International coalition calls for withdrawal of Draft Indian Telco Bill: Provisions threaten end-to-end encryption

Mr Ashwini Vaishnaw

Hon’ble Union Cabinet Minister for Railways, Communications, Electronics & Information Technology

Department of Telecommunications

Ministry of Communications

Sanchar Bhawan, 20 Ashoka Road

New Delhi – 110 001

CC:

Mr Naveen Kumar 

Hon’ble Joint Secretary, Telecom

Subject: International coalition of organisations and experts, including members of the Global Encryption Coalition, call on the Department of Telecommunications to withdraw the Draft Indian Telecommunication Bill and protect encryption, privacy and security.

Sir,

The undersigned organisations and experts, including members of the Global Encryption Coalition, urge you to enable open and secure communications in India. As we are committed to a free, open, and secure internet, and strong cybersecurity that strengthens privacy and freedom of expression, we respectfully call on you to withdraw the Draft Indian Telecommunication Bill, 2022 (“Bill”) in light of its threat to end-to-end encryption (“E2EE”), and the human rights, individual security and economic growth it serves to protect. A revised draft must be prepared in consultation with stakeholders and experts, that does not undermine E2EE, and instead incorporates provisions to protect and strengthen this privacy and security enhancing tool.

The broad definitions of “telecommunication” and “telecommunication services” in the Bill include over-the-top (OTT) services. As a result, any communication, such as video or audio calls, or messages, over a host of OTT platforms such as WhatsApp, Zoom, Signal, and Facetime would fall within the Bill’s purview. A number of these platforms offer E2EE for calls and messages to enable strong privacy and security, which the Bill puts at risk. 

Clause 24(2) in the Bill authorises the government to direct interception, detention, or disclosure of messages on broad grounds. The provision grants sweeping surveillance powers to the government, lacking safeguards that must be embedded in communications surveillance frameworks. It fails to carve out an exemption for E2EE services, and could easily be misused to break the security offered by E2EE services. 

The defining feature of E2EE is that no party other than the sender/caller and the intended recipient/s can access the content of the communication, not even the service provider itself. In other words, such service providers have no technical capability to intercept, detain or disclose communications content. This ensures privacy, security and authenticity of information. 

Invocation of clause 24(2) in the context of E2EE communication channels, would therefore effectively make it impossible for service providers to offer E2EE, in violation of people’s right to privacy, physical safety, and freedom of expression. It is worth noting that even if the clause is not invoked in practice to demand access to E2EE content, its mere existence, and possibilities of weakened security, heightened compliance requirements and abuse of power that it engenders, would still have a debilitating effect on the availability of E2EE platforms, rights and freedoms, the country’s overall cybersecurity infrastructure, and the economy. 

Further, Clause 25 confers broad discretionary powers on the government to issue directions in respect of standards to be adopted by licensees, registered entities or assignees. There is no explanation or limitation as to the subject matter of such standards. Unless clearly prohibited, the provision could be misused to prescribe standards that have the effect of weakening or circumventing security tools such as encryption. 

Encryption is crucial, not only for protecting fundamental rights guaranteed by the Indian Constitution, but also for bulwarking the economy, preserving democracy, and ensuring national security. 

Undermining encryption, including compelling circumvention techniques, violates human rights, including the right to privacy and freedom of expression under the International Covenant on Civil and Political Rights and the Universal Declaration of Human Rights. A democracy that stifles free expression by jeopardising private communications is a democracy in peril, and in violation of people’s rights and freedoms. The detriment is felt disproportionately by vulnerable groups, including dissidents, refugees, domestic violence survivors, members of the LGBTQI+ community, who are often targeted for expressing themselves; and activists, lawyers, journalists, medical professionals, and others, who need encryption to ensure data security – and even physical safety in many cases – and indeed, to perform their daily professional duties. 

Such measures also have a negative impact on the country’s economy and national security. As an example, an Australian legislation authorising law enforcement access to compel decryption and access communication had a noticeable detrimental impact on the market. Moreover, strong encryption is a critical component of a country’s cybersecurity infrastructure. Once the ability to weaken encryption is introduced, it can be easily misused by malicious state and non-state actors. 

Importantly, the Bill’s potential effect on encryption runs contrary to the Indian Supreme Court’s emphatic, and evolving, jurisprudence on the right to privacy, including the landmark Puttaswamy judgment, in which a nine-judge bench unanimously held that the right to privacy is protected by the Constitution of India. If made applicable to encrypted communications, Clause 24 would fail to fulfill the necessity and proportionality test recognised by the Court as well as international human rights frameworks. Further, it would contradict the government’s vision of “Digital India”, which cannot be achieved without ensuring digital safety. 

Despite the clear benefits of encryption, the Bill is yet another attempt by the Indian government to thwart encryption, following the widely opposed IT Rules, 2021 – which imposed the traceability mandate, and are facing legal challenges before various Indian courts. As the Office of the United Nations High Commissioner for Human Rights (OHCHR) noted in its recent report on the right to privacy in the digital age: “[E]ncryption is a key enabler of privacy and security online and is essential for safeguarding rights. In recent years, various Governments have taken actions, which, intentionally or not, risk undermining the security and confidentiality of encrypted communications. This has concerning implications for the enjoyment of the right to privacy and other human rights.” The report specifically cites India’s IT Rules, 2021, as one of the problematic examples of the State imposing obligations that would undermine E2EE. 

India – as the world’s largest democracy, and second largest base of internet users – has an opportunity to draft an exemplary legislation that ensures the protection of human rights in the digital age, and encourages technological innovation. Undermining security measures such as encryption would be in complete contradiction to not only this goal, but also the government’s stated goal of creating an “open, safe, trusted and accountable internet”.

The Indian Telegraph Act of 1885, which the Bill seeks to replace, is anachronistic, laden with provisions that enable government overreach and violate fundamental rights. In order for the 2022 Bill to truly be an improvement over the 1885 legislation, in keeping with the current context of technology, democracy, and human rights, we urge you to withdraw the Bill, and work on a revised draft, in consultation with stakeholders and experts. The revised draft must include strict limitations and safeguards pertaining to communications surveillance, including language to explicitly protect secure communications and end-to-end encrypted platforms. 

Sincerely,

Signatories:

Organisations: 

Access Now

Adebunmi Adeola AKINBO Trustee, Africa ICT Foundation

Africa Media and Information Technology Initiative (AfriMITI)

Associação Portuguesa para a Promoção da Segurança da Informação (AP2SI)

Association for Progressive Communications (APC)

Beyond Saving Lives Foundation (BSLF)

Blacknight Internet Solutions Ltd (Blacknight)

Bolivian Internet Governance Forum

Center for Democracy & Technology

Collaboration on International ICT Policy for East and Southern Africa

Community NetHUBs Africa

Derechos Digitales, Latin America

Digital Empowerment Foundation

DNS Africa Media and Communications

Electric Coin Co. (creators and supporters of Zcash)

Electronic Frontier Foundation

EngageMedia

Fight for the Future

Fundación CELTA (Venezuela)

Global Partners Digital

Human Rights Journalists Network Nigeria

Ikigai Innovation Initiative

Internet Freedom Foundation, India

Internet Governance Project, Georgia Institute of Technology

Internet Society

Internet Society Catalan Chapter

Internet Society Ghana

Internet Society India Hyderabad Chapter

Internet Society Liberia Chapter

JCA-NET(Japan)

Mailfence

MEGA The Privacy Company

Point of View

Privacy & Access Council of Canada

Ranking Digital Rights

Simply Secure

Software Freedom Law Center, India

Southeast Asia Freedom of Expression Network (SAFEnet)

Surfshark

Tech for Good Asia

The Tor Project

Tutanota

VPN Trust Initiative (VTI)

Individuals: 

Philip Zimmermann

Prof. Kapil Goyal, Academic Member, GEC , Fellow, ICANN

Riana Pfefferkorn