The 2024 elections in India are widely regarded as the largest in history, with nearly a billion people eligible to cast a vote. Alongside the sheer human scale, there’s another aspect of the Indian elections that is surprising for its magnitude. This is the use of millions of deepfakes by Indian politicians in an attempt to sway voters, a topic on the most recent Ctrl-Alt-Speech podcast. As Mike noted during the discussions there, it’s a relatively benign kind of deepfake compared to some of the more nefarious uses that seek to deceive and trick people. But an article on the Rest of the World site points out that the use of deepfakes by Indian politicians is pushing ethical boundaries in other ways:
In January this year, M. Karunanidhi, the patriarch of politics in the southern state of Tamil Nadu, first appeared in an AI video at a conference for his party’s youth wing. In the clip, he wore the look for which he is best remembered: a luminous yellow scarf and oversized dark glasses. Even his head was tilted, just slightly to one side, to replicate a familiar stance from real life. Two days later, he made another appearance at the book launch of a colleague’s memoirs.
Karunanidhi died in 2018.
“The idea is to enthuse party cadres,” Salem Dharanidharan, a spokesperson for the Dravida Munnetra Kazhagam (DMK) — the party that Karunanidhi led till his death — told me. “It excites older voters among whom Kalaignar [“Man of Letters,” as Karunanidhi was popularly called] already has a following. It spreads his ideals among younger voters who have not seen enough of him. And it also has an entertainment factor — to recreate a popular leader who is dead.”
A Wired article on the topic of political deepfakes, discussed on the Ctrl-Alt-Speech podcast, mentions another Tamil Nadu politician who was resurrected using AI technology:
In the southern Indian state of Tamil Nadu, a company called IndiaSpeaks Research Lab contacted voters with calls from dead politician J. Jayalalithaa, endorsing a candidate, and deployed 250,000 personalized AI calls in the voice of a former chief minister. (They had permission from Jayalalithaa’s party, but not from her family.)
That raises the issue of who is able to approve the use of audio and video deepfakes of dead people. In India, it seems that some political parties have no qualms about deploying the technology, regardless of what the politician’s family might think. Should the dead have rights here, perhaps laid down in their wills? If not, who should be in control of their post-death activities? As more political parties turn to deepfakes of the dead for campaigning and other purposes, these are questions that will be asked more often, and which need to be answered.
This episode is brought to you with financial support from the Future of Online Trust & Safety Fund, and by our sponsor TaskUs, a leading company in the trust and safety field providing a range of platform integrity and digital safety solutions. In our Bonus Chat at the end of the episode, TaskUs SVP of Global Offerings Phil Tomlinson tells us about his time at the Trust and Safety Professional Association summit in Dublin, his key takeaways from the event, and the trust and safety lessons learned from well-designed conference lanyards.
We know that a lot of politicians (and media folks) in the US are pushing to ban TikTok. It has seemed notable, of course, that European countries don’t seem all that worried about TikTok, which should raise questions about how serious the “threat” really is. However, one major country did decide to ban TikTok a few years ago: India.
Of course, it was less about the threats TikTok posed directly (even though the Indian government pretended otherwise), and more about retaliation for the border dispute between India and China.
That said, we now have a few years of evidence as to how that’s worked out in India. In the last couple of days, both the Wall Street Journal and the NY Times have published articles looking at what happened when India banned TikTok. In both cases, it’s a mixed bag, but it didn’t work out as well as the government liked, generally helping big American companies and pissing off lots of young people.
But, let’s start by going further back. Last year, the wonderful site Rest of World published their own article on this question. They found that the only “winners” from a ban were basically the biggest American companies: Meta and Google. This is because both Instagram and YouTube got a big boost in traffic from people who formerly used TikTok in India.
As for those who lost out: people who had built up a large following on TikTok found it hard to replicate elsewhere. Also, a flood of local Indian startups and investors rushed into the void to try to create their own TikToks, only to find that it was tougher than they expected (especially with Instagram and YouTube offering such a large audience already):
Some venture capitalists in India tried to capitalize on the ban with their own competitors — but building a TikTok replacement proved harder than it looked. A little more than four months after the ban, at least 13 TikTok short-form video startups emerged — but today, only three of those apps are significant players: Moj, Josh, and Glance. They’ve raised significant funding and seen their valuations rise but struggled to fight the dominance of Reels and Shorts.
“Whatever hopes we had, they were proven wrong. We have not achieved the kind of numbers that we hoped for,” says Lunia, whose firm is a backer of Moj’s parent company. “Meta and Google have extracted their pound of flesh from these other [short-video apps] who want to get app downloads.”
So, given the concerns that many people have already expressed that Google and Meta are already too big, it seems like a weird move for those same politicians to help those companies out by kneecapping TikTok. Of course, this also explains why Meta hired political tricksters to plant stories about the supposed dangers of TikTok. Meta knows that it would stand to benefit a ton from a TikTok ban.
As the more recent NY Times article highlights, there was a real negative impact for Indian creators, even those who moved over to the big American platforms:
India’s online life soon adapted to TikTok’s absence. Meta’s Instagram swooped in with its Reels and Alphabet’s YouTube with Shorts, both TikTok-like products, and converted many of the influencers and eyeballs that had been left idle.
The services were popular. But something was lost along the way, experts said. Much of the homespun charm of Indian TikTok never found a new home. It became harder for small-time creators to be discovered.
Nikhil Pahwa, a digital policy analyst in New Delhi, tracks the overall change to the departure from TikTok’s “algorithms, its special sauce,” which was “a lot more localized to Indian content” than the formulas used by the American giants that succeeded it.
Still, the NY Times piece suggests that once you get past all that, some former TikTok stars have succeeded on other platforms.
The WSJ article, though, suggests younger users in India are still angry about how all this played out and don’t feel particularly happy with what they’re left with:
Today, some of the platform’s fans in the South Asian country still mourn its absence. They say rival Indian services that sprung up in TikTok’s wake aren’t as appealing. While new short-video offerings from YouTube and Instagram have offered alternatives, some feel they lack TikTok’s allure. And some fans are still angry at the government for booting out TikTok.
Indeed, as people interviewed by the WSJ note, the whole thing seemed to be for no real reason other than a weird power flex by the government:
“India is a free and democratic country and authorities can’t just force decisions and restrict freedom of speech and expression just because you have political disagreements with another country,” said 18-year-old Noushad Ali, who used to make TikTok videos about teenage romance.
“Why did the Indian government ban it?” asked Ritik Tannk, a former TikTok creator who made comedy videos, one of which garnered 16 million views. “Our data gets passed on through other apps also, like Facebook and YouTube. Why ban just TikTok for data privacy?”
The WSJ piece also notes how some ancillary businesses were impacted by TikTok shutting down in ways you might not expect:
TikTok’s absence in India is felt by local vendors working in New Delhi’s Connaught Place, a shopping district where crowds of creators once gathered to shoot their videos.
Ramesh Gupta runs a snack shop in the area. His sales have fallen about 20% since the TikTok ban, he said. He enjoyed watching young men and women with colorful hair and shiny sunglasses dance and sing, and liked serving them meals when they rested between shots.
“They would break for lunch and have tea and snacks like noodles, samosas and cutlets at my shop,” he said. “Those days are gone now.”
Again, it’s not as if the world will end if the US bans TikTok as well, but it seems like a weird way to deal with any actual privacy issues. It also seems like an even stranger way to support basic freedoms in the US, by suggesting that American freedoms can’t withstand a popular content app from China.
People in India felt a real loss to having TikTok shut down. Young people were angry about their government making nonsense moves. I imagine the response in the US would be quite similar.
Usually when we discuss trademark disputes, we tend to highlight examples and stories where the dispute is initiated by a party where we really, really don’t think they have much of a leg to stand on. This story is different in that respect. In India, an eBike company called Yulu has sued a company called Kinetic Green over it’s eBike that is branded as the “Zulu.” If you squint at this whole dispute just right, you can begin to see the concern Yulu might have.
The names are very similar, with only one letter difference between the brands, and that one letter difference is the letter next in the alphabet to the original. Both make eBikes, though the product lines are somewhat different. They both operate in the same geographic market. You get it.
According to media reports, Yulu filed the lawsuit in January after Kinetic Green launched its new Zulu range of electric scooters. The company believes that it sounds too similar to its own brand and may cause confusion among customers.
Meanwhile, the Karnataka High Court reportedly ordered a temporary injunction on February 5, 2024. The court has restrained Kinetic Green Energy from using, selling and advertising with ‘YULU’ and associated trademarks or similar words, including ‘ZULU’ and ‘Kinetic Green Zulu’.
Here’s the thing though: I don’t think there’s any real reason to be worried about confusion in the public. Why? Several reasons, actually.
The branding for the companies doesn’t otherwise resemble one another, for starters. The Kinetic Green bikes and branding are not particularly similar generally.
As you will see, the look and feel of the products themselves is quite disimilar. Add to that the fact that Yulus seem to be in the category of eBike rental stations scattered throughout cities, versus the Zulu product just being a thing you buy, and it’s hard to see how anyone is going to seriously get confused here.
And now let’s tack on the fact that “Zulu” is itself a very recognizable term, having been the name for a large ethnic group that exists in southern Africa. This isn’t two fanciful names that sound alike, but rather one original name and one that has solid footing in the global lexicon. Again, where is the confusion really going to occur here?
And that’s probably why Kinetic Green is itching to get this trial started.
In response, Kinetic Green’s lawyers have requested the High Court to advance the date and allow them to file their objections sooner. The final decision on the interim application is expected to be made by the Commercial Court by March 11, 2024.
That date is only a few days out at this point, so it seems like we’ll get our answer on this sooner rather than later. From my perspective, I don’t see any real reason why Kinetic Green shouldn’t be allowed to sell its Zulu bikes.
Back in December, we wrote about Appin. We were not writing about the reports (of which there have been many) that the organization that started as a sort of cybersecurity training school, but morphed into a kind of “hack-for-hire” scheme was involved in all sorts of nefarious activity. Rather we wrote about their (ab)use of the Indian court system to order Reuters to remove a big, detailed, investigative report on the company.
The history of Appin, and reporting on its involvement in hacking schemes, goes back a over a decade. Reports of Appin trying to hide and suppress such stories is a bit shorter but are abundant. And Appin has, at times, been quite successful, especially in trying to remove the name of the guy regularly accused of being behind Appin, Rajat Khare. See this SwissInfo report on how Qatar “spied on the world of football,” which was forced to remove Khare’s name while leaving in Appin’s.
Or how about the Bureau of Investigative Journalism story published in 2022, Inside the Global Hack-for-Hire Industry. An earlier version of that report names Khare. In April of 2023, the article was updated, and all mentions of Khare disappeared. There are many more examples as well.
In a move that has press freedom campaigners troubled, Rajat Khare, co-founder of Appin, an India-based tech company, has used a variety of law firms in a number of different jurisdictions to threaten these U.S., British, Swiss, Indian, and French-language media organizations.
On Nov. 16, Reuters published a special investigation under the headline “How an Indian startup hacked the world,” detailing how Appin allegedly became a “hack for hire powerhouse that stole secrets from executives, politicians, military officials and wealthy elites around the globe”—a claim that Khare strongly denies. Khare retained the powerhouse “media assassin” firm Clare Locke LLP, which boasts on its website about “killing stories,” to send Reuters several legal threats over the past year about the story, according to two people familiar with the matter.
After the removal of the Reuters story, which at least involved an actual court order, others appeared to be bullied into submission as well. Perhaps most shockingly, Lawfare (who, of anyone, should understand how ridiculous this is) redacted their version of the story about Reuters pulling down its article, saying that they did so after receiving “a letter notifying us that the Reuters story summarized in this article had been taken down pursuant to court order in response to allegations that it is false and defamatory. The letter demanded that we retract this post as well.” And they did so, despite no legal basis:
Unsurprisingly, we also received similar demands. We received multiple emails claiming to represent “Association of Appin Training Centers” legal department, and claiming (falsely) that by quoting the Reuters article (which we did not even do) we were also liable for violating the court order. Similar demands were also sent to our CDN provider, our domain registrar, and the domain registry.
The only thing we quoted from Reuters was their announcement about the removal — not from the original article. The other parts we quoted were from SentinelOne, the security research firm that Reuters used to analyze the data. At the time we wrote the article, SentinelOne’s report remained online (it, too, has since been removed “in light of a pending court order … out of an abundance of caution”).
In the meantime, though, all these attempts to pull down and hide the content appears to be causing a bit of a Streisand Effect. Beyond the Daily Beast article calling out the campaign, the website Distributed Denial of Secrets decided to republish the Reuters piece as part of its new “Greenhouse” project, noting:
In response to the unacceptable censorship by Appin and the Indian courts, Distributed Denial of Secrets is launching a new initiative to combat censorship: the Greenhouse Project. The Greenhouse Project continues DDoSecrets’ mission of ensuring the free transmission of data in the public interest by making the ‘publisher of last resort’ concept proposed by George Buchanan in 2007 a reality. By ensuring the reporting and source files are preserved, the Greenhouse Project builds on previous efforts creating a “warming effect” to reverse the chilling effects of censorship.
In addition, the Freedom of the Press Foundation, Politico, and Columbia Journalism Review have all run stories on Appin’s attempt to silence reporters. And, of course, all of this just keeps bringing more and more attention to the underlying claims about Khare and Appin. If Khare disputes those claims he could respond to them and refute them directly. Instead, he appears to be continuing a campaign of legal threats and dubious legal filings to seek to scare off reporters.
A few weeks back, we found out that our friends at Muckrock, the operators of DocumentCloud, had also received similar threats regarding documents hosted on that site.
Earlier this week, EFF sent a letter to the Association of Appin Training Centers, on behalf of both us and Muckrock, pointing out that the arguments they made in their letters to both of us did not appear to match what was in the actual court filing, which (1) does not clearly establish that the articles were defamatory based on the full evidence and a complete defense by Reuters, and (2) very clearly only apply to Reuters and Google. Furthermore, the letter points out that we are protected by the First Amendment, and any move to enforce a foreign order that violates the First Amendment would be barred under the SPEECH Act.
This kind of censorial bullying may work on other publications, but BestNetTech believes that (1) important stories, especially around surveillance and hacking, deserve to be read and (2) it’s vitally important to call it out publicly when operations like Appin seek to silence reporting, especially when it’s done through abusing the legal process to silence and intimidate journalists and news organizations.
We want to thank David Greene and Aaron Mackey at EFF for their help with this.
To the Association of Appin Training Centers:
We represent and write on behalf of BestNetTech and MuckRock Foundation (which runs the DocumentCloud hosting services), each of which received correspondence from you making certain assertions about the legal significance of an interim court order in the matter of Vinay Pandey v. Raphael Satter & Ors. Please direct any future correspondence about this matter to us.
We are concerned with two issues you raise in your correspondence.
First, you refer to the Reuters article as containing defamatory materials as determined by the court. However, the court’s order by its very terms is an interim order, that the defendants’ evidence has not yet been considered, and that a final determination of the defamatory character of the article has not been made. The order itself states ‘this is only a prima-facie opinion and the defendants shall have sufficient opportunity to express their views through reply, contest in the main suit etc. and the final decision shall be taken subsequently.
Second, you assert that reporting by others of the disputed statements made in the Reuters article ‘which itself is a violation of an Indian Court Order, thereby making you also liable under Contempt of Courts Act, 1971.’ But, again by its plain terms, the court’s interim order applies only to Reuters and to Google. The order does not require any other person or entity to depublish their articles or other pertinent materials. And the order does not address its effect on those outside the jurisdiction of Indian courts. The order is in no way the global takedown order your correspondence represents it to be. Moreover, both BestNetTech and MuckRock Foundation are U.S. entities. Thus, even if the court’s order could apply beyond the parties named within it, it will be unenforceable in U.S. courts to the extent it and Indian defamation law is inconsistent with the First Amendment to the U.S. Constitution and 47 U.S.C. § 230, pursuant to the SPEECH Act, 28 U.S.C. § 4102. Since the First Amendment would not permit an interim depublication order in a defamation case, the Pandey order is unenforceable.
If you disagree, please provide us with legal authority so we can assess those arguments. Unless we hear from you otherwise, we will assume that you concede that the order binds only Reuters and Google and that you will cease asserting otherwise to our clients or to anyone else. ———————————————————– David Greene Civil Liberties Director/Senior Staff Attorney Electronic Frontier Foundation
Israeli malware developer NSO Group found itself the subject of international headlines a couple of years ago. Not the good kind either. A leaked document apparently showed who was being targeted by the company’s cell phone exploits — a long, disturbing list that contained journalists, lawyers, activists, dissidents, religious leaders, and plenty of politicians.
The months following that initial leak have been even less kind to NSO. To be fair, NSO deserved every bit of this backlash since it had spent several years courting the business of some of the most abusive governments in the world.
NSO is pretty much out of the malware business at the moment, but even if it chooses to get back at it, it will be an extremely uphill battle. It’s been sanctioned, sued, and the subject of multiple investigations by governments apparently shocked to discover they themselves have been maliciously deploying malicious software.
India is one of several countries to open an investigation into NSO and possible use of its phone exploits. This investigation was actually opened by the nation’s top court, which has already been told by the Modi government that it’s not interested in cooperating with the Supreme Court’s inquiry. And the government still wants surveillance tech to (presumably) abuse. But, for the moment, it’s not interested in purchasing it from NSO Group.
Factoring into this latest news is a move Apple made after these revelations about NSO. It sued NSO towards the end of 2021 — a lawsuit that came with a new notification program attached. Apple stated it would notify any users it suspected to be targeted by state-sponsored hacking attempts. It made good on this promise almost immediately, notifying a Polish prosecutor that their phone had been subjected to hacking attempts. Many more notifications soon followed, with the company notifying victims in Thailand, El Salvador, and Uganda.
All of that has added up to this: the government of India being super-pissed Apple is letting people know state-sponsored hackers are trying to access their devices. Gerry Shih and Joseph Menn, reporting for the Washington Post, have the details:
A day after Apple warned independent Indian journalists and opposition party politicians in October that government hackers may have tried to break into their iPhones, officials under Prime Minister Narendra Modi promptly took action — against Apple.
Officials from the ruling Bharatiya Janata Party (BJP) publicly questioned whether the Silicon Valley company’s internal threat algorithms were faulty and announced an investigation into the security of Apple devices.
Understandably, it’s embarrassing getting caught doing the sorts of things people already suspect you of doing. But rather than say something useful — like the government will be looking into this to see if this is a misuse of the tech — the Modi government chose to accuse Apple of being incompetent and place it under investigation instead.
According to anonymous Modi administration officials, the government is placing a ton of pressure on Apple’s India reps to come up with an alternative to the notification program and/or the notifications themselves. Apparently, the government believes the notifications are having a negative “political impact.” Again, rather than alter its tactics, it’s pressuring Apple India reps to alter theirs. They’re seeking alternative wording that might suggest the Modi government has a better reason for hacking phones than simply to spy on people who aren’t fans of Modi or his administration.
That’s going to be a tough sell. The facts speak for themselves.
Many of the more than 20 people who received Apple’s warnings at the end of October have been publicly critical of Modi or his longtime ally, Gautam Adani, an Indian energy and infrastructure tycoon.
Things look even worse when you take a look at which journalists were apparently targeted by state-sponsored hacking:
Of the journalists who received notifications, two stood out: Anand Mangnale and Ravi Nair of the Organized Crime and Corruption Reporting Project, a nonprofit alliance of dozens of independent, investigative newsrooms from around the world.
If the Modi administration wanted to draw attention away from its abusive tactics and alleged corruption, it couldn’t have picked a worse way to do it. Thanks to Apple’s notification program, the entire world now has a clearer picture of how (and why) the Indian government deploys phone exploits. And the malware detected on Mangnale’s phone was none other than NSO Group’s flagship product: Pegasus.
NSO did respond to requests for comment from the Washington Post, but as usual, its contribution to the discussion was less than useful. Once again, NSO stressed it only sells to governments and only for the purposes of combating terrorism and “major crimes.” But this part of the statement is even more useless than the usual stuff NSO says when yet another report shows even more abusive deployments of its spyware.
“The company’s policies and contracts provide mechanisms to avoid targeting of journalists, lawyers and human rights defenders or political dissidents that are not involved in terror or serious crimes.”
“Provide” all the “mechanisms” you want, but it doesn’t actually prevent anyone from targeting the kind of people who shouldn’t be targeted by governments that bought malware and agreed to use it to fight terrorism and “major crime.” The correct response would be to terminate contracts and refuse to sell to governments caught abusing the tech. The incorrect response would be… well, pretty much everything NSO has done since the leak blew the lid off its plausible deniability.
It’s pretty easy to tell a powerful foreign government to fuck off from Cupertino, California. But things are far less simple for those having to deal with Indian government officials face-to-face. The Apple reps located in India appear to have been intimidated into at least some level of cooperation with the government’s preferred narrative.
Apple India soon sent out emails observing that it could have made mistakes and that “detecting such attacks relies on threat intelligence signals that are often imperfect and incomplete.”
But that appears to be the end of the concessions being made by Apple India. And Apple, for its part, flew an outside rep to India to meet with the government in an effort to disabuse it of its (clearly false) notions that Apple hacking warnings are generally just the result of incompetence by Apple’s security team.
For now, it appears the Modi administration believes it has won this match. Pressure to alter notifications has eased a bit as the government’s narrative is continually pushed by politicians who insist the notices were nothing but mistakes or, as one legislator put it, “fake” (as in news). The Indian government can try to enjoy this non-victory, but it’s still losing the long game. India’s citizens already know they can’t trust this government. This is just more evidence indicating the distrust is genuine and earned.
Over the years we’ve written about plenty of “cyberespionge” companies. Some engage in spyware or surveillance ware. Others actively hack devices. Almost all of these eventually get exposed through dogged investigative reporting.
Reuters has temporarily removed the article “How an Indian startup hacked the world” to comply with a preliminary court order issued on Dec. 4, 2023, in a district court in New Delhi, India.
Reuters stands by its reporting and plans to appeal the decision.
The article, published Nov. 16, 2023, was based on interviews with hundreds of people, thousands of documents, and research from several cybersecurity firms.
The order was issued amid a pending lawsuit brought against Reuters in November 2022. As set forth in its court filings, Reuters disputes those claims.
I had missed the original article, now that the court has forced Reuters to take it down, it seems likely to get much more attention. You can find archives of it in multiple places. Though who knows if those will remain up. You can also find articles building on Reuters’ investigative reporting.
The basic summary of the Reuters report is that an Indian firm, Appin Software Security, has been offering what is effectively “hack for hire” services for over a decade.
Notably, Reuters reporters handed over the data they found to SentinelOne who did their own analysis of what was found, and it’s pretty damning. Notably, the SentinelOne report appears to still be online.
Appin is considered the original hack-for-hire company in India, offering an offensive security training program alongside covert hacking operations since at least 2009. Their past employees have since spread to form newer competitors and partners, evolving the Appin brand to include new names, while some have spread into cybersecurity defense industry vendors. Appin was so prolific that a surprising amount of current Indian APT activity still links back to the original Appin group of companies in one form or another. Campaigns conducted by Appin have revealed a noteworthy customer base of government organizations, and private businesses spread globally.
Our analysis and observations corroborate the June 2022 reporting from Reuters noting some of Appin’s customers tied to major litigation battles. The group has conducted hacking operations against high value individuals, governmental organizations, and other businesses involved in specific legal disputes. Appin’s hacking operations and overall organization appear at many times informal, clumsy, and technically crude; however, their operations proved highly successful for their customers, impacting world affairs with significant success.
Of course, I might never have heard about this at all if a court in New Delhi hadn’t ordered Reuters to delete the story. And it’s possible that you wouldn’t have heard about it either.
I will note that in the original Reuters article, they note that the company’s US legal representatives is the law firm Clare Locke, which we’ve spoken about before. They’re the lawyers who often appear to brag about how their aggressive tactics are known to get stories killed in the media. Their website literally lists all the major media outlets they’ve gone after in the past.
So I guess it’s little surprise that the firm would seek to suppress the story about them.
But the data and the report seen by SentinelOne are pretty damning.
The cybersecurity firm’s exhaustive analysis of data that Reuters journalists collected showed near-conclusive links between Appin and numerous data theft incidents. These included theft of email and other data by Appin from Pakistani and Chinese government officials. SentinelOne also found evidence of Appin carrying out defacement attacks on sites associated with the Sikh religious minority community in India and of at least one request to hack into a Gmail account belonging to a Sikh individual suspected of being a terrorist.
“The current state of the organization significantly differs from its status a decade ago,” says Tom Hegel, principal threat researcher at SentinelLabs. “The initial entity, ‘Appin,’ featured in our research, no longer exists but can be regarded as the progenitor from which several present-day hack-for-hire enterprises have emerged,” he says.
Factors such as rebranding, employee transitions, and the widespread dissemination of skills contribute to Appin being recognized as the pioneering hack-for-hire group in India, he says. Many of the company’s former employees have gone on to create similar services that are currently operational.
Reuters’ report and SentinelOne’s review have cast fresh light on the shadowy world of hack-for-hire services — a market niche that others have highlighted with some concern as well.
And the demand that the Reuters piece get removed only should draw that much attention towards Appin’s behavior.
The Indian government really is showing the world what government censorship is all about lately. The country used to be somewhat better about speech issues online, but for years now we’ve been following the country’s descent towards censorship. Things really ramped up with the Modi government, where he seems ridiculously thin-skinned and unable to deal with even mild criticism. Under Modi, India has passed a series of increasingly draconian laws that have increased censorship online.
The country has also led the way in completely banning apps that people use to communicate with each other, starting with TikTok, which the country banned back in 2020.
However, now it has also banned… Element? Element is the “flagship” app used to access the decentralized, encrypted Matrix chat system. If you’re unfamiliar with Matrix, it’s kind of a decentralized, encrypted, protocol based version of… Discord or Slack or IRC. The people who created Matrix also started a separate operation, Element, which provides the most popular reference app for using Matrix (Element used to be called Riot). There are many other apps that can also be used to access Matrix chats, however, so banning “Element” seems like Indian regulators having no clue how any of this works.
We assume that this ban on Element is a result of a misunderstanding around decentralised and federated services such as Matrix (an open standard for real time communication). The Element app is just one of many apps that give access to the Matrix network. A simple parallel is that banning Element because it gives access to the Matrix network is the equivalent to blocking Google Chrome because it gives people access to the web, or Gmail because it gives people access to email.
Some governments see undermining encryption as the most effective way to combat the ills of terrorism or other illegal behaviour. That approach is completely flawed; it just removes ordinary people’s ability to communicate in private which leaves them vulnerable to all types of surveillance, crime and subjugation.
In actual fact, end-to-end encryption strengthens national security which is why Element has various parts of the French, German, Swedish, UK and US governments as customers.
The folks at Element say they have no idea why it’s been banned, and received no notice. They note that they received no explanation, and are only basing this on press reports. They also point out that they have responded to the Indian government when the government has reached out in the past, so they’re even more perplexed at this just coming out of the blue:
That is a bit of guesswork on our part, because we did not receive any prior notice of the decision; clarification from the Ministry of Electronics and Information Technology would be most welcome.
While Element never compromises end-to-end encryption or user privacy, we have been contacted by Indian authorities in the past and addressed them in a constructive fashion (typically responding same-day). Indeed our Trust & Safety team works with governments to build safer secure communications for everyone; while ensuring user privacy and protecting end-to-end encryption.
As much as people in India will be able to trivially circumvent the blocking of the 14 messaging apps, we want to resolve this situation and be available as usual in India. That resolution will have to be, of course, in a way that respects our users and understands our commitment to everyone’s right to private and secure communications. We look forward to talking with the Ministry about how to make that happen.
Of course, assuming this is not about anything logical, but rather childish lashing out that people can speak via Matrix, combined with technological illiteracy in failing to recognize that Element is not Matrix, it’s not clear what there is to talk about.
However, it is yet another reminder of how authoritarian governments are increasingly scared of the fact that people can speak with each other freely online, and why things like US officials wishing to “ban TikTok” only gives these authoritarian censors more cover for their actions.
