Signal Says It Will Exit India Rather Than Compromise Its Encryption

Techdirt. 2022-10-26

Signal ensures its users’ security and privacy by encrypting their messages and refusing to collect a bunch of data governments or malicious hackers might find useful or interesting. That hasn’t made it many friends in governments (except with government officials who utilize the service to dodge public records requests).

An FBI official once compared Signal creator Moxie Marlinspike to a KKK member, which gives you some idea how entities whose demands for data have been thwarted by Signal’s refusal to collect or store that data feel about the ultra-secure messaging platform.

The government of India is one of several that take a dim view of encryption, feeling it does little more than allow criminals to avoid detection and otherwise threaten the security of the nation and the safety of the public. The Indian government is wrong, but that hasn’t stopped it from trying to mandate backdoors or just flat-out ban encrypted communications.

One route the Indian government has taken to justify its attempts to undermine encryption is the fight against online disinformation and abusive communications. A law put into place mandates encrypted services collect and retain metadata about encrypted communications, something some services — like WhatsApp — don’t currently do. That move resulted in WhatsApp suing the Indian government over the 2021 law, claiming the mandate — which would require WhatsApp to collect and retain all message metadata in perpetuity (since it obviously can’t know in advance what information the government will come looking for) — violates India’s own privacy laws.

The Indian government has now gone even further. Proposed legislation would give the government the power to intercept encrypted messages. Obviously, interception is useless against end-to-end encryption, so this new power would either require companies to provide assistance in decrypting and/or intercepting messages or it would require companies falling under the mandate to unplug at least one end of the end-to-end encryption so the government can listen in.

Signal is making it clear it won’t comply with mandates that require it to compromise its encryption, which means the Indian government’s pending threat to undermine its citizens’ security will remain only theoretical if it moves forward with this legislation.

In a wide-ranging interview with Nilay Patel for The Verge, Signal president Meredith Whittaker made it clear the company will exit India (and give up access to a market with more than a billion potential users) if the Indian government heads in the direction of backdoors or compelled decryption.

If India passes a law or deems Signal to not be in compliance with whatever encryption regulation, will you walk?

I mean, if the choice is breaking Signal or walking… A lot of times, these policies, strategies, and discussions are not a Boolean. It’s not a cut-and-dry engineering decision — these are very muddy. Frankly, these are not things that are usually best to go into detail on publicly. You have to think about a lot of different political and social dynamics all at once and make up-to-the-minute choices based on dynamic situations. That is a very broad answer. 

I think we are going to be keeping our eye on it. We are going to be doing everything we can to remain available to as many people as possible without breaking Signal.

It’s a broad answer to a specific question. If a government in the world says, “In order to operate in our country, we want the keys to your encryption,” would you just walk?

Yes, we would walk. We will not hand over the keys to our encryption, we will not break the encryption. In fact, with the way we are built, we don’t have access to those keys.

There will be no calling of Signal’s bluff because… well, it’s not a bluff. First off, it doesn’t collect or retain the metadata demanded by the law passed last year. And it doesn’t have the encryption keys the Indian government now seems intent on obtaining from encrypted communication services.

Signal can’t be pushed around because it’s a non-profit that doesn’t need to answer to shareholders or execs who expect to see constant growth. And there’s no magical in-between area where the Indian government and Signal can find common ground. Some things are a bit Boolean, as Whittaker states above, but some things are simply binary.

More from the president of Signal:

We are not going to compromise. That would imply that we are in a negotiating stance. Again, I have been in tech almost 20 years, so I have seen this sort of magical thinking recur. It’s this desire, particularly by state actors, to break encryption for their purposes, without understanding that that breaks it fundamentally across the board. This may sound a little bit dated, but there is no compromising with math.

If encryption is broken, it is broken. If Signal doesn’t keep its privacy promises, then there is no real point for us to exist as a nonprofit whose sole mission is to provide a safe, private, pleasant place for messaging and communication in a world where those are vanishingly few and far between.

That’s the entirety of Signal’s mission statement. Either Signal provides what it tells users it provides or it doesn’t. And Signal is unwilling to become a service that claims to offer secure communications but only if users reside in certain countries or allow Signal to hold their encryption keys or whatever.

It’s not often you see this sort of principled stand taken by communication service providers. And it’s refreshing to hear that no matter what compromises its competitors make to retain users, Signal won’t start valuing things like market growth over its promises to users.