India’s new IT Rules could end privacy, erode security
With the Supreme Court’s imprimatur on Right to Privacy as a fundamental right, the country was eagerly waiting for a Data Protection Law to be enacted by Parliament, after due deliberation and clearance by a joint parliamentary committee. But before the contours of the privacy regime could be laid out in cold print, the government came out with the Information Technology (IT) Rules, 2021, stirring up a fresh debate over privacy issues and raising fresh challenges to encryption, which is the veritable backbone of any safe and secure digital connectivity.
While social media giants are driven to stunned silence, foot soldiers of Internet freedom are up in arms naming the latest move as draconian and invasive, treading on the digital freedom of people.
At the core of this bitter divide lies the government’s avowed objective of tracing the originator of highly objectionable digital chats and the reason given is public order. It has been averred that grave challenges posed by Child Sexual Abuse Messages (CSAM), chats relating to drug trade, terrorism, radicalisation, hate/fake news. etc., have led to the demand of mandatory traceability on the part of the government.
The Centre’s rationale for intervention in the above cases is justified on grounds of national security. The policy recommendation to intermediaries to proactively monitor and remove content pertaining to CSAM and other sexual crimes against women is also imperative. Appointment of a dedicated chief compliance officer and a nodal officer for constant liaison with security agencies is a good step and placement of a resident grievance redress officer, vide Rule 4, is another good move.
But it is the sweeping traceability mandate that has provoked an outcry from stakeholders across the ecosystem due to its long-lasting deleterious effects on privacy and safety of users, as well as to the security of the state.
The key issue is whether traceability requirements can be fulfilled without weakening the overall security architecture of encryption. Is there a method of introducing traceability without triggering privacy, safety and security concerns?
Among the solutions offered is IIT professor V Kamakoti’s response to the Madras High Court which entails adding an originator information with every message and envisages a permission-based system which allows users to classify a message as forwardable or not forwardable. Experts have already discounted this method as erroneous and not technically feasible without breaking the encryption.
Proponents of the case for traceability cite two methods of achieving it — use of digital signatures as cited above or the metadata approach. However, it is still open to question whether either can discharge its legal objective of establishing criminal liability.
The digital signature approach is not foolproof because it is susceptible to impersonation. Further, the approach would require the intermediary to keep the private key of the encrypted digital signature and decrypt when ordered by the court or the government. But the key will then become vulnerable to hacking by bad actors and once successful will create havoc, targeting innocent users.
The metadata approach has its own set of challenges. The metadata contains data pertaining to source, time, date, location and other attributes minus the content. But for traceability, a humongous amount of data would be commandeered for which the security agencies neither have the time, energy or capacity to disaggregate for any meaningful result. Second, it also violates the data minimisation principle, strictly adhered to by all data protection regimes of the world. It figures prominently in Puttaswamy judgment on privacy and the PDP Bill, 2019. Heavy reliance on metadata leads to escalated threat to user security from cybercriminals and inimical foreign-based actors.
If the above two techniques are fraught with risks, is it possible to comply with IT rules with a straight-forward method of intermediary keeping the decryption key of the messages? No. Because any modification of the system to give backdoors, weakens the security architecture, rendering it vulnerable to all bad actors.
The other alternative is the client sight scanning, where hashes used in communications are matched against a database of content before sending the message to the intended recipient. But the threat again is real, once the platform gets totally exposed by hackers getting hold of the database.
Ultimately it is for the intermediaries to comply with the traceability rule and figure out whether it is possible without breaking the encryption.
The government has reiterated that it does not seek content and that originator tracing can be done without breaking encryption. It will be an ideal situation if this is possible but arraigned on the other side are the national and international experts who maintain that traceability is not possible without breaking encryption resulting in compromised platforms.
It is time, therefore, for the government to have a hard look at the feasibility of the traceability exercise and set up a technical committee, as it is a scientific challenge, to resolve the issue by confabulating with all stakeholders and gleaning the best practices currently adopted in the world. The end-to-end encryption is the bedrock of securing private messaging and online infrastructure, for ensuring safety and security of its users. The recent hacking of the power sector in Mumbai by foreign bad actors underscores the importance and sanctity of encryption. Core sectors like banking, power and IT-enabled services rely completely on secure connectivity provided by encryption. Tinkering around with it will lead to a severe crisis of confidence and credibility.
Innocent users of various social-media platforms have a cherished right to their privacy. Their personal information and chats cannot be used either commercially or surveilled by the state. A democratic state owes it to its free citizens.
(The author is Chairman, DeepStrat. He retired from the Indian Police Service. A version of this piece first appeared in the Hindu Businessline on March 11, 2021)