intermediaries Guidelines (Amendment)] Rules. section 3, sub-section 6.
[4] Information Technology [Intermediaries Guidelines (Amendment)] Rules. section 3, sub-section 9.
[6] Open Letter to GCHQ on the Threats Posed by the Ghost Proposal.
[7] Keys under doormats: mandating insecurity by requiring government access to all data and communications.