Donate

Open Letter: Concerns with Amendments to India’s Information Technology (Intermediaries Guidelines) Rules under the Information Technology Act

Shri Ravi Shankar Prasad
Minister of Electronics and Information Technology
Government of India

9 January 2020

Honorable Minister Prasad,

The undersigned international security experts write to you to express concern around the effects of the proposed amendments to the Information Technology (Intermediaries Guidelines) Rules under the Information Technology Act.[1] While the proposed amendments create numerous concerns, many of which are raised in the public comments,[2] this letter focuses on the impact of content filtering requirements on encryption and digital security. In pursuing the goal of curbing online misinformation and illegal content through content filtering requirements, the proposed amendments would put the security of the Internet and its users, and the future of a digital India at greater risk.

Encryption technologies protect people online and secure the economy by protecting the integrity and confidentiality of data and communications. Encryption secures web browsing, online banking, and critical public services like e-government services, electricity, hospitals and transportation. In India alone, over 400 million people rely on end-to-end encrypted messaging services to protect their communications with loved ones, engage in business, and more.[2] End-to-end encryption provides the strongest level of security and trust because ideally only the intended recipient holds the key to decrypt the message. As the Intermediaries Guidelines highlights, intermediaries should “take all reasonable measures to secure [their] computer resources and information contained therein.”[3]

However, by tying intermediaries’ protection from liability to their ability to monitor communications being sent across their platforms or systems, the amendments would limit the use of end-to-end encryption and encourage others to weaken existing security measures.[4] With end-to-end encryption, there is no way for the service provider to access its users’ decrypted content. This means that services using end-to-end encryption cannot provide the level of monitoring required in the proposed amendments. Whether it’s through putting a “backdoor” in an encryption protocol,[5] storing cryptographic keys in escrow, adding silent users to group messages,[6] or some other method, there is no way to create “exceptional access” for some without weakening the security of the system for all.[7]

India has the potential to be a world leader in the global digital economy, but only if consumers trust the products and services provided by its companies. In a global market, trust can make or break a decision to go with an Indian product or service, rather than a well-established competitor from North America or Europe. With the ability to monitor user content tied to intermediaries’ protection from liability, companies in India may feel compelled to weaken strong encryption on their services or fail to implement the technology at all. When the security of a company’s services and products are put into question, the trust needed to compete globally is put into doubt.

The content monitoring requirements in the proposed amendments would have grave unintended consequences on the security of the Internet, the Indian economy and Internet users. We ask the Ministry of Electronics and Information Technology to reconsider these requirements as they prepare to publish the revised version of the proposed amendments to the Information Technology (Intermediaries Guidelines) Rules, and to protect India’s Internet economy and users, by supporting the use of end-to-end encryption.

Sincerely,

  1. Ben Adida, Executive Director, VotingWorks
  2. L. Jean Camp, Professor, Indiana University
  3. Stephen Checkoway, Assistant Professor, Oberlin College Department of Computer Science
  4. Raman Jit Singh Chima, Senior International Counsel and Asia Pacific Policy Director, Access Now
  5. Roger Dingledine, Research Director, The Tor Project
  6. Zakir Durumeric, Assistant Professor, Stanford University
  7. Dr. Stephen Farrell, Trinity College Dublin
  8. J. Alex Halderman, Professor, University of Michigan
  9. Joseph Lorenzo Hall, PhD., Senior Vice President for a Strong Internet, Internet Society
  10. Matthew Holt, Software Engineer, Caddy Web Server
  11. Max Hunter, Engineering Director, Encrypting the Internet, Electronic Frontier Foundation (EFF)
  12. J. C. Jones, Cryptographic Engineering Lead, Mozilla
  13. Joseph Kiniry, Principal Scientist, Galois
  14. Sascha Meinrath, Director, X-Lab; Palmer Chair in Telecommunications, Penn State University
  15. Nat Meysenburg, Technologist, New America’s Open Technology Institute
  16. Prashanth Mundkur, Computer Scientist, SRI International
  17. Peter G. Neumann, Chief Scientist, SRI International Computer Science Lab
  18. Riana Pfefferkorn, Associate Director of Surveillance and Cybersecurity, Stanford Center for Internet and Society
  19. Hannah Quay-de la Vallee, Senior Technologist, Center for Democracy and Technology (CDT)
  20. Ronald L. Rivest, Institute Professor, Massachusetts Institute of Technology
  21. Andy Sayler, Senior Security Engineer, Twitter, Inc.
  22. Ross Schulman, Senior Policy Technologist, New America’s Open Technology Institute
  23. Wendy Seltzer, Strategy Lead, World Wide Web Consortium (W3C)
  24. Adam Shostack, President, Shostack & Associates
  25. Nick Sullivan, Head of Research, Cloudflare
  26. Parisa Tabriz, Security Princess & Senior Director of Engineering, Google Inc.
  27. Tarah Wheeler, Cybersecurity Policy Fellow, New America
  28. Daniel Zappala, Professor, Bringham Young University
  29. Philip Zimmermann, Delft University of Technology

*Affiliations listed for identification purposes only

Footnotes:

[1] Information Technology [Intermediaries Guidelines (Amendment)] Rules. https://meity.gov.in/writereaddata/files/Draft_Intermediary_Amendment_24122018.pdf
[2] Public Comments on Draft Intermediary Guidelines Rules, 2018. https://meity.gov.in/writereaddata/files/public_comments_draft_intermediary_guidelines_rules_2018.pdf
[3] Information Technology [Intermediaries Guidelines (Amendment)] Rules. section 3, sub-section 6.
[4] Information Technology [Intermediaries Guidelines (Amendment)] Rules. section 3, sub-section 9.
[5] The Clipper Chip. https://epic.org/crypto/clipper/
[6] Open Letter to GCHQ on the Threats Posed by the Ghost Proposal. https://www.lawfareblog.com/open-letter-gchq-threats-posed-ghost-proposal
[7] Keys under doormats: mandating insecurity by requiring government access to all data and communications. https://academic.oup.com/cybersecurity/article/1/1/69/2367066