Over two dozen encryption experts call on India to rethink changes to its intermediary liability rules

Security and encryption experts from around the world are joining a number of organizations to call on India to reconsider its proposed amendments to local intermediary liability rules.

In an open letter to India’s IT Minister Ravi Shankar Prasad on Thursday, 27 security and cryptography experts warned the Indian government that if it goes ahead with its originally proposed changes to the law, it could weaken security and limit the use of strong encryption on the internet.

The Indian government proposed (PDF) a series of changes to its intermediary liability rules in late December 2018 that, if enforced, would require millions of services operated by anyone from small and medium businesses to large corporate giants such as Facebook and Google to make significant changes.

The originally proposed rules say that intermediaries — which the government defines as those services that facilitate communication between two or more users and have five million or more users in India — will have to proactively monitor and filter their users’ content and be able to trace the originator of questionable content to avoid assuming full liability for their users’ actions.

“By tying intermediaries’ protection from liability to their ability to monitor communications being sent across their platforms or systems, the amendments would limit the use of end-to-end encryption and encourage others to weaken existing security measures,” the experts wrote in the letter, coordinated by the Internet Society.

With end-to-end encryption, there is no way for the service provider to access its users’ decrypted content, they said. The experts include individuals who work at Google, Twitter, Access Now, the Tor Project and the World Wide Web Consortium.

“This means that services using end-to-end encryption cannot provide the level of monitoring required in the proposed amendments. Whether it’s through putting a ‘backdoor’ in an encryption protocol, storing cryptographic keys in escrow, adding silent users to group messages, or some other method, there is no way to create ‘exceptional access’ for some without weakening the security of the system for all,” they added.

Technology giants have so far enjoyed the protection of what are known as “safe harbor” laws. The laws, currently applicable in the U.S. under the Communications Decency Act and in India under its 2000 Information Technology Act, say that tech platforms won’t be held liable for the things their users share on the platform.

Many organizations have expressed reservations in recent days about the proposed changes to the law. Earlier this week, Mozilla, GitHub and Cloudflare asked the Indian government to be transparent about the proposals it has made to the intermediary liability rules. Nobody outside the Indian government has seen the current draft of the proposal, which it plans to submit to India’s Supreme Court for approval by January 15.

Among the concerns raised by some is the vague definition of “intermediary” itself. Critics say the last publicly known version of the draft had an extremely broad definition of the term “intermediary” that would be applicable to a wide range of service providers, including popular instant messaging clients, internet service providers, cyber cafes and even Wikipedia.

Amanda Keton, general counsel of the Wikimedia Foundation, asked the Indian government late last month to rethink the requirement to bring “traceability” to online communication, as doing so, she warned, would interfere with the ability of Wikipedia contributors to freely participate in the project.

A senior executive with an American technology company, who requested anonymity, told TechCrunch on Wednesday that even though the proposed changes to the intermediary guidelines need major revisions, it is high time the Indian government looked into this.

“Action on social media platforms, and instant communications services is causing damage in the real world. Spread of hoax has cost us more than at least 30 lives. If tomorrow, someone’s sensitive photos and messages leak on the internet, there is currently little they can expect from their service providers. We need a law to deal with the modern internet’s challenges,” he said.