TikTok is front and center in the US debate on technology, privacy, cybersecurity, and US-China relations. Yet, the app has also been subject to conversation about national security in another country: India. Just before the Trump administration issued its executive order in August 2020 attempting to ban TikTok in the United States (later struck down in multiple courts and then withdrawn by the Biden administration in June 2021), New Delhi banned TikTok in June 2020. In the time since, India expanded this strategy, banning hundreds of other apps in the country—many with links to China—citing national security and sovereignty justifications.
The most recent iteration was in February, when the Indian government initiated a process to ban 138 betting apps and ninety-four lending apps, many of which it claimed have links to China. Authorities walked a few of these bans back after Indian companies like LazyPay and Kissht reportedly demonstrated they had no such links. Some US policymakers have praised India’s app bans, namely Federal Communications Commission Commissioner Brendan Carr, who said in January of this year that India set an “incredibly important precedent” by banning TikTok from the country.
But India’s app bans are not an example of constructive, careful, and established policy and process on the risks posed by foreign technology companies, products, and services.
Government overreach with no transparency
The administration of Prime Minister Narendra Modi is grossly mistaken in playing hundreds of rounds of whack-a-mole against Chinese apps. The bans were imposed with very little transparency and little or no public consultation. They were followed up by state orders—which went largely unquestioned—for internet service providers (ISPs) in India to filter out Indians’ access to TikTok servers. To top it off, India has no comprehensive privacy regime—exactly what it needs to better protect Indian citizens’ data, including from the undemocratic Modi government.
Instead, the country is witnessing overreaching government policies that make sweeping assessments of mobile apps behind closed doors, with few avenues of recourse by the public. Citizens’ data, meanwhile, remains vulnerable to widespread abuse.
India has banned hundreds of apps since the first round of app expulsions in June 2020. The government banned fifty-nine Chinese apps in June 2020, forty-seven apps in July 2020, 118 apps in September 2020, and forty-three apps in November 2020. In February 2022, over a year after the prior set of bans, New Delhi announced fifty-four new app bans. Most recently, in February 2023, the government initiated a process to ban 232 apps; the exact number of banned applications is unclear due to a lack of media coverage on subsequent walk-backs.
A data analysis of the bans indicates that they focus heavily on utility apps, photo and video apps, social media apps, messaging and social networking apps, and gaming apps. In many of these cases, New Delhi has asserted that the apps are prejudicial to the national security and sovereignty of India. Clearly, this language was selected because it pulls from Section 69(A) of India’s Information Technology Act of 2000, the legislation which the Indian government invokes with these bans. The provision states that:
“Where the Central Government or a State Government or any of its offers specially authorized by the Central Government or the State Government, as the case may be, in this behalf may, if satisfied that it is necessary or expedient to do so, in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offense relating to or above or for investigation of any offense, it may be subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource.”
With each of these app bans, the Indian government has given little public notice or none at all. For example, the scramble in the wake of the February 2023 bans—where companies in India were banned because of alleged links to China, though they subsequently demonstrated nothing of the sort—suggests the companies were not approached or notified by the government prior to the bans’ public announcement. New Delhi has also consistently provided insufficient information on its reasoning for the bans. As the nonprofit Internet Freedom Foundation in India wrote after the first round of June 2020 bans, “currently we only have a press release and not the actual order,” which is needed “since it contains the reasons for the ban which are important when we try to assess the legality and validity of the ban.” The lack of public notice is especially significant given that the actions did not target a single app or company at once; instead, each round of bans threw dozens or even more than one hundred apps out of India at a time.
Governments need to provide a clear public explanation (if not also evidence) for decisions to restrict a tech company, product, or service’s market access for “security” reasons. This is because not every risk posed by a technology company, product, or service is the same. Consider a hypothetical example: a social media platform could raise questions about the risk of corporate data abuse; foreign government data access; foreign government content manipulation; addictiveness for children; and so on. Each of these are different concerns requiring unique diagnoses and policy responses. Hence, broadly claiming “security” and “sovereignty” is an insufficient justification for a complete ban—just as US policymakers who initially said “TikTok is owned by a Chinese firm” were not properly breaking down the perceived risks. Democracies (even if backsliding) should provide the public, the private sector, and civil society with explanations for their tech policy decisions.
In India’s case, the state has failed to properly do so time and time again with these bans.
A lack of due process for ban policies
The process for India’s app bans is also highly concerning. The so-called IT Blocking Rules from 2009 laid out regulations for how these types of bans should take place (as required in Section 69(B) of the Information Technology Act). But, as the Internet Freedom Foundation noted in June 2020, it was unclear if the Indian government’s decision to enact these bans followed the proper process—to include holding a pre-decisional hearing. Process rarely makes for interesting conversation, but it’s vital. How a government reviews tech companies, products, and services for security risks; how it makes determinations about those risks; whether it consults with outside voices on those risks; and how it communicates those risks and that process to the public all shape whether government security reviews are nuanced, transparent, and accountable.
Even if one agrees with the result of a ban—such as expelling TikTok from India—how the Modi government arrived there, and its unilateral power to block and censor in this area, are still great reasons for concern. There has been woefully insufficient press attention, in India and even more so in the West, to the fact that New Delhi quickly got Apple and Google to remove apps from their stores and then ordered ISPs, at least in TikTok’s case, to filter Indians’ web traffic to block access to servers.
There is also a strong political dimension to these actions. When the Indian government first started banning China-linked apps in June 2020, including TikTok, it followed an India-China border clash in which twenty Indian soldiers and four Chinese soldiers reportedly died. That India’s app bans were compared to “digital counterstrikes” from India to China underscore the fact that the move was heavily politically motivated, meant to signal to the Indian public that the Modi government was responding, and to China that India was willing to constrain Chinese apps’ market access. New Delhi was able to signal resolve against Beijing (at least in its mind), defending Indian “sovereignty” (as per the ban press release) without taking military action.
Modi’s administration has also been increasing pressure on tech companies operating in India. For instance, there was significant media reporting about Facebook, India, and the ruling Bharatiya Janata Party (BJP); in addition to underinvesting in content moderation in India and many other countries, Facebook reportedly had internal pushes to relax its rules for BJP officials spreading hate speech because the users in question belonged to the party in power. Indian police also raided (empty) Twitter offices in 2021—a move reminiscent of the Russian government’s coercive tactics—after the company applied a “manipulated media” label to a tweet from a BJP official. Even with discussions of data localization in India, one of the many motivations at play was the Indian government’s interest in applying pressure to—and holding leverage over—tech companies operating there.
The app bans fit within this broader context of tech company coercion and state efforts to increase control of the tech environment.
No data privacy regime means “anything goes”
Lastly, India has no comprehensive privacy law. The new Digital Personal Data Protection Bill is a mixed bag for privacy but has some improvements over the previous legislation (the Personal Data Protection Bill) which had broad data localization requirements among other things. Negotiations are still ongoing. Yet, that is exactly the point: the Modi government has banned hundreds and hundreds of apps, many with links to China, in the past 2.5 years, while India is still without a law to constrain corporate data collection, rein in the sale of Indians’ data by data brokers, and place guardrails around expanding Indian government surveillance.
Without a doubt, the Chinese government is heavily engaged in espionage against countries around the world—India included—and it’s safe to assume that most if not all Chinese tech firms must answer to Beijing when asked. China is not micromanaging all companies all the time (as that would be unwieldy) but the risks of Chinese state influence on Chinese tech firms are certainly present.
The Indian government needs to build a comprehensive, transparent, and accountable means of addressing data privacy and security risks. Playing endless rounds of arbitrary whack-a-mole against apps—with little to no public consultation—is a step in the wrong direction with serious consequences.
The author thanks Rose Jackson for comments on an earlier draft of this article.
Justin Sherman (@jshermcyber) is a nonresident fellow at the Atlantic Council’s Cyber Statecraft Initiative and the founder and CEO of Global Cyber Strategies, a Washington, DC-based research and advisory firm.
The South Asia Center serves as the Atlantic Council’s focal point for work on the region as well as relations between these countries, neighboring regions, Europe, and the United States.
SouthAsiaSource Mar 6, 2023
Amid Pakistan’s political and economic turmoil, risks to curbs on digital freedoms grow
By Uzair Younus
Growing polarization and instability in Pakistan have increased the likelihood that as elections draw near, curbs on speech, largely limited thus far to television channels, may extend to internet platforms like YouTube, Facebook, and Twitter.
SouthAsiaSource Dec 5, 2022
India’s data localization pivot can revamp global digital diplomacy
By Anand Raghuraman
India’s stance on data localization constrained its ability to engage in digital diplomacy. With a new privacy bill, however, it has outlined a compromise option.