The weakening of encryption in OTT communication and privacy erosion are imminent if the draft Indian Telecommunication Bill, 2022, goes through. What do WhatsApp, Signal users have to worry about? Lots
Union IT minister Ashwini Vaishnaw briefs the media on the draft ITB, 2022, in New Delhi earlier this month. Pic/Getty Images
If ou are someone who is averse to the idea of sharing personal data like an Aadhar card with over-the-top (OTT) communication platforms, or fear the loss of your personal and professional data online, then you might have certain contentions with the draft Indian Telecommunication Bill (ITB), 2022 in its current form.
ADVERTISEMENT
The Department of Communications (DoT), which comes under the Ministry of Communication, recently released the draft of ITB, which is open for stakeholders’ comments till October 20. The Bill aims to combine three laws currently in place—The Indian Telegraph Act, 1885, the Indian Wireless Telegraphy Act, 1933 and the Telegraph Wires (Unlawful Protection) Act, 1950, to enact a new comprehensive legislation for the telecom sector.
Satya Muley, Ayush Tripathi and Jones Vaidya
But among other proposals it makes, the ITB is being questioned for its intention in bringing OTT communication services, such as WhatsApp, Signal, Telegram, Facetime, Zoom, Facebook etc, which are used to send messages and make voice and video calls over the internet, under its ambit. It seeks OTT communication platforms to also take up licence from the government to operate much the same way other telecom operators do, which experts believe could make free communication platforms payable if the costs are transferred on to the consumers. ITB also seeks to enforce know-your-customer (KYC) practices on these services. Under Clause 4(7), which pertains to KYC, platforms requiring a licence need to “unequivocally identify the person to whom it provides services, through a verifiable mode of identification as may be prescribed”.
In addition, Clause 4(8) requires the identity of the person sending a message to be made available to the user receiving the message. End-to-end encryption as promised by many, but WhatsApp in particular will also get affected under ITB, which makes provision for the government to seek and store data transferred on these platforms.
Michelle Solomon Le Page, Pranav Mandaliya and Gaurav Agrawal
According to Forbes India, Indians are most active on WhatsApp, with over 390 million monthly active users in 2020 alone. The move will thus, affect a large number of users.
Advocates at the law firm in practice since 1909, Solomon & Co, tell mid-day that while the aims of the ITB “are clear and may even be noble, which is to protect consumers, to aid law enforcement, to improve national security... its means are questionable”. Michelle Solomon Le Page, partner at the firm, says, “There was certainly a pressing need for laws governing the telecommunication sector to be updated in order to keep up with changing times. Unwanted advertising and publicity, anonymous calls and messages, identity theft, fraud and cyber crime, all require regulations to combat their virulent spread. The Bill aims to protect consumers from receiving anonymous communication, but it does so by obliging KYC information of senders to be provided to recipients. It also enables the government to oblige service providers to share user information and content with it, which fails to adequately protect data privacy rights of the consumers that the Bill so intends to protect.”
Ayush Tripathi agrees. He is the programme manager at tech policy think tank, The Dialogue. According to him, “the Bill increases the power of the central and state governments to intercept messages on digital platforms without putting in place any checks and balances for issuing such directives. In the absence of a data protection bill, it will infringe on the privacy rights of the individual.”
Services which provide end-to-end encryption might also have to weaken their system to comply with the orders of the government. At present, platforms providing end-to-end encryption services do not store data with them. “In order to comply with the provisions, they will have to start storing such data, which will defeat the purpose of the said facility they aim to provide. Weakening the encryption would mean that messages of the users will not be private and will be vulnerable to cyber attacks,” he says, adding, “TRAI in its 2020 recommendations to DoT had opined that the security architecture of end-to-end encrypted services should not be tinkered with as this will compromise the privacy, safety and security of citizens.”
Practising lawyer at the Bombay High Court and Supreme Court, advocate Satya Muley says that the biggest concern is that the Bill gives “sweeping powers to the central government to suspend telecom services, including internet services, during a period of emergency”. “The Supreme Court has also held that the government in such circumstances [public emergency] must first consider less intrusive and alternative remedies in place of blocking or intercepting telecom services.”
With KYC in place, Muley says, consumers can expect more safety when using OTT services, but associates at Solomon & Co, Jones Vaidya and Pranav Mandaliya, believe this will also dramatically increase the storage of personal data and the risk of data breaches. “A consumer may be relieved to no longer receive anonymous calls or texts, but on the flip-side consumers would be providing more and more personal information by way of KYC, which would lead to large volumes of data which need to be responsibly managed.” The management of this data is a primary concern, they feel. “It is even more concerning now that the Data Protection Bill, which has been in discussion since 2019 [when it was first introduced], was withdrawn by the government earlier in August, for introducing an even more comprehensive legal framework. It seems only logical and prudent that a robust data protection law be implemented before ITB is implemented in order to mitigate the risk of data breaches that comes along with the enactment of this Bill.”
There are some like Gaurav Agrawal, who believe that the draft Bill is needed for national security. Agrawal, who is senior vice-president of cloud telephony company Exotel, says, “Companies will have to get a government licence, like we already do. All telecom players are bound by regulations, I do not see a reason why OTT players should not be bound by the same rules on lawful interception.”