Digital Rights in India: An In-Depth Conversation with Nikhil Pahwa

"It’s important for citizens, and not just advocacy organizations, to participate in these processes, even if it is just about sending a line of comment voicing your opinion. Every vote counts."

Esra'a Al Shafei
Today we’re lucky to get to hear the thoughtful and informed perspectives of Nikhil Pahwa, a journalist, activist and public speaker on digital policy, internet governance, censorship, surveillance and privacy in India. As the founder and editor of MediaNama, a leading publication chronicling the evolution of digital policy in India, Nikhil has been at the forefront of advocating for and influencing the evolution of internet freedom in India. As part of that advocacy, he started the campaign for Net Neutrality and co-founded the Internet Freedom Foundation, which defends online freedom, privacy and innovation in India.

In recognition of his tireless work, Nikhil has been selected as a TED Fellow, an Asia21 Fellow and was named one of India Today Magazine’s "Indians of Tomorrow". He has been profiled in Forbes, Wired and GQ.

This interview with Nikhil offers a comprehensive overview of the landscape for online privacy in India, the challenges faced by the tech community, and the collective efforts needed to ensure a secure and privacy-respecting digital environment.

What is the current landscape for online privacy in India?

If there’s a country that exemplifies the lack of online privacy in its laws and the way it functions, it is probably India. A few headline points about online privacy in India:

  • Our “Digital Public Infrastructure” is regularly leaking personal data (some examples: here, here and here), or is designed for easy and low-friction sharing of personal data, and enabling profiling of citizens, 360 degree surveillance, and systems are being built for realtime access to citizen data, apart from rolling out CCTV cameras across cities, and facial recognition systems in use everywhere.
  • We have a fundamental right to privacy in India, determined a few years ago by India’s Supreme Court, but the laws that we have essentially appear to disregard this determination. The Government of India had said in court that Privacy isn’t a fundamental right, and even today it appears to view privacy and data protection as deterrents for economic development in the country.
  • India has a data protection law that, while it builds a consent driven framework for data collection, doesn’t do much when it comes to protecting privacy. Three examples:
    • The Data Protection Bill exempts publicly available personal data from the ambit of privacy, which means that you can’t claim privacy protections over any data that is good to scrape, including facial data from social media platforms.
    • The government of India is largely exempt from the provisions of the Bill, which means that we’ve lost the opportunity to bring some semblance of proportionality and legal protections against surveillance via the Digital Personal Data Protection Act.
    • Citizens can only appeal to the (yet to be constituted) Data Protection Board about privacy violations – they can’t go straight to court to complain against a privacy violation. They also cannot receive any damages, which essentially removes any incentive to complain.
  • The Indian state may be hacking devices: The Indian state was accused of using Pegasus to spy on individuals, and has been steadfast in its refusal to confirm or deny its usage. More recently, multiple journalists and politicians received notifications about potential government hacking as well.

In what ways does the recent Telecom Act affect the privacy rights of individuals, and what are the primary reasons for concern?

The Telecom Act suffers from the following problems:

  • Unchecked Power to do surveillance: The Telecom Act lacks sufficient checks on government surveillance, enabling unrestricted access to personal communications, which is a privacy concern. Government officials both issue and evaluate surveillance orders, creating a situation where the entity in power polices itself, leading to a clear conflict of interest. It’s worth remembering that:
    • Access to call data records is ubiquitous in India. Call Data Records (CDRs) are obtained by local police in almost 90% of cases without adequate oversight, compromising the privacy of countless individuals, and the Telecom Bill doesn’t restrict access to surveillance.
    • India’s Centralised Monitoring System, which is embedded in telecom networks, enables extensive monitoring capabilities of non-E2E calls and messages, without necessary limitations, potentially leading to abuse under the guise of security.
    • There’s a lack of proportionality in surveillance: As per previous reports, around 300 orders per day for surveillance were issued. How can there be adequate application of mind at this scale? Also, there is no graded approach, and there doesn’t appear to be a differentiated approach based on threat perception: under what circumstances, and based on what kind of information, and what kind of threat, what level of surveillance and for how long, is permitted.
    • Lack of definition of National Security: There is no definition in law, in terms of what National Security means. It could mean whatever the government wants it to mean. Can snooping on an opposition politician during elections be seen as a national security issue? Currently, it can.

How do recent policy changes in India affect developers who prioritize end-to-end encryption in their applications, particularly in the context of messaging?

Firstly, as I mentioned earlier, the Telecom Bill and the Data Protection Bill have failed to bring about surveillance reform. There was a fear that the Telecom Bill would cover the Internet as well, and even though the way the law is worded, it would appear that online messaging apps are also covered by the Bill, the Minister has publicly said that they aren’t. That doesn’t mean that given the letter of the law, at some point in time in the future, they invoke the provisions to legitimise the banning of VPNs and end to end encryption. India’s IT Rules 2021 also have a provision that enables the traceability of a message, up to the first Indian user that has sent the message, and this is irrespective of whether the message is sent protected by end to end encryption or not.

The Indian government officials are very smart about this: they know that end to end encryption is such that it cannot enable the determination of the originator of the message, and that such a clause would force the dismantling of end to end encryption. However, their approach is to argue that they’re not forcing the dismantling of end to end encryption: their rule is technology agnostic, and how the originator is determined is the platform’s problem. The other aspect is more procedural: the IT Rules are themselves illegal because the IT Act doesn’t have any provisions that enable rules for enforcing the breaking of end to end encryption: the rules cannot do what the law doesn’t allow. Of course, the Government of India doesn’t seem to care, and has enforced these rules.

Considering XMTP's role as a secure messaging protocol and decentralized communication network, what are the major legal or privacy-related hurdles that developers in India might encounter when building with XMTP, or when making their apps available to users in the Indian market?

As such, right now, there appear to be no major legal challenges that a developer might face when building with XMTP in India, or for making their apps available to users in the Indian market. This is largely because WhatsApp has gone to court challenging the IT Rules, and the matter is currently sub-judice, but one might need to contact a lawyer about this anyway. I don’t know when the Supreme Court of India might look at this case, but my guess is that it won’t do this anytime soon. If you’re an app that is under the radar, then you’re less likely to be impacted. Alternatively, if you’re a larger entity that the Indian government is trying to woo, in order to set up manufacturing in India, you might end up being overlooked for compliances related to end to end encryption.

What are the current and upcoming bills and policy changes that we'd need to stay aware of in India to better understand the privacy implications and the availability of end-to-end encrypted messaging?

We’re expecting rules any time now, which address enforcement of India’s Digital Personal Data Protection Act, and these will largely set out the framework for privacy regulations in the country. At some point in time over the next year or so, we might get the Digital India Act, which is likely to replace the IT Act, and legitimize the IT Rules, and in effect, create the legal grounds for enforcing the breaking of end to end encryption.

In terms of advocacy for privacy rights, what are some proactive steps people can take, and which advocacy organizations in India should they follow for gaining awareness and participating in calls to action?

The Indian government often forces and frequently nudges privacy-violating tech at citizens, who end up choosing the easier way out, because of the friction involved in not giving up your data. We talk about these services being voluntary (on paper) but mandatory (in practice). At times, people are even fooled into signing up for services.

Firstly, I think it’s important to push back against some of the more privacy-impacting deployments in India, and this has to be at a personal level. Push back against the idea of having to give your mobile number every time you make a purchase, against the usage of Aadhaar to create a bank account, or register at a hospital. There will have to be many small acts of defiance. Secondly, create awareness of the dangers of the deployment of facial recognition systems everywhere, including at Indian airports, despite the apparent convenience. Thirdly, there are often consultations about deployment of such tech, or when new rules are made, or laws are being formulated. It’s important for citizens, and not just advocacy organizations, to participate in these processes, even if it is just about sending a line of comment voicing your opinion. Every vote counts.

XMTP Labs' Commitment: Building Towards a Future Where Privacy is the Web's Default Standard

In line with the spirit of this dialogue, XMTP Labs recognizes the crucial role of developers in building and contributing to technologies that respect and protect user privacy. Our support extends beyond stewarding the development of XMTP as a secure and private messaging protocol; it encompasses advocacy for digital privacy to ensure that developers everywhere can openly contribute to privacy-preserving technologies without consequences.

We commend the relentless efforts of activists and journalists like Nikhil, who tirelessly fight for privacy rights, shining a light on the importance of protecting our digital freedoms. For more of these insights, be sure to subscribe to MediaNama.

