India’s proposed internet regulations could threaten privacy everywhere
India wants to end encrypted messaging as we know it — and it’s not clear tech companies can win the fight
by Casey NewtonIn December, after a somewhat bruising Senate hearing with Facebook, I argued that the fight over encryption was just beginning. This week, with India poised to unveil new rules that threaten encrypted communications around the world, it seems safe to say that the encryption fight is now fully underway.
First, some background.
Messaging products that are end-to-end encrypted can be read only by the sender and the recipient. The encrypted platform itself — such as Apple’s iCloud, or Facebook’s WhatsApp — can’t read the message, because it doesn’t have a key. This has led to periodic attempts from law enforcement agencies and lawmakers to force platforms to create so-called “backdoors” that would allow them to snoop on the contents of those messages. But the platforms have resisted, and the issue has generally been in a stalemate.
In India, though, things are moving very quickly to make end-to-end encryption illegal. The country has sought to exert more control over the internet in the wake of lynchings committed after false rumors spread on WhatsApp. But the Indian government has often taken a draconian approach to regulating the web — shutting down internet access at least 95 times last year, including an indefinite shutdown in Kashmir that a judge called an “abuse of power” earlier this year.
Now a set of rules proposed a little over a year ago would force tech platforms to cooperate continuously with government requests, without requiring so much as a warrant or court order. Among the requirements is that any post be “traceable” to its origin. And in what is believed to be a world first, the rules would require tech companies to do the investigating — to deploy their sophisticated tools to track a post’s spread on their network back to its point of origin, and then turn that information over to law enforcement.
This is quite different from the current approach, in which law enforcement identifies a suspect and then asks platforms to supply information about them. Now tech companies could essentially be required to serve as deputies of the state, conducting investigations on behalf of law enforcement, without so much as a court order.
That almost certainly means breaking encryption — how else could tech companies be expected to trace the source of a message? Imagine Clearview AI, but as a service tech companies are required to provide to law enforcement for free, and you start to understand what the Indian government is asking for here.
The final rules are expected to be released imminently, Saritha Roi reports in Bloomberg:
The Ministry of Electronics and Information Technology is expected to publish the new rules later this month without major changes, according to a government official familiar with the matter. [...]
The provisions in the earlier draft had required platforms such as Google’s YouTube or ByteDance Inc.’s TikTok, Facebook or its Instagram and WhatsApp apps, to help the government trace the origins of a post within 72 hours of a request. The companies would also have to preserve their records for at least 180 days to aid government investigators, establish a brick-and-mortar operation within India and appoint both a grievance officer to deal with user complaints and a government liaison.
The rules would apply to any app with more than 5 million users, including Facebook, YouTube, Twitter, and TikTok. Bloomberg reports that it’s not clear whether the identities of foreign users would be exempt.
The tech companies are fighting back. A trade group has argued that the rules would represent a severe violation of Indian citizens’ privacy, and they would almost certainly sue if the rules were implemented as written.
But there’s no guarantee that they’ll win. And if these rules take effect India won’t be the last democracy to implement them. Tech companies will come under increasing pressure to implement a similar system in other Western countries. (Australia seems poised to try to break encryption as well.)
What happens if encryption supporters lose? First, privacy is diminished for billions of users — including for activists, dissidents, victims of domestic abuse, businesses, and even government workers who have come to rely on secure messaging.
Second, the move could hurt the tech sector — both in India and abroad — by making it prohibitively expensive to launch a new business. Who can afford to build a compliance regime that requires the company to accommodate any government request, no matter how small, from day one? In practice, the answer is likely to be “only incumbents.” Hannah Quay-de la Vallee makes this point here:
If this rule is implemented in India (and potentially copied by other nations) it could force companies to create two types of systems – one that uses e2e and one that doesn’t. Companies might well justifiably balk at the cost and complexity of that approach and simply build less secure systems. That would weaken the overall safety of the internet ecosystem, harming users around the globe. Alternatively they could remove themselves from the Indian market altogether, depriving 1.2 billion people of state-of-the-art internet security. Neither of these are good outcomes.
Given how many things Americans have to worry about domestically, I understand how a story about Indian internet rules can fly under the radar. But it’s important to recognize that the spirit that’s animating the discussion in India is alive and well in the United States. Threats to privacy are multiplying faster than tech or society can deal with them. In such a world, encryption is one of the last — and best — tools we have to fight back.
The Ratio
Today in news that could affect public perception of the big tech platforms.
Trending sideways: Facebook’s fundraising features, which have led to more than $3 billion in donations since 2015, have generated significant goodwill. But nonprofits are complaining they don’t receive enough data about donors to form long-lasting relationships.
Governing
⭐ Mike Bloomberg is paying some of the biggest meme-makers on the internet to post sponsored content on Instagram promoting his presidential campaign. He’s working with Meme 2020, a company formed by some of the people behind extremely influential accounts, like Mick Purzycki of Jerry Media. Taylor Lorenz at The New York Times has the scoop:
The campaign, which launched this week, has already placed sponsored posts on Instagram accounts including @GrapeJuiceBoys, a meme page with more than 2.7 million followers; Jerry Media’s own most popular account, with more than 13.3 million followers; and @Tank.Sinatra, a member with more than 2.3 million followers.
The accounts all posted Bloomberg campaign ads in the form of fake direct messages from the candidate.
Larry Ellison, the founder of Oracle and one of the world’s richest men, is throwing a fundraiser for Donald Trump. It’s the most significant display of support from a major tech titan for the president, by far. (Theodore Schleifer / Recode)
Senator Kirsten Gillibrand (D-NY) released a proposal to overhaul the way the US government regulates privacy. Her new Data Protection Act would create an independent agency to protect consumer data at large. (Makena Kelly / The Verge)
A court in Moscow fined Twitter and Facebook 4 million rubles each (a piddling $63,000) for refusing to store the personal data of Russian citizens on servers in their home country. It’s the largest penalty imposed on Western technology companies yet under Russia’s new internet laws, which are designed to give the government more control over peoples’ online activity. (Associated Press)
A network of news sites is expanding across the country. Nearly 40 websites masquerading as conservative local news outlets were discovered in Michigan in October. Now, additional statewide networks have sprung up in Montana and Iowa. (Katherina Sourine and Dominick Sokotoff / The Michigan Daily)
A mobile voting app used in West Virginia has basic security flaws that could allow someone to see and intercept votes as they’re transmitted from mobile phones to the voting company’s server. It’s the latest evidence that digital voting solutions are not secure. (Kim Zetter / Vice)
Industry
⭐ Facebook’s dataset of anonymized URLs, which is meant to help researchers study the impact of social media on democracy, is finally live. The project, which allows approved researchers to see every link shared on Facebook, is part of a research partnership with Social Science One. Gary King and Nathaniel Persily of Social Science One talk about why the launch took so long:
When Facebook originally agreed to make data available to academics through a structure we developed (King and Persily, 2019, GaryKing.org/partnerships) and Mark Zuckerberg testified about our idea before Congress, we thought this day would take about two months of work; it has taken twenty. Since the original Request for Proposals was announced, we have been able to approve large numbers of researchers, and we continue to do so. When this project began, we thought the political and legal aspects of our job were over, and we merely needed to identify, prepare, and document data for researchers with our Facebook counterparts. In fact, most of the last twenty months has involved negotiating with Facebook over their increasingly conservative views of privacy and the law, trying to get different groups within the company on the same page, and watching Facebook build an information security and data privacy infrastructure adequate to share data with academics.
Facebook’s New Product Experimentation team released a Pinterest-like app for saving and sharing photos of activities like cooking and home improvement projects. The app, called Hobbi, is meant to “help you document and remember the things you love to do.” Pinterest stock dipped on the news. (Alex Heath / The Information)
Teens are creating thrifting communities on Instagram where they buy and sell clothes in photos and comments. It’s like a modern-day eBay. (Mia Sato / Input)
Jeff Bezos bought the most expensive property in LA with an eighth of a percent of his net worth. It is literally impossible to imagine just how rich the wealthiest people on the planet are. (Bijan Stephen / The Verge)
Amazon’s first employee, Shel Kaphan, says breaking up the company “could potentially make sense.” In an interview for a new PBS Frontline documentary about Amazon, Kaphan said he’s proud of what the company has become, but also conflicted. (Jason Del Rey / Recode)
In 2019, YouTube dominated 70 percent of the total time people spent on their phones watching the top five entertainment apps. Its success is something that companies like Netflix, WarnerMedia, NBCUniversal, and Disney will have to take into account as they compete for people’s attention. (Julia Alexander / The Verge)
The CEO of an AI startup with deep ties to the University of Michigan just stepped down from the company amid allegations of sexual misconduct. But he’s still a professor at the school. (Zoe Schiffer / The Verge)
Ezra Klein’s new book, Why We’re Polarized, charts 50 years of American history to figure out why our political climate is the way it is. It turns out the answer is a lot more complicated than just “social media.” (Nicholas Thompson / Wired)
New social media advice when going through a breakup: Deactivate your accounts, have a trusted friend change the passwords, and avoid looking back for as long as you can stand it. (Katie Way / Vice)
And finally...
I’m sure there’s relevant context here, but I’ve decided that I don’t care to look it up.
Talk to us
Send us tips, comments, questions, and your WhatsApp user ID: casey@theverge.com and zoe@theverge.com.