Internet Security In India Threatened By The Government's Proposed Changes To Liability Rules

Global encryption and security experts are joining several organizations to ask India to reconsider its proposed amendments to local intermediary liability rules.

Earlier this week, in an open letter sent to Ravi Shankar Prasad, the country’s IT Minister, 27 security and cryptography experts warned that if the Indian government goes with the change proposal to the law, security could be weakened and the use of strong encryption online could be limited.

In December 2018, the Indian government proposed changes to its intermediary liability rules, which would require significant changes in services of all businesses, even including those like Google and Facebook.

The original proposal says that intermediaries have to proactively filter and monitor the content posted and shared by their users and have to be able to trace the originator of questionable content so they won’t assume full liability for users’ actions. The Indian government defines intermediaries as services facilitating communication between two or more users, having at least five million users in the country.

The letter says:

End-to-end encryption means that service providers cannot see users’ decrypted content, according to the experts, some of whom work at Twitter, Google, Tor Project, Access Now, as well as World Wide Web Consortium.

This means such services cannot monitor users’ content at the required level as in the proposed amendments. There’s no way to make exceptional access for some without trading off the system’s overall security, no matter if services put a backdoor in their encryption protocol, store cryptographic keys in escrow, add silent users to group messages or any other way.

So far, tech firms have been under safe harbor laws, saying that tech platforms are not held liable for users’ content on their respective platforms.

Recently, several organizations have expressed their reservations about the proposed amendments to the law. Earlier this week, Cloudflare, GitHub, and Mozilla requested more transparency from the Indian government about their proposed amendments to its liability rules. Except for the government, nobody has seen the proposal’s current draft, which is planned for submission to the country’s Supreme Court by January 15.

One of the concerns is about how the term “intermediary” itself, which as defined by the Indian government, involves a wide range of services, including popular messaging platforms, internet providers, cyber cafes, even Wikipedia.

Last month, Wikimedia’s general counsel Amanda Keton requested the Indian government to have a second thought about requiring traceability in online communication. She warned that it would interfere with Wikipedia contributors’ ability to freely take part in the project.

Meanwhile, a US tech firm said that the Indian government needs to look into the intermediary guidelines.