India's Crypto War 2.0 is not about Encryption.

28 Jun 2021

There had been enough commentary about the Indian IT Rules notified in Feb 2021. Almost all of them focused on the how and what, but not the why. A simple framework to understand these rules is via the lens of My country, My rules. This framework has the following axioms driving the rule making:

1. Social Media is a tool that can bring about regime change and hence must be regulated.
2. Private Communication at scale is also Social Media.

Social Media and Regime Change

Private clubs and Trading organizations have been existence for long and except regulation around financial affairs, governments have stayed away from interfering in their day-to-day affairs. A notable exception is the British East India company, which was so successful in running its private enterprise and ended up owning most of the erstwhile princely kingdoms in the Indian sub-continent, that it had to be taken over by the British government. An important lesson that can be learnt from this historical episode is - A private entity that owns a lot of territory becomes a sovereign state by itself.

A similar construct can be applied in the domain of cyber, where instead of owning a lot of territory, a private entity ends up owning mind space and conversations which ends up driving narratives. When a significant portion of a country’s population uses a digital tool, developed by a private entity, it becomes a critical digital infrastructure. The free distribution and network effects offered by these mediums then becomes a contested space for diverse opinions which all compete with each other to gain mind space of the population.

This becomes problematic for both democratic and authoritarian governments in different ways, as noted by Bruce Schneier and Henry Farrell in their paper, “Common-Knowledge Attacks on Democracies”. They note that while in democracies, who is in charge is contested (via regular elections), in autocracies, who is in charge and what the social goals are must be stable and uncontested. They further note that autocracies benefit from “pluralistic ignorance” or “preference falsification,” under which people only have private knowledge of their own political beliefs and wants, without any good sense of the beliefs and wants of others.

Social media platforms hence are problematic for autocracies because they can become a means for the population to understand, how the existing regime has become unpopular. For instance, protest movements can use these platforms to broadcast their disagreements and may end up picking followers and gain more traction from other sections of population, which are unhappy with the regime for some other reason. Democracies are also vulnerable to these information attacks, but in a different manner, as the sanctity of the Presidential elections were questioned by the incumbent President, who lost the election, which then led to the invasion of the Capitol, as many believed that his claims were true.

Hence, both the content and virality of the content becomes a key area of concern, and it is only natural that governments of all hues would want to regulate that aspect via take down notices. While it is easier to send take-down notices, it is another thing entirely to ensure that they are complied upon because by virtue of gaining a significant user base, Social media Platforms have amassed “People Power” on their own and can mount formidable opposition to an elected government, and may simply choose to ignore the take-down notices.

Governments hence need leverage over these platforms to make them bend to their will and business interests of these platforms offer that leverage. They may also choose other outwardly-reasonable looking methods such as mandating compliance officers within these platforms to ensure take-down notices are honored, by pointing out how platforms don’t respond on time and take down harmful content such as abuse, pornography etc. In this push and pull game, however both parties (Platforms and Governments) have dilemmas that they need to grapple with.

For instance, governments cannot go too hard on the platforms because it may antagonize a large section of citizens, in the platform, which may then backfire, as they would take the side of the platform, and the reverse is also true. Platform users also face the same dilemma, and their segmentation matters on the final outcome. For instance, a section of the platform users may want platforms to be more neutral and respectful of rights, while other segments may want it to take the side of the government because they are dis-trustful about them (The East India company provides a historical context on why).

While the local leadership of the Platforms might also make a difference, the impact would be marginal at best because as they are local citizens under government jurisdiction, they may be subject to punitive measures and be only protected to the extent of independence of the judiciary in the country. The final outcome of this contest is thus predicated on the complex interplay of power between various parties (Government, Platforms, Citizens) and also geo-political realities, but one factor decides the outcome more than most - People Power, and the party that wins it, might succeed, more than others.

Private Communication at Scale is Social Media

What converts a private conversation between two or more individuals into a public square is - The capability to share. If we can imagine an end-to-end encrypted channel, where messages instantly vaporize themselves as soon as they are read, then no matter, how many people use that messenger application, it will not be deemed as a public square. However, all popular messenger applications, provide the capability to share content via the “Forward Feature” for a simple reason - Humans are social animals who love to share.

Virality hence becomes a concern even within Private communications between two or more individuals and currently Platforms don’t offer any means to restrict virality because whatever they do, there are technical workarounds to disable them. For instance, when WhatsApp enabled “Forwarded” labels, to counter criticism that mindless forwarding of child kidnapping rumours resulted in scores of innocent people getting lynched, it created a market for custom clients that are funded by Political parties and other actors, which worked around these labels, by employing copy-paste techniques via WhatsApp Web client.

While some argue that Forwarded labels are just gimmicks that are done on top of the Signal protocol on the client side, to counter criticism about fake news, it has also become an area of relentless misinformation that the feature proves that WhatsApp is indeed tracking virality, which then formed the basis for mandating traceability of the first originator, as part of the IT rules. The rules envisage that just like how two hidden fields (Forwarded: True, Forward Counter), where added by the client side without the knowledge of users, one hidden extra field (Originator Phone number) must be added without the knowledge of users.

The leverage that the government did think it had over WhatsApp was not surprisingly user angst about the roll out of privacy policy which adopted a take-it-or-leave-it approach and also the holding out of WhatsApp pay, until it complies. WhatsApp going to court was an outcome, it did not expect. However, it does not mean that courts will take the side of WhatsApp as it really depends on whose side the power of people reside, and so far Platforms have not made any concerted attempt towards reaching out people, for fear of antagonizing the government and suffering punitive reprisals, that may be carried out on their business interests or their local employees.

Signal - Joker in the Pack

Given this background, the recent news that the government considers Signal to be non-compliant with the IT rules because it has not implemented the traceability mandate and has not appointed grievance officers is puzzling for two reasons:

1. The government has no leverage on Signal as it has no business interests in India being a non-profit foundation.
2. User trust is much higher on Signal because it is highly recommended by security researchers in India for collecting very little meta-data and distrust in WhatsApp because of it’s recently rolled out privacy policy changes.

So why would the government than pull Signal into this? The simple answer is - Floating a trial balloon to gauge reactions and also signalling that it may get banned to the current user base and potential users.

Signal foundation can respond to this trial balloon in the following ways:

1. They can simply ignore the news and choose not to respond.
2. They can make a public statement that they would never comply to these demands and leave it be.
3. They can do #2 above and also intervene or join cause with petitioners who have challenged these rules in various High courts across India.

Each of these responses have their own set of Pros and Cons. For instance #1 (Ignore) is the weakest response and that might convince the government that WhatsApp is all alone in this, and continue to press on about how a company that sells user data can’t be trusted to guard user privacy, turn public opinion against it, win the court cases and then undermine the entire construct of end-to-end encryption, by banning signal later, like China.

A public response from Signal (#2) will strengthen user trust and will also allow signal to grow its user base, but it will startle the government enough to raise the historical context of British East India Company and paint Signal as an aggressor against Indian sovereignty and raise the spectre of fake news, pornography and other harms spreading through the platform and come out in the public (unlike anonymous officials giving quotes). This will create a streisand effect and will drive more users towards Signal.

Joining other petitioners in the litigation against the IT rules (#3) is the strongest response with non-profits such as Internet Freedom Foundation (IFF), will focus public attention not just on Signal, but also towards the technology of end-to-end encryption and the various aspects of free speech it enables. This option also has the added advantage of blunting criticism that Signal behaves like the erstwhile East India Company, raising the discourse level on encryption and technology in the public domain and increasing the chance that these rules might be struck down by the courts.

Tags: [ crypto  encryption  narrative  dominance  ]