16 March 2023

The Indian Telecommunication Bill Engenders Security and Privacy Risks

Anunay Kulshrestha, Gurshabad Grover

The last telegram in India was sent in July 2013. Almost 10 years after the use of telegraph faded into extinction, most regulation of telecommunication in India still finds its legal basis in the Indian Telegraph Act of 1885 and the Indian Wireless Telegraph Act of 1933, both of which were legislated by the British colonial government.

In a country that now has more than a billion combined subscribers to telephony and internet services, the Indian government has finally (rightfully) realized the need to update the legal framework that governs telecom and internet infrastructure: 138 years after the promulgation of the Telegraph Act, the Indian Ministry of Communications is seeking to replace the two colonial-era laws with the (draft) Telecommunication Bill, which was released for public consultation in September 2022.

The Telecommunication Bill covers many aspects of regulation, from the licensing regime for telecom and internet service providers to state powers of interception and surveillance. But far from providing the “modern and future-ready legal framework” that it promised, the bill regurgitates antiquated ideas from the very laws that it seeks to amend, threatens human rights, and sanctions unchecked state surveillance. In this article, we focus on the serious threats that the new bill creates for network security and privacy and examine how its provisions will consequently impact the exercise of the rights to privacy and freedom of expression in India.

Internet License Raj

Troubles with the Telecommunication Bill begin with its very definitions. It defines “telecommunication services” so vaguely and broadly that it covers most online services, including messaging, social networks, and virtual private networks (VPNs):

[B]roadcasting services, electronic mail, voice mail, voice, video and data communication services, audiotex services, videotex services, fixed and mobile services, internet and broadband services, satellite based communication services, internet based communication services, in-flight and maritime connectivity services, interpersonal communications services, machine to machine communication services, over-the-top (OTT) communication services[.]

Other countries, however, have recognized the necessity of defining telecommunications more narrowly. The U.S. Telecommunications Act of 1996, for example, distinguishes between information services such as social media platforms and telecom services such as internet service providers—ultimately meaning that providers of an information service are subject to different regulation than are telecommunications providers.

India’s bill further requires all such telecommunication services to apply for a license. The burden of applying for a license and complying with its terms will kill competition in the marketplace by steeply increasing the barrier to entry. It will favor entrenched, well-resourced incumbents over new, disruptive entrants. Licensing will also harm the self-hosting movement supported by free and open-source software. Examples of popular self-hosted software include home office VPNs, private social networks (e.g., Mastodon), and private chat (e.g., Matrix).

It is critical that the bill narrow the definition of telecommunication services to traditional telephony and text messaging, and exclude any online services.

Sender Identification

The broad definition of telecommunication services means that the many requirements on licensees, which may make sense for traditional telecom providers, will create serious security and privacy concerns for online services.

For example, Section 4(8) of the bill prescribes that “the identity of a person sending a message using telecommunication services shall be available to the user receiving such message.”

Making the identity of the sender (or caller) available to the recipient of the message (or call) is an important security measure in the case of cellular networks, where caller ID spoofing is a widespread issue. However, this identification measure is not always necessary for online services. End-to-end encrypted (E2EE) messaging services, for instance, already provide strong sender authentication mechanisms, without necessarily relating them to real-life identity. The bill’s obligation would thus undermine privacy guarantees offered to senders by services like Signal, a privacy-focused messaging app, and SecureDrop, an open-source whistleblower submission system. Forcing E2EE services like these to deanonymize senders will jeopardize whistleblowers, journalists, and marginalized groups who depend on these privacy protections for their physical safety. Further, recent research indicates that sender anonymity can be compatible with abuse detection and reporting in E2EE.

The revised bill should exclude internet services from the obligation to reveal the sender’s identity to recipients. Absent amendments to the bill, E2EE services may find it impossible to operate in India, which would destroy communications privacy in the country.

Surveillance

The same issue presents itself once more in Section 24(2)(a) of the bill, which requires services to provide communications data in response to surveillance requests. While this is feasible for most communication conducted over cellular networks, it is technically impossible for providers of end-to-end encrypted messaging, as the providers themselves do not hold decryption keys—a safeguard designed to maintain user privacy by preventing third parties from intercepting the data. Because only participants of a conversation can decrypt the communications on E2EE platforms, the companies themselves cannot hand over the contents of messages to law enforcement.
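As an added illustration (not code from the article, nor from Signal, SecureDrop or any provider it names) of the two properties just described, the toy Go exchange below, built only from standard-library X25519, AES-GCM and Ed25519, shows a relay that holds nothing but ciphertext and a pseudonymous sender key: the recipient can verify who sent a message without learning a real-life identity, and any party lacking the recipient's private key, the provider included, cannot recover the plaintext. The key derivation and message text are constructed for illustration and are not a production protocol.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Envelope is all the provider stores or relays: no plaintext, no private keys.
type Envelope struct {
	SenderPub              ed25519.PublicKey // authenticates the sender, not a real-life identity
	Nonce, Ciphertext, Sig []byte
}
// Participant holds private keys that never leave the endpoint device.
type Participant struct{ dh *ecdh.PrivateKey; sig ed25519.PrivateKey }
func NewParticipant() *Participant {
	dh, _ := ecdh.X25519().GenerateKey(rand.Reader)
	_, sk, _ := ed25519.GenerateKey(rand.Reader)
	return &Participant{dh: dh, sig: sk}
}

// sessionKey: AES-GCM key from the X25519 shared secret (toy KDF, illustration only).
func sessionKey(me *Participant, peer *ecdh.PublicKey) cipher.AEAD {
	shared, _ := me.dh.ECDH(peer)
	k := sha256.Sum256(shared)
	block, _ := aes.NewCipher(k[:])
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Seal encrypts msg for peer and signs the ciphertext with the sender's pseudonymous key.
func Seal(sender *Participant, peer *ecdh.PublicKey, msg []byte) Envelope {
	aead := sessionKey(sender, peer)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	ct := aead.Seal(nil, nonce, msg, nil)
	return Envelope{sender.sig.Public().(ed25519.PublicKey), nonce, ct, ed25519.Sign(sender.sig, ct)}
}

// Open verifies the signature, then decrypts; without the matching X25519
// private key (the provider's position) it returns false.
func Open(me *Participant, peer *ecdh.PublicKey, e Envelope) ([]byte, bool) {
	if !ed25519.Verify(e.SenderPub, e.Ciphertext, e.Sig) {
		return nil, false
	}
	pt, err := sessionKey(me, peer).Open(nil, e.Nonce, e.Ciphertext, nil)
	return pt, err == nil
}
```

A "provider" modelled as a third Participant that has seen the Envelope still fails to decrypt, which is exactly why a content request to an E2EE service cannot be met.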

Data requests to service providers must operate on a best-effort or capability basis. Implementing such a revision would not be new to Indian law. For example, the 2009 procedure and rules that govern state monitoring and interception of digital communication obligate online services to assist with interception only “to the extent the information is encrypted by the intermediary or the intermediary has control over the decryption key.”

These threats arising from the bill are only exacerbated by the legal mechanism that it seeks to establish for surveillance and interception in Chapter 6. With Sections 24 and 25 of the bill, the government seeks to empower itself to conduct surveillance if at any point it considers it “necessary or expedient” to safeguard national security or in cases of public emergencies.

This power to order the interception of communications can be invoked unilaterally by authorized personnel in the executive, with zero oversight or sanction from the parliament or the judiciary.

The absence of such oversight from other branches of the state is a long-standing human rights issue in India. Legal provisions such as Section 5(2) of the Indian Telegraph Act (1885) and Section 69 of the Information Technology Act (2000) are similar in this regard, offering the executive unilateral power to conduct surveillance. However, such powers are inconsistent with both international human rights law and recent constitutional law precedent in India.

Principles of international human rights law require that surveillance requests be sanctioned by an impartial and independent authority such as the judiciary in order to protect the right to privacy. While Indian courts have been satisfied with executive sanction and review in the past, there is a strong case to be made that judicial review of surveillance is a “constitutional imperative” after the Supreme Court’s 2017 decision in Puttaswamy v. Union of India, which affirmed the constitutional right to privacy. To align the Telecommunication Bill with international human rights law and constitutional jurisprudence, the bill must require judicial review of all surveillance or interception requests.

The bill also fails to mandate any post-facto accountability measure: There is no judicial or independent review mechanism for government surveillance in India. While in theory it is possible to challenge surveillance, the secrecy of such orders means that citizens have no avenue for legal remedy. The bill—through omission—disregards the rights of the targets of the surveillance. Targets should be informed of government interception of their communications as soon as possible, so long as such notification does not defeat the purpose of the surveillance. This will enable individuals who were targeted unfairly to challenge unlawful or unconstitutional surveillance and exercise their constitutional right to legal remedy.

Moreover, India at present has no mechanisms in place requiring intelligence or law enforcement agencies to make any of their activities in this regard transparent. In comparison, the U.S. intelligence services have published a transparency report every year since 2014.

Unauthorized Access

In Schedule 3(2), the bill correctly criminalizes “gaining or attempting to gain unauthorized access to a telecommunications service” and “intercepting a message unlawfully”—but it does so without creating an exception for good-faith security research and vulnerability testing. The chilling effect of such a law would make telecommunication infrastructure less secure in the long run. Security researchers like us face serious legal risks from such ambiguous laws and enforcement.

We recommend that the bill carve an exception for good-faith computer security research that is responsibly disclosed—much like the U.S. Department of Justice created an exemption under the Computer Fraud and Abuse Act (CFAA).

The technical meaning of “access” varies by online service. If the same standard is applied across all services, it could criminalize lawful activity such as web scraping. Within this framework, the bill should therefore also clarify the meaning of “access,” at least for internet services.

Conclusion

The central flaw in the Telecommunication Bill remains that it seeks to bring online services under the umbrella of “telecommunication services.” This view has been advanced by groups such as the Cellular Operators Association of India, which argues that telecom services are functionally equivalent to communication services provided by online services. This profound misunderstanding of technology also ignores the pertinent fact that traditional telephony and telecom in their current form cannot provide the security and privacy afforded by internet services. A recent consultation paper by the Telecom Regulatory Authority of India, “Regulating Converged Digital Technologies and Services,” betrays the same erroneous view.

In drafting a bill that fails at its own goals of “updating the nomenclature and definitions of relevant terms,” and providing a “future-ready” legal framework, India’s Ministry of Communications risks mistakenly codifying this dangerous definitional merging of online and telecom services. Far from realizing the “importance of cybersecurity” and “ensuring constitutional and procedural safeguards” for surveillance and censorship, the bill engenders serious information security and privacy risks, and puts the human rights of 1.4 billion Indians in peril.
