Unencrypted Too Far
Institutions can help find complex balance between privacy and online safety. India’s IT Rules do not meet good institutional design.

A battle rages for the soul of the internet, and there are no easy answers. For several decades, tech companies and governments have waged a battle on whether the latter should be able to access encrypted data that is stored by the former. The internet boom has now embedded tech companies in many aspects of our everyday lives — how we communicate with each other, what we see and think, etc.
The stakes in this battle have risen, and governments seem to be losing patience. Australia, for example, has passed a law that compels tech companies to grant the police access to encrypted messages. Seven major countries, including the USA and the UK, came together to issue a statement on encrypted messaging, saying that it should not come at the cost of precluding them from acting against illegal content online.
What we should realise, however, is that these are not fleeting issues that can be patched over by band-aid reactions. Instead, they are extremely complex and have implications for democracy, free speech, and many other things we care about. Experts and governments will have strong opinions. Some will say that privacy should not be violated at any cost. Others will argue that controlling child pornography is more important than privacy. Some may say that Big Tech companies are irredeemably complicit, while others may see them as the only plausible counter-weight to government overreach. That people have widely divergent positions is not an issue in itself — in fact, it is the very hallmark of robust societies. But not having processes that find a middle path is.
That is why institutions are important in such polarised policy discussions. They temper the worst excesses of our society, bring people together to discuss these issues, and find a middle path that is largely (if not fully) accepted by everyone. That is what the concept of Parliament itself is about — a few hundred people, each representing a different community or interest group, coming together to debate issues. The majority opinion prevails, but not before each is heard. Institutions are the structures, laws, rules, norms and incentives of different parts of the government that guide the actions of our leaders. When defined broadly like this, they are pervasive yet invisible in everyday life. The police is an institution. Media regulation is an institution. How to regulate encrypted platforms is an institution too.
It is not enough to just set up institutions. If we want to pursue the best path that maximises societal value, we need to set up good institutions. This requires three things:
- Tightly-written law that narrowly identifies the problem and the solution, and constrains unchecked government power through well-defined processes and rules.
- Transparent adherence to those laws, which ensures that the rules do not just remain on paper, but that every individual and civil society can see whether they are followed.
- Independent oversight that ensures that those who are unhappy with the law or its implementation can ask for a second opinion, thus also forcing governments to come up with better rules to start with.
The Information Technology Rules that the Government of India released in February are a form of institutional governance. They impose many new obligations on tech companies. One, in particular, has attracted lots of controversy. The rules force social media companies to identify the first originator of a message. Tech companies argue that this will force them to re-architect their platform, and thereby break the secrecy of end-to-end encrypted messages. The government says that it is only asking for the first originator, which can be achieved through other means. Experts opine that even these other means will gravely affect privacy and freedom of expression.
These are complex issues, and we should not presume that we will have the perfect answer anytime soon. Which is why it is important for any regulation to follow good institutional practices that create adequate checks-and-balances to avoid unconstrained government power that can make citizens feel insecure and businesses uncertain. These rules, however, do not seem to have paid careful attention to the three principles of good institutions.
Firstly, the rules around identifying the first originator are not tightly-written. They specify many grounds based on which the government can ask for data from tech companies, including terms like ‘public order’ that are so vague that they were explicitly excluded by the Constituent Assembly from our original constitution. If terms are vaguely defined, it provides the government a lot of discretion to interpret them to its advantage. This should be revisited, and any such government action should be restricted to a narrower set of grounds like child sex abuse material or content related to rape. Such clarity and certainty will help both citizens and businesses.
Secondly, the rules do not discuss transparency at all. For example, will a person know if her data is sought to be accessed like this? If it hampers criminal investigations, would such disclosures be made after the data is accessed? Will the government release a report on how many such requests it makes in a year, and why? Such transparency is important to ensure that governments stay true to the objectives of a (tightly-defined) law, and for citizens to be able to hold them accountable to it. But the rules — which otherwise promote transparency in their other sections — are silent on transparency related to requests for first-originator information.
Thirdly, the rules allow government officials to ask for such information, without the concurrence of an independent body like the judiciary or a regulator. Under the rules, Secretaries of the Home Ministry at the central or state level can pass such orders, which means that they have virtually unchecked powers. This violates good institutional design. When the police want to search our houses, they need to get a warrant from a court. Our communications — which reflect our most intimate details like sexuality or political preferences — need to have a similarly high (if not higher) threshold.
Many experts disagree with the very premise of seeking first originator information. Their concerns are valid, and need to be addressed. However, irrespective of where we land on a particular proposal, the institutional apparatus around it is timeless and needs to adhere to the three principles of good institutions. It will ensure that any incursions on personal liberty happen with the concurrence of two independent bodies. It will allow citizens to question government action, thus improving the laws over time. It will, in summary, set us off on a journey of societal self-improvement that a new and complex challenge like this deserves.