CDT Joins International Coalition Calling for Withdrawal of Draft Indian Telco Bill – Provisions Threaten End-to-End Encryption
Pasted from the letter:
Mr Ashwini Vaishnaw
Hon’ble Union Cabinet Minister for Railways, Communications, Electronics & Information Technology
Department of Telecommunications
Mr Naveen Kumar
Hon’ble Joint Secretary, Telecom
Subject: International coalition of organisations and experts, including members of the Global Encryption Coalition, call on the Department of Telecommunications to withdraw the Draft Indian Telecommunication Bill and protect encryption, privacy and security.
The undersigned organisations and experts, including members of the Global Encryption Coalition, urge you to enable open and secure communications in India. As we are committed to a free, open, and secure internet, and strong cybersecurity that strengthens privacy and freedom of expression, we respectfully call on you to withdraw the Draft Indian Telecommunication Bill, 2022 (“Bill”) in light of its threat to end-to-end encryption (“E2EE”), and the human rights, individual security and economic growth it serves to protect. A revised draft must be prepared in consultation with stakeholders and experts, that does not undermine E2EE, and instead incorporates provisions to protect and strengthen this privacy and security enhancing tool.
The broad definitions of “telecommunication” and “telecommunication services” in the Bill include over-the-top (OTT) services. As a result, any communication, such as video or audio calls, or messages, over a host of OTT platforms such as WhatsApp, Zoom, Signal, and FaceTime would fall within the Bill’s purview. A number of these platforms offer E2EE for calls and messages to enable strong privacy and security, which the Bill puts at risk.
Clause 24(2) in the Bill authorises the government to direct interception, detention, or disclosure of messages on broad grounds. The provision grants sweeping surveillance powers to the government, lacking safeguards that must be embedded in communications surveillance frameworks. It fails to carve out an exemption for E2EE services, and could easily be misused to break the security offered by E2EE services.
The defining feature of E2EE is that no party other than the sender/caller and the intended recipient/s can access the content of the communication, not even the service provider itself. In other words, such service providers have no technical capability to intercept, detain or disclose communications content. This ensures privacy, security and authenticity of information.