India’s information technology ministry recently finalized a set of rules that the government argues will make online service providers more accountable for their users’ bad behavior. Noncompliance may expose a provider to legal liability from which it is otherwise immune. Despite the rules’ apparently noble aim of incentivizing providers to better police their services, in reality, the changes pose a serious threat to Indians’ data security and reflect the Indian government’s increasingly authoritarian approach to internet governance.

The government of Prime Minister Narendra Modi has in recent years taken a distinctly illiberal approach to online speech. When India’s IT ministry released its original draft of the rules more than two years ago, civil society groups criticized the proposal as a grave threat to free speech and privacy rights. In the intervening years, threats to free speech have only grown. To quell dissent, Modi’s government has shut off the internet in multiple regions. Facing widespread protests led by the country’s farmers against his government, Modi has escalated his attacks on the press and pressured Twitter into taking down hundreds of accounts critical of the government’s protest response. The new rules represent the latest tightening of state control over online content, and as other backsliding democracies consider greater restrictions on online speech, the Modi government is providing a troubling model for how to do so. 

Beyond chilling digital rights, the new rules threaten to undermine computer security systems that Indian internet users rely on every day in order to grant the state increased power to police online content. The new rules require messaging services to be able to determine the origin of content and demand that online platforms develop automated tools to take down certain content deemed illegal. Taken together, the new rules pose threats to freedom of speech and the privacy and security of India’s internet users. 

The relevant provisions apply to “significant” “social media intermediaries” (which I’ll call SSMIs for short). “Significant” means the provider has hit a yet to be defined number of registered Indian users. “Social media intermediary” broadly encompasses many kinds of user-generated content-driven services. A government press release calls out WhatsApp, YouTube, Facebook, Instagram, and Twitter specifically, but services as diverse as LinkedIn, Twitch, Medium, TikTok, and Reddit also fall within the definition. 

Two provisions are of particular concern. Section 4(2) of the new rules requires SSMIs that are “primarily” messaging providers to be able to identify the “first originator” of content on the platform. Section 4(4) requires any SSMI (not limited to messaging) to “endeavour to deploy technology-based measures, including automated tools or other mechanisms to proactively identify” two categories of content: child sex abuse material and content identical to anything that’s been taken down before. I’ll call these the “traceability” and “filtering” provisions.

These provisions endanger the security of Indian internet users because they are incompatible with end-to-end encryption. End-to-end encryption, or E2EE, is a data security measure for protecting information by encoding it into an illegible scramble that no one but the sender and the intended recipient can decode. That way, the encrypted data remains private, and outsiders can’t alter it en route to the recipient. These features, confidentiality and integrity, are core underpinnings of data security. 

Not even the provider of an E2EE service can decrypt encrypted information. That’s why E2EE is incompatible with tracing and filtering content. Tracing the “originator” of information requires the ability to identify every instance when some user sent a given piece of information, which an intermediary can’t do if it can’t decode the encrypted information. The same problem applies to automatically filtering a service for certain content. 

Put simply, SSMIs can’t provide end-to-end encryption and still comply with these two provisions. This is by design. Speaking anonymously to The Economic Times, one government official said the new rules will force large online platforms to “control” what the government deems to be unlawful content: Under the new rules, “platforms like WhatsApp can’t give end-to-end encryption as an excuse for not removing such content,” the official said. 

The rules confront SSMIs with a Hobson’s choice: either weaken their data security practices, or open themselves up to expensive litigation as the price of strong security. That is an untenable dilemma. Intermediaries should not be penalized for choosing to protect users’ data. Indeed, the existing rules already require intermediaries to take “reasonable measures” to secure user data. If SSMIs weaken their encryption to comply with the new traceability and filtering provisions, will that violate the “reasonable data security” provision? This tension creates yet another quandary for intermediaries. 

The new rules make a contradictory demand: Secure Indians’ data—but not too well. A nation of 1.3 billion people cannot afford half-measures. National, economic, and personal security have become indivisible from data security. Strong encryption is critical to protecting data, be it military communications, proprietary business information, medical information, or private conversations between loved ones. Good data security is even more vital since the COVID-19 pandemic shifted much of daily life online. Without adequate protective measures, sensitive information is ripe for privacy invasions, theft, espionage, and hacking.

Weakening intermediaries’ data security is a gift to those who seek to harm India and its people. Citing national security and privacy concerns, Indian authorities have moved to restrict the presence of Chinese apps in India, but these new rules risk exposing the country’s internet users. The rules affect all of an intermediary’s users, not just those using the platform for bad acts. Over 400 million Indians currently use WhatsApp, and Signal hopes to add 100-200 million Indian users in the next two years. Most of those half-billion people are not criminals. If intermediaries drop E2EE to comply with the new rules, that primarily jeopardizes the privacy and security of law-abiding people, in return for making it easier for police to monitor the small criminal minority. 

Such monitoring may prove less effective than the Indian government expects. If popular apps cease offering E2EE, many criminals will drop those apps and move to the dark web, where they’re harder to track down. Some might create their own encrypted apps, as Al-Qaeda did as far back as 2007. In short, India’s new rules may lead to a perverse outcome where outlaws have better security than the law-abiding people whom they target. 

Meanwhile, weakening encryption is not the only way for police to gather evidence. We live in a “golden age for surveillance” in which our activities, movements, and communications generate a wealth of digital information about us. Many sources of digital evidence, such as communications metadata, cloud backups, and email, are not typically end-to-end encrypted. That means they’re available from the service provider in readable form. If Indian police have difficulty acquiring such data (for example because the data and the company are located outside of India), it’s not due to encryption, and passing rules limiting encryption will do nothing to ameliorate the problem.

When intermediaries employ end-to-end encryption, that means stronger security for communities, businesses, government, the military, institutions, and individuals—all of which adds up to the security of the nation. But the new traceability and filtering requirements may put an end to end-to-end encryption in India. The revised intermediary rules put the whole country’s security at risk. Amid a global backsliding for internet freedom, the proposal may offer an example for other would-be authoritarians to follow. 

Riana Pfefferkorn is a research scholar at the Stanford Internet Observatory.

Facebook, Google, and Microsoft provide financial support to the Brookings Institution, a nonprofit organization devoted to rigorous, independent, in-depth public policy research. 

On May 6, 2021, Facebook announced the takedown of 32 Pages, 46 Profiles, and six Instagram accounts operated by individuals in the Central African Republic (CAR) whose activities targeted audiences in CAR. Facebook shared this network with the Stanford Internet Observatory (SIO) on April 26, 2021. This network was suspended not due to the content of its posts, but rather for coordinated inauthentic behavior. SIO found significant indications both on and off platform that many of the assets removed in this takedown were aliases for the same entity. 

The suspended network exhibited strong ties to Harouna Douamba, a pseudonym for an allegedly Burkinabe individual who has gained notoriety in CAR for the information campaigns he wages on social media. Douamba claims to be the president of three non-governmental organizations (NGOs): Aimons Notre Afrique (ANA), Coalition Afrique Engagée (CAE), and Fédération Nationale des Ivoiriens d’Origine Étrangères (FENIOE). Facebook Pages for these organizations were included in the suspended network, in addition to Pages for several other NGOs and media companies with ties to Douamba. We also found some evidence that one of the suspended Profiles may be the individual behind the Harouna Douamba pseudonym. Facebook attributes the network to ANA.

NGOs and media outlets linked to Harouna Douamba

Suspended Pages consistently disparaged France’s involvement with CAR, but praised President Faustin-Archange Touadéra and Russia. They also published slanted stories on other west and central African countries. 

We also investigated Douamba’s connections to a disinformation campaign that claimed four officials associated with the UN peacekeeping mission in CAR (the Multidimensional Integrated Stabilization Mission in the Central African Republic, known as MINUSCA) trafficked arms to rebels operating in a neighborhood in Bangui, the CAR capitol. One of the suspended Pages was deeply involved in this effort and posted what might qualify as incitements to violence. 

Key takeaways: 

• The suspended network centered around the activities of Harouna Douamba. Nearly all of the suspended Pages have connections to Douamba and/or frequently published content featuring Douamba and the activities of his NGOs. Several of the suspended Profiles and Instagram accounts also appear to have direct ties to Douamba, his NGOs, or affiliated media companies. 

• Many of the suspended Pages claimed to be NGOs that seek to advance Pan-African causes. However, these NGOs largely appear to be thinly veiled aliases for Douamba’s ANA and CAE NGOs. Pages for these organizations demonstrated significant coordinated behavior. For instance, they frequently shared duplicated content from ANA and CAE, usually within 10 to 15 minutes of the original posts. 

• One of the suspended Pages was a coordinating force around a disinformation campaign in 2020 alleging that UN peacekeepers in CAR trafficked weapons to rebel groups and calling for revolt at the peacekeeping operation. This is strong evidence that Douamba is linked to that disinformation campaign. 

• Eighteen domains, largely French-language news sites covering central and west Africa, were linked to the network. There is substantial evidence that the sites are linked to each other and to Douamba. The ANA website, for instance, lists nearly all of the news sites as part of their media group, ANA-COM.

• Topically, the network largely pushed content critical of France and supportive of the Touadéra regime and Russia. They also published slanted stories on other west and central African countries.

• The network also attempted to build its audience across platforms. One post that was shared widely by suspended Pages called for Pan-Africanists to include their WhatsApp numbers in the comments. However, few users shared this information.