Weakened encryption and its impact on federated FOSS and SaaS services vis-a-vis right to trade and profession

This blog post is the second in the “Encryption and human rights” series by SFLC.in.

Countries across the world have been advocating for weakened encryption standards under the garb of curbing fake news, terrorist activities, and the spread of sexually explicit material involving children. In the last year, we have witnessed the Five Eyes alliance release a statement against strong encryption with India and Japan as signatories. India has introduced the traceability provision under the Rules notified under Section 79(2) of the Information Technology Act, 2000. Strong encryption is crucial for safeguarding data amassed by critical infrastructure such as healthcare, banking, cloud services, communications, and finance. However, governments often use the pretext that encryption is a barrier to investigations by law enforcement agencies to push for backdoors. Encryption has also been known to play an important role in safeguarding the intellectual property and trade secrets of businesses. It has safeguarded sensitive information over the years and is used widely by online services such as e-commerce and banking. A requirement to weaken encryption may also mean that companies doing business in a particular territory would have to alter their infrastructure to meet the legal requirements of that territory. If the technical infrastructure is altered at a global level, a domestic law would end up altering the entire global infrastructure of a company, thereby undermining the security and privacy of users globally.

Impact of the traceability provision on federated FOSS services

The most recent instance of a government trying to weaken encryption is in India, where the Government notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (hereinafter “Rules, 2021”). The Rules introduce a traceability provision which has jeopardized the fate of end-to-end encrypted federated FOSS services in India. These services are mostly operated by FOSS volunteers and include Diaspora and Matrix, amongst others. By virtue of Rule 6 of the Rules, 2021, these services could be required to comply with the provisions applicable to significant social media intermediaries, including the traceability provision.

However, these messaging applications are federated in nature, meaning that various individuals, groups of individuals, or organizations run them for organizational or personal purposes. These organizations/groups of people exist in silos and do not necessarily interact with each other. Unfortunately, the Rules, 2021 do not draw any intelligible differentia between not-for-profit decentralized FOSS services and for-profit proprietary services.

Weakened encryption standards are likely to pose existential challenges for federated FOSS services, which offer more security and adhere to the principles of openness and innovation. These FOSS services do not retain humongous amounts of metadata or surveil their users like most for-profit companies do. Unlike proprietary services, the FOSS community also does not profit from data gathered from its users.

The Rules, 2021 severely impact the ability of volunteers to run federated FOSS services. This has been challenged by a FOSS developer, Praveen A., in the High Court of Kerala. The Petition also pleads that the right to encryption is a subset of the right to privacy. SFLC.in has assisted Praveen in filing the legal challenge. The challenge also states that the applicability of the traceability provision to a federated FOSS architecture is unclear, i.e. whether the Rule would apply to independent servers or to the entire platform. For instance, Matrix is an end-to-end encrypted open source messaging protocol which is federated in nature. Matrix is also interoperable, meaning that it has any number of servers hosted by people, entities, or organizations across the world. The applicability of the traceability provision would leave the fate of such services undecided, as FOSS volunteers would be forced to alter the technical infrastructure of their servers at the whims of an executive notification. Another aspect that needs attention is that the host of one federated server may alter its technical infrastructure to incorporate traceability, while the owners of other federated servers may not necessarily do so. This would break the seamless, interoperable functioning of such services.

Another challenge with the applicability of the traceability provision is that the operators of such federated FOSS services cannot retain the metadata trail of communications, as other servers hosted by residents of different countries cannot be compelled to share the metadata of such communications.

Impact of the traceability provision on SaaS services

Software as a Service (SaaS) platforms rely on encryption to protect the confidentiality of data at rest and data in motion. This includes FOSS services like Jitsi, a video conferencing platform. In addition, services like Matrix fall in the category of federated FOSS services as well as SaaS. They also offer encryption of communications, including encrypted audio and video services.

Owing to the open-ended nature of the definition of social media intermediary in the Rules, 2021, services like Jitsi and Matrix also fall under it and therefore have to adhere to the Rules. This will lead to the same problems of operation as those faced by federated FOSS service providers, including the requirement to modify their existing technical infrastructure. These services, while enabling online interaction, do not traditionally fall within the ambit of a social media company. For instance, Jitsi is used for audio-video conferencing but is not used as a social media platform to post content.

How will the modified infrastructure of these services impact the human rights of their users?

Encryption is a vital cornerstone of the modern, internet-driven global economy. Large amounts of sensitive data, including the personal data of individuals and businesses, are amassed and processed by Software as a Service (SaaS) platforms. Federated FOSS services are also relied upon by many people across the world to safeguard their right to privacy and freedom of speech. The United Nations Guiding Principles on Business and Human Rights require private companies to respect human rights. The services offered by federated FOSS services, including SaaS services like Matrix and Jitsi, enable the exercise of the internationally recognized rights to privacy and to freedom of speech and expression. They also enable anonymity on digital platforms, which further aids the exercise of these human rights. FOSS services also provide user flexibility and reliability at a cost substantially lower than traditional, centralized software development methods. Weakening encryption standards would be a double-edged sword: FOSS services and FOSS SaaS services would have to alter their infrastructure and compromise on the principles of FOSS as well as the security they offer. It would also mean less choice for users of FOSS services and their migration to proprietary, centralized, for-profit services which bend to the whims of law enforcement agencies and have a tendency to compromise privacy.

It remains to be seen how the traceability provision will shape the digital space in India and globally, but there is little good that will come out of it at the cost of undermining the internationally recognized human rights principles of privacy, freedom of speech and expression, and anonymity.

Note: You can track Praveen A. vs Union of India here. To learn more about traceability, click here. To learn about what has been happening with respect to traceability in India so far, click here.