Next week, the Indian Ministry of Electronics and Information Technology is expected to put into effect rules that could significantly limit the ability of companies that operate in India to protect their users. It would effectively prohibit the use of security technologies like end-to-end (e2e) encryption. In turn, this means that the users of these companies’ products, which include things like social networks and messaging apps, are at a higher risk of having their sensitive communications and conversations exposed. Potential laws and rules like these would harm the wider security of the internet and lead to all internet users interacting in a less safe and secure way.
So, what is this rule, and how could it result in this negative impact on security? The rules, which are proposed amendments to the Information Technology (Intermediaries Guidelines) Rules under the Information Technology Act, have the goal of combating the spread of misinformation online. One of the ways they would attempt to do so is by requiring companies to be able to trace the originator of a given piece of content on their platform. While fighting misinformation in society is a laudable goal, this traceability requirement could significantly hamper security. In order to understand why you have to know a bit about e2e encryption.
All encryption (not just e2e encryption) involves encoding a message so that the recipient needs a key to see it. In non-e2e systems, the messaging platform has that key, and so could decode and read the messages if it wanted to. In e2e systems, only the creator and recipient of the message (the two endpoints of the communication, hence the name end-to-end) have the key, so the platform couldn’t see the message even if it wanted to. This is a great security and privacy tool, because it means the users don’t have to place all that much trust in the platform. They can have confidence that platforms won’t leak their data or mine it for ads because it can’t!
Of course, that means that the platform also can’t know who was responsible for creating or posting a given piece of content, because it doesn’t know who sent what. So if India’s rule goes into effect as currently proposed, in order to comply, platforms will have to forgo using e2e encryption, or create “backdoors” into the system (which means it isn’t really e2e). Further, while not in the current proposals, this would also open the door to greater government scrutiny of communications on these platforms.
If this rule is implemented in India (and potentially copied by other nations) it could force companies to create two types of systems – one that uses e2e and one that doesn’t. Companies might well justifiably balk at the cost and complexity of that approach and simply build less secure systems. That would weaken the overall safety of the internet ecosystem, harming users around the globe. Alternatively they could remove themselves from the Indian market altogether, depriving 1.2 billion people of state-of-the-art internet security. Neither of these are good outcomes.
We hope the Ministry of Electronics and Information Technology will reconsider the final version of these rules and strike the traceability requirements that will inevitably have serious unintended consequences.