Good evening everyone, my name is Khushagar and on behalf of SFLC.IN, I welcome all of you to today's event on encryption, titled Privacy versus Security: A Flawed Perspective. The way technology is constantly evolving and the manner in which it is shaping our world, where we have invasive surveillance tools, rising incidents of cyber crime and hacking, encryption shields us against a lot of these threats. It is something that gives us an assurance, a guarantee of sorts that the data that we are putting out in the digital space is not going to fall into the wrong hands. With all these problems, we also need to pause and think, what is the kind of future that we wish to build for our coming generations? And encryption is an essential ingredient of that thought process. As some of you may already know, SFLC.IN for over a decade has been working on issues that have an impact on digital rights. So it's only natural for us to try and demystify encryption and how it impacts our lives. In furtherance of that effort, we have published a report titled Encryption, Political Mythology and Technical Reality, Decrypting the Encryption Debate in India. It is available on our website. I request all of you to go through it and let us know your thoughts on it. Coming back to today's event, we have a very eminent group of panelists to help you understand the issues relating to encryption. The discussion is going to be moderated by an equally eminent individual and a very familiar face, Abhinandan Sekhri, journalist and the co-founder of Newslaundry. Before beginning with the event, I would like to thank our media partner NewsClick for the association with us for the events. Over to Abhinandan.

Thank you, Khushagar. And thank you for letting me be part of this.
When I saw the subject, I realized there's much I need to learn and understand on the subject, especially heading a news organization where these days, surveillance seems to be popping up every now and then. So let me introduce the panel and then we'll get straight into the discussion. I'd just like to tell our viewers, we will have a discussion for about 40, 45 minutes and after that we'll take questions. You can put the questions in the chat window. If that's not correct, someone from the production team can cut in and tell me if that's right. But I guess there's a chat window and everybody who's watching can put their questions in there. And at the end, we will take your questions, as many as we can. So each of the panelists, I went over their bios. They are extremely accomplished individuals and I hope to learn a lot from them. I'll try to keep the introductions short but they are really long introductions. So I suggest you also check out the website to see all that they've done. Let me start off with Samuel Woodhams from Digital Rights, the digital rights lead from Top10VPN. Hi, Samuel, welcome. Samuel is the digital rights lead at Top10VPN. He has written for some of the most eminent publications, Wired, CNN, Quartz, Al Jazeera, Business Insider, Deutsche Welle, The Diplomat and World Politics Review. His research has been featured on everything from the BBC to Reuters to WaPo to The Guardian. And he's a frequent guest on BBC's Digital Planet, which I actually do watch quite often. And he researches issues of censorship, surveillance and internet freedom with the aim of promoting open, inclusive and secure digital spaces. Welcome, Samuel.

Thanks very much.

Yeah, and also joining us is Shivangi Nadkarni. She's the co-founder and CEO of Arrka, Managing Information Risks. She is a graduate of IIM and BITS Pilani. So she's clearly been to the top schools and has cracked the academic situation like very few could.
She has 24 years' experience in information security and risk management, e-commerce and networking across multiple geographies. She's worked with Wipro, Sify and has handled lines of businesses across the board. And she was instrumental in setting up the first licensed certifying authority in India, in association with VeriSign. Welcome, Shivangi, pleasure to have you. Also joining us is Mallory Knodel. I hope I pronounced that correctly. Mallory, is that correct? Is Mallory Knodel joining us? There she is. Hi, Mallory. Is that pronunciation right? Knodel, is that correct? Yes, okay. She's the chief technology officer of the Center for Democracy and Technology. She takes human rights to a people-centered approach to technology implementation and cybersecurity policy advocacy. She's the co-chair of the Human Rights and Protocol Consideration Research Group of the Internet Research Task Force and an advisor to the Freedom Online Coalition. She's from the US, but she's lived extensively in Nairobi and she's worked with grassroots organizations around the world including Bolivia, France, Palestine and UK. So I'm guessing she'll bring a world view on this, a perspective from across the world, and she holds a BS in physics and mathematics and an MA in science education. Wow. And here's Gus. Hi, Gus. You're the executive director of Privacy International. Is Gus on? There he is. Hi, Gus. So he's worked in the intersection of technology and human rights for over 25 years, although he doesn't look it. He looked for it to answer that. He's led research and co-authored a book on identity systems and policy. Global challenges for identity policy is what it's called. He founded regional and global networks of civil society organizations to work on technology and rights. And he's also acted as external evaluator for the UNHRC and has advised the UN Special Rapporteur on terrorism and human rights and has advised a number of other international organizations. Wow.
That's quite a CV and you can read the rest. It's a very long CV. You can check it out on privacyinternational.org. Gus, welcome.

Thank you.

And finally, our very own Prasanth Sugathan. Hi, Prasanth. Is he on now? There he is. Prasanth is from SFLC. In case you're wondering, SFLC is the Software Freedom Law Center in India. He is a lawyer with years of practice in the fields of technology law, intellectual property law (in fact, I could use some advice from him right now, I'm going through some problems with big media), administrative law and constitutional law. He's an engineer turned lawyer and has worked closely with the free software community in India. He's appeared in many landmark cases before various tribunals, high courts, as well as the Supreme Court of India. He is also, he's also deposed before the parliamentary committee on issues related to the Information Technology Act and net neutrality. So I'm guessing his inputs will, in some sense, frame policy in our country. So that's the panel. And I hope the rest of the years are feeling as inadequate as I am right now because we have an extremely eminent bunch here. Now, the subject as it has been stated is privacy versus security, a flawed perspective. Now, I'd just like to put my understanding of it, having watched so much about this, including the case in the US where the Apple phone needed to be unlocked and a reporter in the US actually went to prison because she did not reveal her sources and she didn't want to give up her gadgets. As long as nation states exist, especially in the current environment, post-9/11, it appears to me, and even though I personally would always lean towards civil liberties and rights, it would be very hard to say that privacy is more important than national security. But is the problem in how it's being framed? Is it a very convenient way for nation states to frame privacy versus national security? So let me start with the framing of one versus the other. Let me start with Mallory.
Mallory, is the framing wrong? Is it one at the cost of the other or both don't belong in the same basket to compete for space?

Yeah, thanks for starting with me. I've been talking about this for several years. The place where we sort of formulated an approach to cybersecurity was at the Freedom Online Coalition. It's a now, I think, 33-strong list of governments, democratic governments that participate there. And so as civil society representatives along with those from private sector and governments, we talked a lot about this reframe. And what we came up with is, I think, something that makes a lot of sense, which is when you think about individual people and you center the needs of people from a human rights perspective, the right to privacy, the right to being secure, there are things that then it feels that the frame actually goes away. It isn't a privacy versus security anymore because individuals need also to be secure. That individuals need their right to privacy as much as they need other forms of security. And you take that away when you force government access to encrypted communications and things like that. Because it has also an impact on economic, social and cultural rights, on our ability to express ourselves freely. I think of it as the right to whisper, the idea that you can have a private conversation online is an important model in people's minds in order to be their full selves, to do everything from secure banking transactions to just living their lives. So I do think that the frame needs to shift and the frame needs to center instead on, on the nation state, it needs to shift to actual citizens, residents, people living in that nation that the government is serving.

Thanks, Mallory. Let me come to Gus. Gus, do you think the framing can be any other way? I mean, is there really any other way to look at privacy versus national security?
Because we have seen and have been told that they have intercepts made, where communications, at least in India, whether it is wireless communications that were intercepted, I don't know if there've been cases like that in the US. How would you frame it?

Let me just take my privacy hat off for a second and put on my security framing on this, which is, because you emphasize national security. There's a difference in attitudes around security. There's national security from this sense of we must defend our national infrastructure from those who would want to do us harm outside. There's law enforcement and police who tend to view security from, there's been a crime and we need to investigate, and yeah, so there's at least those two different framings. No national security expert worth their salt would say that we don't need encryption. They would say because of the modern world as we're building it. Increasingly, it's being built not by governments but by intermediaries and more often than not, companies who we hardly ever trust or we shouldn't have to trust. And these are transnational companies who have allegiances to various governments across the world. You need to build infrastructure that is hardy. You need to build infrastructure that anybody can use without fear of neighboring countries or neighboring provinces or neighboring anybody, even organized crime, from penetrating. Like otherwise we're building an insecure world, leaving aside again the privacy issue. So encryption allows for us to build a digital infrastructure, whether it is our cities or our internets, in a way that locks adversaries out. And that's security and that's good. That's what we want. Everybody should want that. The Indian government should want it from the Chinese and from the Americans. The Americans should want it from the Russians and the British and the Israelis. And that's why encryption exists. And so the privacy versus security debate could occur in a law enforcement frame.
But if you're really interested in national security you should want encryption everywhere.

Right, okay, we'll revisit that. Shivangi, if you could come in on, of course one is the framing, but is this a conversation that we're gonna be having every couple of years, because from a time when law was always a little behind technology. Now it seems technologies move faster than law can. And because the inhibitions on technology's development are always gonna be less than policy, which has to go through many procedures and committees and a democratic process. Should we assume we're in an age where we will be having such conversations which will always be unsatisfactory because the two will not keep pace?

Yes, I think the first of all I think technology will always move at a pace which is far ahead of law and policy because that's how it is, right? I mean, innovation keeps happening and much faster and takes time for policy and law to catch up. And the fact that when a lot of tech new innovation happens the long-term impact of it and the impact of it over from different perspectives take a while to sort of reveal itself for people to figure out. And therefore another reason why law and policy will always play catch up. But given that, I mean, I go back to what Mallory said and for a second just put myself into an average citizen's shoes. As a citizen, I think this debate, which has been by the way going on for a fairly long time, is not something that should be there in the first place. I mean, I'm a regular person. I want both security from my country or wherever I am. I still want privacy also. And I feel sometimes equating it to a zero-sum game in a way is finding the easy way out. I know that there are concrete answers. It's still what we call work in progress. The report fantastically brings out the stance taken by different countries. However, having said that, I still think it's very easy to say one versus the other. I mean, forget at the nation-state level.
If you talk to an average citizen also, the common perception is that I have to sacrifice privacy for security because that's the narrative that has been sort of dinned into our heads. Am I right, that's correct. But if you actually go down to the granular level and stop seeking solutions only in technology, but look at it from a 360-degree perspective, much like how the report talks about the fact that you need, for example, judicial oversight, you need, there's a role for legislation, there's a role for judiciary, there's a role for law enforcement. It all needs to come together in a way which I'm sure things will evolve. But at the end of the day, a citizen has the right to both privacy and security, and it is unfair, in my opinion, to say you can't have one at the cost of that. And I mean, do I have an answer? No, I don't. But I think we need to...

But we can throw that idea around in conversations like this and hopefully something will emerge. Samuel, if you could come in and weigh in on this zero-sum game or not, and how would it look in different countries, because in an age where corporations are not, they're more than multinational, they're transnational, they're everywhere, like Facebook, Google, Twitter, there's an asymmetry not just with technology and law but also geographies and policy around the world. Is this a too complicated problem that we've never faced before?

I think what we've seen a lot recently is debates around weakening encryption systems, a pretty poorly disguised political point scoring, that actually disregard the needs of the already marginalized and those at risk. Protecting encryption and strengthening it is as much a human rights issue as a security one. I think that often legislators like suggesting like the ending of anonymity online and weakening of encryption systems because it shows that they're doing something without a problem that is societal and isn't just to do with technology anymore.
But often they then lack the actual technical expertise and understanding to really appreciate the ramifications of what those policies might have. So I think having these discussions about why encryption is so important and why it needs to be defended and strengthened globally is really the right step in the right direction.

All right, and Prasanth, since you are from the organization that's hosting this, let me come to you last. And you can tell us a little about your report. I did read it and the beginning is all about encryption. I'm assuming many of our viewers would already understand what encryption is. It is a tool where the information that we exchange with each other is locked or coded in a way that no one in the middle can get access to it and see what that information is. And there are laws around encryption, this report, which I encourage you to go if it's ready. Maybe we could post it in the comment section or PDF or a link. But otherwise, I'm sure you can go to the SFLC website and get it. So Prasanth, tell us about this report, and the introduction is very scathing. And I'm wondering when the government would read it and how they would take the rest of the report. But tell us about your understanding and the need for this report.

Yes, yes. In fact, I mean, when we started with this whole discussion, the background was when the government came out with the new intermediary guidelines rules. It talks about traceability, which talks about other aspects which could impact encryption. There were also reports of how countries across the world, not just India. For example, the Five Eyes countries, along with India and Japan, they came out with a statement of the need to have backdoors. Now, to just give an example in India, in fact, last month, there were reports in the media about the parliamentary committee on home affairs proposing a ban on VPN services.
Now, I'm sure my co-panelists who are from a tech background, along with persons who aren't listening to this, who have a tech background, they'll be wondering, how can you somewhat think of banning VPN? In the case of the pandemic, in the midst of the pandemic, if all of us could work, it was essentially thanks to stuff like VPN, where we could connect to our, let's say, organizations, the network, the devices, and work. How can a country which prides itself and calls for digital India, how can we think of doing something like this? But sadly, that's the state of debate that we are having with respect to encryption, with respect to security, with respect to privacy in our country. That is why we need to have a detailed discussion and more discussions like this, and to bring out reports like the one that we have published. Our report is available on our website, it is at sflc.in. You can go ahead and download the report. But yes, we need to have this debate going. I mean, the narrative seems to be that the citizen needs to compromise on her privacy. So that we can all have some security. But definitely this is a false debate. We recently saw how there was an attack on citizens, journalists, lawyers, human rights defenders, with military-grade software called Pegasus. The matter is not before the Supreme Court. We really don't know who did this. But for sure, one thing that we can learn is that we need to take our security seriously. It is upon the citizens to ensure that you take your security seriously. And that is where encryption comes in. In fact, we at SFLC used to conduct various training programs for journalists, marginalized communities, et cetera, on digital security and things like encryption. When we initially used to have these sessions, people were not very clever. Like why do we really need to bother about encrypting our mails, et cetera? But now I can tell you, especially journalists, people are more concerned about this.
People really want to learn how to encrypt their services, how to encrypt email, et cetera. One good thing that has happened over the years is that it has become easy to do encryption with open-source protocols, like Signal, which is now implemented by WhatsApp. And with that, now, I mean, other countries, as I said earlier, like the Five Eyes alliance plus other countries, including India, they want to now implement backdoors in these services. And that is something which is a bit scary. And that's why we need to have more of these discussions and debates. Yes, Abhinandan.

Thanks. Now, Mallory, you have worked around the world from your introduction. You've worked in various continents, in countries across the economic development spectrum. While, as the report says, there are many reasons that one can see how India's got it so wrong in the first draft that was created of an earlier policy document, which was withdrawn within two days, has any country really got it right? Because from what I saw of the report, and I just glanced through it. And today, I had a couple of hours to go through it. Other than Germany, that seems to want to make encryption stronger, is on the side of encryption. Every other country seems to be pushing against it, irrespective of where it is on the economic development spectrum. Israel, I guess, doesn't care because they have a lot of software that they can intervene anyway. So have you seen it right anywhere from a point of view of how people view it and also how government policy views it? And thank you, Apurva, for your question. If any of our viewers have questions you can put in the comments section. I'll keep taking them in the middle. So thank you, Apurva, for your questions, that we can take more in the comments section. Yeah, go ahead, Mallory.

Sure. So I think that it's hard to point anywhere and say that a country is getting it right, although I would note that the EU has repeatedly said it supports encryption.
But a lot of countries do. Even the UK will say they support encryption. And they want to, and that they can devise ways to intercept encrypted messaging and it's still encryption. So it's also, at the end of the day, a bit of a semantics game about what actually would be end-to-end encryption if it's intercepted by a government; in my technical view that is not any longer end-to-end encryption. And then, again, they're saying that they support it. I think that what's really important is what was just said a little while ago, which is to treat these laws not as trying to take away encryption because, well, it is effectively that. But they are, in spirit, actually trying to come up with new innovative technologies to support policing and intelligence agencies. They are tech solutionists at their heart. They're attempting to add additional features onto existing tech. There was a law I was familiar with for a while in India that was about traceability. That was, to me, a request for enhancing metadata. It's something that we criticize tech companies for doing if they have an end-to-end encrypted messaging system and they're using or they're creating too much data about data, which is what metadata is. They're learning too much about the system and about the users and how they use it, is something we criticize them for because we want those platforms to be more private. That law was asking for more information about the platform and users. It was exactly what users don't want. And so a lot of these proposals that we see in the UK, in Brazil, in India, in Australia, actually Germany had one not very long ago that was not great for encryption, Brussels. We've been following this. US is not exempt, by the way, that happens here, too.
The Global Encryption Coalition, which is something I can talk about a little bit later, perhaps, if people are interested, is actually set up for this very reason, to look across the globe to make sure that grassroots organizations and companies that are involved in combating some of these proposals can work together, learn from one another, support one another, and lift up those voices. Because really, I don't think tech is going to save us. I think we need to have the right to whisper online. We need to be able to communicate privately. And companies, or sorry, governments hoping to improve policing intelligence collection, need to make sure that their solutions to those problems do not infringe on these basic human rights.

Thanks, Mallory. Let me come back to Samuel, because Samuel, you had mentioned human rights. Throw that in the mix that proves that end-to-end encryption is a part of human rights because privacy is a part of human rights. Now, based on what Mallory just said, there's a third thing that comes in the mix, which is corporations using metadata. Now, that's a part of them conducting business where you press the I agree without reading the 1,080, 800,000 pages or whatever it is. And I guess it would be rational and reasonable to argue that a company's rights to conduct business and have consenting adults share data. So now, it's not just a question of human rights and governments, even a company's right to conduct business comes into the mix. How do you negotiate this space? Can actually, would it help if governments mandated companies not to be able to collect metadata? Is there any downside to that? Would that protect human rights without really getting them into the mix or not?

Well, I think even if companies weren't collecting and sharing metadata, government and intelligence agencies have other ways of accessing sensitive data on their citizens already.
And I think that locating encryption and the debates around encryption within broader debates around what intelligence agencies have access to already is really important. As the Pegasus project revealed, lots and lots of governments already have technology that essentially can bypass encryption. That doesn't mean it can break the encrypted messages in transit, but it gives direct access to a citizen's phone and therefore they can see exactly what you're doing on it. Similarly, digital forensics technology, which is used across the UK by police forces. It's like someone leaning over your shoulder and reading everything you're doing online. So I think that any discussions around encryption need to also, I'd rather be having a conversation about why we need to be discussing the capabilities and technologies that law enforcement agencies already have access to than just the need to kind of maintain and strengthen existing encryption systems. And with the metadata, I mean, the UK has been, yeah, conducting bulk interception of metadata for years now. And that continues. And I think that acknowledging how they are equally undermining and curtailing fundamental human rights is just as important. And I think that by acknowledging that, it helps kind of position these discussions around encryption a little bit more.

Thanks. Gus, this is an area you've worked extensively on. How, with that coming into the mix, human rights and the rights of companies to do their work, does it add another element to complicate an already complicated situation?

I'm sorry, my sound cut out. What was the first bit of your question? I'm sorry to ask.

Since you work on human rights and you work with the UNHRC, what we were talking about the human rights, what is your take on it?
And does companies' right to conduct business complicate an already complicated situation when they can get so much of data and then governments can mandate certain encryption laws with them and then civil society is left out of the discussion?

Yeah, so there's a really interesting, if we look just specifically at say the question around WhatsApp encryption, which is encryption applied within an app where it's end-to-end encrypted. That is, communications between me and you cannot be intercepted by anybody, including WhatsApp. That's right now the reason why the Five Eyes law enforcement side is having this angry debate around end-to-end encryption, because they don't want WhatsApp to be doing that. And they don't want Facebook to also introduce this capability, because Facebook is talking about making sure that Facebook Messenger and WhatsApp can intercommunicate and that they're all encrypted end-to-end. And so this is the relatively insane situation we're in where we have ministers of interior and justice or from across the world telling a private company that it's wrong for them to lock themselves out of our communications. They instead want Facebook to continue to peer into all of our interactions. They still want Facebook to mine every single interaction we're doing and they're telling Facebook, don't lock yourself out because we want to have access too. That's just an insane situation that we have justice ministers siding with Facebook and with Mark Zuckerberg to say, yes, we can exploit more data. And so what end-to-end encryption does and what for the first time in Mark Zuckerberg's life, he finally said, we need to have less data. And he said, let's put on end-to-end encryption. So at least while we're tracking people in every aspect of their lives, when they're messaging one another, we will not have that insight. We will not be able to mine that data. We will not be able to advertise them based on that data.
And then you have the Ministry of Justice knocking on their door saying, don't do that, please. This is ridiculous.

Right, so I guess we live in an age where governments around the world across continents want to become surveillance states. But I think the only person who is working for a private limited company, Arrka, Managing Information Risks, is Shivangi. If you could come in and give us your take from the point of view of data, what are the risks, since you do advise on risk management? Who is more at risk? Are governments more at risk? Are corporations more at risk? Or is the risk biggest for us individuals? Hi, is Shivangi here?

Yeah. Hi. I think the biggest risk is still all of us as individuals. I mean, without say, it goes without a doubt because I think it's opening a completely different can of worms. But when you look at corporations, companies protecting data of all the individuals that they carry, I think the encryption is just one small part of it. They have a long way to go before they really are able to protect data properly of individuals. It's a bit like, so yes, I mean, the large corporations are very mature. But if you look at the long tail of small and mid-sized companies, most of them have a long way to go. And that does give sleepless nights, I think, to a lot of people. And so in that grand scheme of things, I don't even think people are thinking encryption as one aspect of what they do. It's, as I said, it's a completely different debate and a problem statement to solve. So to answer your question directly, I think it's us individuals who are at risk end of the day.

So just since you're managing information risks, I may not completely understand what that actually entails as a company, but companies such as yours and many others, typically your clients would be governments or other organizations that are looking at data, are looking at information data.

So we work only with organizations, not with governments.
So we help organizations implement security and privacy. The fancy managing information risk translates into that. So yes, we do have a view into what really is going on on the ground. Unfortunately, organizations have to mature quite a bit. Till about a decade ago, the world was not as connected as it is today. So although large corporations always had, while they built their fortresses and did a good job, they've always had thousands of vendors who are small and mid-sized. And it takes a while to sort of, so wherever you work, whether it's a small company, whether it's a large company, the data is finally spread into many hands. And most people still do whatever they do for compliance rather than looking at it as a risk that they need to manage. Managing risk with data and technology is not given the same importance as let's say managing financial risks of an organization. And until they start coming up to considering it as critical as it is to manage, let's say financial risks of the company, I think we're going to have the same debate of catching up and what you do. Because I know of so many companies where even after they have been attacked, they've lost data, they still don't do enough because there is let's say no particular regulation or law or no customer telling them that, hey, if you don't do this, you know, X, Y, Z. And also the data as those are individuals and they're on their own. So a lot of that data is individual data. Yeah.

So Prasanth, you know, as Gus was saying, very few people would have any sympathy for Mark Zuckerberg and I completely am with him on that. But I will say that when I saw the congressional hearing he was on, some of those gentlemen who are from the pre-internet age, I think they were from the time when the printing press was invented. Some of the questions he was being asked, I was like, dear God, how are they going to make policy for the digital age? You have appeared before parliamentary committees.
Speak about the inevitability of policy just not being able to comprehend the scope of what they're supposed to achieve. And, you know, like I was asking Shivangi that our governments or corporations, our primary clients, but since individuals are most at risk, who's representing us? Who will hire an Arka or another organization on behalf of individuals and say, oh, this is a paper we need, which then can be presented to policy makers? Did you have any questions like Mark Zuckerberg had about, you know, some of those guys not even understanding what the internet is? How tough a battle are we looking at? Well, I would say our parliaments are lucky since the proceedings for parliamentary committee are not televised or not shown live. Though they are meant to be confidential and so only persons who appear before the parliamentary committees know what transpires there. So really, I mean, see, if you look at the kind of reports, I mean, I mentioned the report of a committee which said we need to ban VPNs. Then there's another committee which says talks about, which was on child pornography, which talked about preventing encryption and preventing end-to-end messages, end-to-end encryption. So that's the kind of debates that we are having with respect to parliamentarians, with respect to people who are making the law. Definitely you're spot on, when you said we need to have more informed decisions, we need to ensure that parliamentarians really understand the issues. These are the people who are going to make the law. Yesterday, we had a parliamentarian on our debate on this panel, Mr. Karti Chidambaram was there. So he was mentioning how this definitely is not an issue as far as electorate is concerned. The voter end of the day is not bothered about encryption. So unless we have a situation where a voter is bothered about encryption, that is, I believe, where we need help from journalists to make sure that people really understand what we are talking. 
These terms, encryption, end-to-end, these sound very esoteric. And see, when we talk about what's happening with WhatsApp, what's happening with end-to-end encryption, these are not issues which are happening only now. For example, in 2010, we had these debates about Research In Motion and the BlackBerry messaging services. The Indian government wanted access to the encrypted messaging service of BlackBerry. Yeah, I remember BlackBerry was still considered cool back then, yeah. Yes, it was cool back then. But then, finally, Research In Motion acceded to the request of the Indian government and decided to have servers located in India. So this has been a debate which has been going on. I'm talking about 2010. We are in 2021 now. But unfortunately, the scenario has not changed much. We still have a problem with our lawmakers not really able to understand the issue. Everyone wanting backdoors, everyone wanting ban on everything. I mean, that's the easy thing that we want to do, right? Ban everything, ban films, ban, I mean, OTTs, whatever. So ban is the common word that we come across. Ban VPNs, ban end-to-end encryption. Yeah, that seems to be the solution for everything. Okay, we have some questions and I'll start taking questions from the audience. So please, you can put in the comment section. Apurva Singh has a question for Mallory and Gus. Apurva asks, what would your recommendation be to regulate misinformation on encrypted platforms? Well, yeah, Gus, you want to take that first and then I'll go to Mallory, but in the report, there was a case of Apple has got some sort of a database when you store anything on the cloud. If it is to do with child pornography, their machine learning can identify that image because that is part of their data set of existing child pornography stuff and that they alert the police. That's the only reference that I saw in the report. 
But yeah, when it comes to regulating misinformation or other such stuff, what would your recommendations be for encrypted platforms? Gus, you want to go first? Yeah, I'll be the unpopular one first and maybe Mallory can smoothen it. First, I don't know what an encrypted platform is in that I don't know of any. There's no encrypted Facebook. There's WhatsApp where you can have a number of chat groups where you're communicating in an encrypted manner, but I haven't seen somebody build a Facebook-like platform that is encrypted at rest where nobody can interfere. What instead you have is it's encrypted between your phone and the servers, but that's it. Now, if we were to build some encrypted platform where nobody except for the people who are communicating with each other can intercept and regulate the conduct of that platform, then the unpopular answer is you can't regulate misinformation. If you go back to, I think it was Mallory's excellent point that encryption's kind of like a whisper. An encrypted group conversation is like a bunch of people sitting down having a conversation. And generally we have accepted across society that they can talk about whatever they want. And if we all, but what's happening with this digital era where even our conversations that might've happened in a tea house or a coffee house now have a company often based in the US as the intermediary that can somehow regulate what it is you actually say to one another and how you say it to one another. I think society, human society no longer functions as it used to. And I don't think we want that. All right, thanks. Mallory, your take on this question by Apurva? It's aimed at you as well. Yeah, it's misinformation is very difficult as a societal problem. And it's only exacerbated by this, these quick connections, these platforms because that's what platforms want. They want our engagement. 
And so there is at the end of the day a sort of fundamental paradox between the way that we would maybe normally use our platforms and then the way the platforms want us to use them. And it's all about engagement and misinformation gets a lot of engagement. That's the issue. So those are not technical issues. I'm gonna talk about the technical issues. The Center for Democracy and Technology put out a research report in August that talks about content moderation and end-to-end encrypted systems because there have been a lot of proposals. And we actually talk about traceability as one and rejected as not preserving the promises of confidential communications, et cetera. And there are a few others that also don't work like client side scanning, which is what you mentioned with Apple's CSAM detection is an example of client side scanning. We also don't like that. The things that we evaluated that seem promising in terms of their ability to keep communications confidential while also moderating content are two potential avenues for further research. The first is how to make the platform better for users by making a user reporting, for example, but that gives users agency. It gives them the ability to say like I don't want this garbage, like please get it out of my feed and a variety of other things. There are many things that you can do to just improve the user experience. And then the other one is around also improving user experience but doing it through the server side to try to combat spam and abuse of the system. Cause I think one of the biggest problems with misinformation for me is just, it feels like spam. It feels like unwanted content. And I think there's a lot of us that feel that way, that it's just kind of a, it's an abuse of the platform. Like I'm receiving forwards or I'm receiving lots of group text messages that I didn't really want because it's volume. It's virality. It's like these are things that have gone out of control. 
So using, we don't want to enhance metadata as I've said before. We don't want to make more data about data on these platforms, but given what you know already about senders, the number of messages they're sending, who they're contacting, there's a lot actually that we already know with the existing amount of metadata that you need to get one message from one place to another that can be used to try to combat spam and sort of abuse of the platform. So we look to maybe machine learning or other kinds of, again, tech solutionism, but that could help just improve the platform experience by reducing things like spam, but then that I think also would talk or speak to the issues around misinformation as well. Thanks, Mallory. This question's for you, Samuel. And the question for you is, do you think excessive metadata collection can be addressed by harmonizing it with purpose limitations such as using excessive metadata only for LEA access subject to adequate safeguards and laws? So first you're gonna have to just tell the rest of us what that means. I'm assuming you know what LEA access is, because I don't. Is it LEA, Law Enforcement Agency? Hi, Samuel, are you there? Hi, yeah. Law Enforcement, oh, okay, these are, right. So you got the question, should I repeat it? Yeah, if you wouldn't mind actually. The question is, Samuel, do you think excessive metadata collection can be addressed by harmonizing it with purpose limitation such as using excessive metadata only for LEA access? So I think limiting the amount of metadata that intelligence agencies have access to is important and purpose limitation certainly would be part of that. I think that the key part of this is what those safeguards might look like. At the moment, I think that there's a huge lack of transparency around the way that this metadata is being collected and analyzed and what, if any, those safeguards protecting citizens' right to privacy actually are. 
So I'd question specifically on the safeguards and the need generally for kind of greater transparency particularly around LEA's use of this data as well as not just metadata, but other types of data and mass surveillance that is routinely being rolled out and expanded upon around the world. Thanks. This question is from Rajan Lard. Rajan asks, with big tech being almost like quasi superpowers, how do countries, especially those who depend on these firms for communication with the public, enforce their laws for privacy, right? So how do you negotiate that space? Any volunteers who'd like to take that question? Okay, let me just throw that to Prashant then since you've been in the policy space for a while. Prashant, can you take that question? Yeah, definitely we need to have strong laws with respect to privacy and data protection. But that is a lack that we have in India. We don't have good laws as far as data protection is concerned. We are still debating on that and it has been, I mean, in the building stage for quite long now. So irrespective of how big a company is whether it's a Google or a Facebook, you need to ensure that there are strong laws which will take care of the privacy of the citizens. So I mean, the size of the companies doesn't matter. So if you have a strong legal framework that should be able to protect the privacy and data of citizens. But can you give us an idea of which country does have a very robust law on privacy and empowering the citizen when it comes to dealing with large super corporations? Yeah, I would say that Europe with this GDPR has shown that we can definitely have strong laws which protect the rights of citizens. And I mean, most of the good, I mean, jurisprudence on privacy and data protection has come from the European Union. Right, anybody else has anything to add on that? Does anyone want to come in before I move on to another question? Okay. Okay, not on that I guess. 
Okay, now I'll just speak about this, the bit that I read about the first originator and the traceability angle. Now, I mean, I feel I'm fairly well-versed with the pros and cons and the limitations and risks of the digital age. But I was under the impression that WhatsApp is end-to-end encrypted, which means no one can get access to it because the person who created a random key is formed with every message. So none has a pre-existing key. So could someone explain to me with this entire the IT rules of traceability provision? A, how does one get to the first originator? Is that even possible? How complicated is that process? And if there is a key possible, is there any truly end-to-end encrypted platform where our information is completely rock solid with certainty? I can say no one is getting this. Does it even exist? Or are we talking about something that doesn't really exist? Can I start with, let's go with the tech professional, Shivangi, does this even exist? See, we have to understand that there are two aspects to encryption. There is the actual encryption that happens and then there are keys that enable that encryption. Most of the time, and I'm not going to comment on the traceability aspect because I haven't done a deep dive, but conceptually, most of the time, it is harder or sometimes almost impossible to actually crack the encrypted channels or the encrypted data. But so what most people work with are trying to get hold of the keys. So the only way in an ideal world that you said, which is completely foolproof, if you find some way of getting rid of the keys, right? Which then beats the whole purpose because then people who need to have access will not have access. So that is, I think, essentially, if therefore people work on solving the problem of managing the keys and who gets access to the keys and so on and so forth. So if you deep dive into most debates and discussions, it boils down to that. 
Coming to traceability, exactly how WhatsApp does it, I don't know the answer. If somebody else can answer that, that would be good. Could someone else come in on that and shed some light on how is that possible and you've been told it's end-to-end encrypted? Yeah. They don't do it now, but I've seen proposals for how they might do it. And they, again, in my view, it just increases the amount of data that you know about the system, even though you've not perhaps decrypted the message itself, the message in question. I would note here, though, that in most schemes or in most sort of workflows, I guess imagined by law enforcement or by the intelligence community is they actually already have the content of the message. Someone's forwarded to them, they've discovered it, something they already know what's inside the message, but what they're interested in is tracing it backwards. So we're not talking about a scheme that would decrypt it. However, we are talking about a scheme that would give you an intermediary like WhatsApp or then ostensibly anyone requesting that data through a court order or other means, the ability to see lots of information about that message as it traveled through a social network or an encrypted messaging system. So the scheme I saw was that you sort of wrap each message anew. So once the message is shared the first time, it's sort of wrapped in the encryption of the two private public key encryption scheme. But then when it gets forwarded or sent again, it gets sort of rewrapped. And all along the way, you have this ability to sort of unwrap these layers. So that's one scheme that I've seen. There's certainly a problem with any end-to-end encrypted system or platform that can get access like this to your data. It's to me, not actually true end-to-end encryption, but there are certainly applications and services out there. They do it the right way. 
And there's a great deal of work and effort that these services go through to make sure that they don't know what's going on in their system. It's the things that they're looking for are reducing metadata, not enhancing it. They're using strong cryptographic algorithms such that they can't easily brute force attack a message, which is another method where you just have the encrypted texts and you just run it through enough supercomputing that you can just decrypt it even if you don't have the keys. There's a few different methods and essentially a good service is trying to mitigate all those threats for the end user and make sure that itself as the sentence little as possible. Right. Thanks, Mallory. So we're at the end of our one hour, in case I've missed anything out or if there's anything else that can be added to the discussion, could I please ask the panel to chip in because like I said, this is such a technical space that I am really not as well-versed with it as nearly as well-versed as any of you. Any part of this that you think our viewers would or should have an insight into which we haven't got into yet? Gus, Samuel, anyone? Shivangi, Prashant. I don't know if you can hear me. If there's one angle I want us to always go back to is that the entire digital infrastructure of our lives from our phones to our home routers to how the telephone networks be used, they're incredibly insecure. They're incredibly leaky. They leak data all the time and we need to get smarter about securing this infrastructure. And what we have been finding in our research is while we can focus on what is Facebook doing and what's Apple doing with their latest phones and the fights that they're having, the vast majority of the world are using Android phones that are so old or so cheap that they are inherently insecure. 
You don't need some sophisticated hacking technique or the police don't need some secret tool in order to get access to every detail of our lives because our phones or any of the devices in our lives, particularly home routers, are so insecure that we need to solve those problems before we get to the incredibly sexy problems of end-to-end encryption. We need to rebuild security from the ground up from the device level all the way up to all these services. Thanks for that, Gus. Anyone else before we wind up? Prashant, Samuel, Mallory, Shivangi, is there anything that we should touch upon before we wind up this discussion because we are over an hour now? Just to add on to discussion that Mallory had about end-to-end encryption and the traceability angle of it. See, the proposals that we had about having traceability in India, like the proposals that were before the courts and both in Chennai and the Supreme Court, of adding something to the messages so that you can identify the originator. One was of decrypting that, I mean, encrypting that, the metadata part of it, and then it's only WhatsApp can then decrypt it. Then there was a third proposal by MeitY which talked about a hash chip. Now, all these, if you look at it, results in increasing the data. That's the metadata component of it. That is the data about data. Now, any good security practice and as practice which will enhance your privacy will be to reduce the amount of data stored by these entities. That is, essentially, we should be talking about data minimization. But on the other hand, now we're talking about data maximization where these platforms store maximum data about you. That definitely is a problem that we need to address. Yeah, I think Shivangi, you were gonna say something. 
Yes, I also wanted to actually add on to what Gus said, which is that, you know, I think the humongousness, if that's a word, or the vastness of the problem that the average citizen is exposed to both from a privacy and security angle is something which most people don't even fathom. And, you know, somewhere the debate always gets skewed towards what is Big Tech doing or what is somebody else doing? And as he said, the sexy problems. But I think that the problems on the ground are so huge and most people don't notice it. And the other sort of narrative that most, you know, that popular narrative that people seem to have is that, oh, my data is already out there. So why should I really care? You don't have anything to, or what do you have to hide? What's the big deal about privacy? And especially in a country like India, you know, the very popular thing is, oh, as a culture, we are not really, you know, privacy is no big deal. So why have this debate at all? I mean, people are completely missing the point that it is, you know, it's my data that is out there which is out of my control and people are doing whatever they want to do. And I think somewhere balance needs to come over. Thank you, Shivangi, for that. And thank you, Gus, Prashant, Samuel, and Mallory. And thank you, SFLC, for putting this report together. I have more time to read it now, but I increasingly worry about things that impact us in such profound ways as just regular citizens are getting more and more technical. And if the only way to remain an informed citizen is to have a resume like this panel, I think we are wholly ill-equipped to handle the digital age as far as policy is concerned. But hopefully such discussions shall keep us informed and we shall try to stay ahead of the curve on information. Thank you all. It's been a pleasure. I have learned a lot during the discussion and I hope our viewers have as well. Do stay tuned for all the other discussions SFLC and NewsClick bring you. 
Thank you all. Thank you.