The new requirements in the Indian Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 (or “the Guidelines”) must not be used to force intermediaries to break end-to-end encryption or stop their plans to offer it. Over 500 million citizens use end-to-end encrypted messaging apps in India. Each of them relies on strong encryption more than ever to keep their communications safe and private.
Any attempts to weaken encryption would undermine the digital security of people in India, as well as those with whom they communicate outside the country.
The Guidelines state that intermediaries would not “be required to disclose the contents of any electronic message,” in the identification of the first originator of information. However, the Internet Society reiterates its concern, shared by cybersecurity experts, that in order to comply with these traceability requirements, platforms may be forced to undermine end-to-end encryption.
In an open letter to the Ministry of Electronics and Information Technology, cryptographic and security experts warned that pursuing message traceability would undermine digital security. And in a report last year, more experts warned, “to comply with traceability requirements, platforms may be forced to enable access to the contents of their users’ communications, breaking end-to-end encryption and considerably weakening the security and privacy of their product.”
Yet, the government has pushed forward with a traceability requirement that “significant social media intermediaries” (including popular end-to-end messaging apps) must have the ability to identify the first originator of information shared on their platforms.
Any requirement that forces businesses to make themselves and their products less secure by breaking end-to-end encryption gives a green light to criminals and hostile actors to exploit confidential and sensitive information.
The Indian Government must protect the security and privacy of millions of people across India and preserve uncompromised end-to-end encryption.