India’s new IT Rules 2021 would put online safety of millions of citizens at risk

Every day, we rely on encryption to keep ourselves safe and secure on the Internet. We rely on it even more as the COVID-19 pandemic has pushed work, school and even healthcare online. Yet more governments around the world are creating policies that weaken the use of strong encryption, making its future uncertain. However, what is certain is that any policy that would undermine strong encryption would have devastating consequences on the safety and privacy of billions worldwide. India’s revised Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code), Rules, 2021 - or the new IT Rules 2021 it is popularly known as - released last month, is a prime example.

On the surface, these Guidelines seem to aim squarely at social media platforms and addressing the growing proliferation of fake news and problematic materials posted online. This includes a traceability requirement, or the ability to track down the originator of a particular piece of content or message.

The Ministry of Electronics and Information Technology (MeitY) has emphasized that encryption is not a target in these new IT Rules 2021. Yet here’s the problem, as cybersecurity experts have pointed out, both in India and abroad, tracing a content’s originator is technically problematic. It is simply not possible for companies to try to comply with the new guidelines without suppressing at least some features that are integral for strong encryption to work properly. The likely outcome will be for those platforms to stop offering end-to-end encrypted services altogether. With the traceability requirement, the government appears to be compelling popular online platforms to weak encryption without explicitly telling them to do so.

The consequences of implementing these requirements would be immediately felt in India. An increasing number of the platforms, applications, and services we use every day, from our banks, to our favorite shopping websites rely on encryption to protect our transactions and communications online. Over 500 million citizens use end-to-end encrypted messaging apps in India, each of whom may start to lose trust in the security of the platforms they use to communicate. This outcome would be a major setback to India’s digital transformation while having very little effect on the perpetrators that the guidelines wish to catch. Criminals could easily move to lesser-known platforms that are beyond the guidelines’ scope.

End-to-end encryption is the gold standard for keeping Internet users and systems secure. It helps prevent spies, terrorists, and hostile governments from accessing and exploiting confidential communications of government officials. It also helps keep them from penetrating critical infrastructure and private databases that could cause wide-scale, systemic disruptions to India’s economy.

As a Founding Member of the Global Encryption Coalition, the Internet Society calls on the broader community, including the private sector, to reject efforts to undermine encryption and pursue policies that enhance, strengthen and promote the use of strong encryption to protect people everywhere.

We are not alone in our concerns that these new guidelines would jeopardize the safety of the millions of citizens in India. In an open letter to the Ministry of Electronics and Information Technology, cryptographic and security experts warned that pursuing messaging traceability would undermine digital security. A 2020 report warned that “to comply with traceability requirements, platforms may be forced to enable access to the contents of their users’ communications, breaking end-to-end encryption and considerably weakening the security and privacy of their product."

Endangering the online communications of citizens only scratches the surface of the consequences of weakening encryption. It would run counterproductive to efforts to keep people - including children - safe and secure online. As children of all ages are going go to school remotely, keeping their communications and activities secure online is paramount, and secure platforms offering end-to-end encryption are the most effective ways to do so.

Forcing businesses to make their products and services less secure could have a significant negative impact on India’s post-COVID recovery.

Many digital services are located in India; its IT and business process management (BPM) sectors are vibrant and play an important role in the economy, which is only expected to grow even more through 2025. But if any online service, application or company that becomes popular enough is forced to weaken their security – or not offer much of it at all, Indian companies will find it more difficult to compete in the global marketplace and consumer confidence in India’s tech products and services will wane.

As the government of India works out how it will implement the new rules, it must commit to economic progress and the security of millions of people across India by preserving uncompromised end-to-end encrypted services.

By Rajnesh Singh, Regional Vice President, Asia Pacific - Internet Society