Opened 10 months ago

Last modified 4 months ago

#2358 new enhancement

Review decision to block I2P on Google Play Store downloads from India (and any other countries)

Reported by: slumlord Owned by: Meeh
Priority: minor Milestone: undecided
Component: apps/android Version: 0.9.37
Keywords: android, india, google play store Cc: str4d, Meeh, sadie
Parent Tickets: Sensitive: no

Description

Users in certain countries are blocked from downloading I2P on the Google Play Store

I2P is currently blocked to any user from India - it may be blocked in other countries too where there isn't any official traffic-management policy in place which would identify & block I2P's website or traffic. I propose that a list of countries where I2P has been determined to be in violation of some country's crypto-treaties (e.g. USA's laws/regulations around export of software which makes use of cryptography) and entirely blocked to users of said countries be produced — as well as any other reasons for preventing users from accessing the I2P software. Subsequently, this list of countries should be reconsidered as to whether the blockage is still necessary or relevant.


India

Android users in India are blocked from downloading I2P from the Google Play Store. I am unaware as to when this decision was made and the reasons for such a decision. Other privacy tools such as Tor, Signal, Telegram, Threema etc. are all easily available through the Google Play Store so blocking users from countries such as India on the basis of existing laws/regulations does not seem to be valid.

India has an estimated 400 million internet users:
(clearnet) https://en.wikipedia.org/wiki/List_of_countries_by_number_of_Internet_users

India is estimated to have around 500 million smartphone users in 2018:
(clearnet) https://indianexpress.com/article/technology/india-set-to-have-530-million-smartphone-users-in-2018-study-4893159/

Data rates for mobile phone users in India are amongst the lowest in the world:
http://blogs.worldbank.org/opendata/where-are-cheapest-and-most-expensive-countries-own-mobile-phone


The decision to block Google Play Store users from downloading I2P on the basis of country may have made sense at the point where it was made — I can't really say since I don't have any of the discussions/those whom I have asked don't recall the basis for the decisions/those who made the decisions aren't communicative/responsive other than for a mere 1% of a year despite having been responsible for major decisions affecting the I2P project.

Moving forward, I think the basis for these decisions should be documented and displayed on our website so that experts, legal or otherwise, who actually live in these countries and have the requisite knowledge & experience may be allowed to comment and provide their own input.

At a time where the I2P project is trying to grow the userbase and is positioning themselves as a project that passionately supports privacy, freedom & security it seems to be a major oversight to block users from certain countries, in some cases countries with a large population of internet users, from easily participating in the I2P network.

Subtickets

Change History (6)

comment:1 Changed 10 months ago by zzz

Cc: str4d Meeh added
Component: package/otherapps/android
Owner: set to Meeh

The list of blocked countries on GPlay was developed and implemented by str4d, based on his review of Google rules and applicable U.S. crypto export regulations and associated guidance that he researched. As he is apparently the unresponsive person you reference above, unfortunately we will have to redo all that work. There's no shortcut.

You're correct that I don't recall the details and I don't have any records. I do remember generally that there was no definitive guidance to be found - just posts about what other projects did, and how they interpreted the rules. But the final list was not at all arbitrary, it was based on research and a synthesis of the information gathered. Of course, the rules or the industry consensus may have changed in the years since.

We also need meeh to give us the current list of blocked countries from the GPlay admin interface.

As android is essentially unstaffed at this point, I doubt anybody will get to this soon.

As far as your suggestion to post the decisions and reasoning somewhere, I'm not sure that's a good idea - to put your legal analysis out there for all to see just begs somebody to disagree and get us in trouble. Also, there's no use soliciting expert opinion from legal experts in banned countries - the law that applies is U.S. law.

comment:2 Changed 9 months ago by Masayuki Hatta

This site might help: http://www.cryptolaw.org/cls-sum.htm

I'm not sure it was really about the U.S. law - I heard India has Information Technology Act 2000 which requires mandatory decryption (the refusal is punishable).

comment:3 in reply to:  1 Changed 9 months ago by slumlord

Replying to zzz:

The list of blocked countries on GPlay was developed and implemented by str4d, based on his review of Google rules and applicable U.S. crypto export regulations and associated guidance that he researched. As he is apparently the unresponsive person you reference above, unfortunately we will have to redo all that work. There's no shortcut.

Understandable, I am happy to go over what should be looked into and what we need to be aware of when making such decisions at 35C3 — these resources can be collected and used as a starting point for any future discussions/decisions. It may also be good to connect with other open source projects who may be present at 35C3 like Tor, Tails, Signal, Telegram, Threema, Wire etc. and also EFF to understand how they made any such decisions.

You're correct that I don't recall the details and I don't have any records. I do remember generally that there was no definitive guidance to be found - just posts about what other projects did, and how they interpreted the rules. But the final list was not at all arbitrary, it was based on research and a synthesis of the information gathered. Of course, the rules or the industry consensus may have changed in the years since.

I have looked briefly online and here are a few useful/interesting links

Based upon 740 Supp 1.pdf, India falls under groups A:1, A:2, A:3 and A:5 as well as group B — Not a group which, as far as I can tell, is part of any existing sanctions as far as software which uses cryptography is concerned.

Multiple sites have described the following:

Under Section 740.13(e) of License Exception TSU, publicly available encryption source code may be exported without a license, so long as the notification requirement is met (and updated accordingly). This exception is not limited only to those who distribute their software under an open-source license for free, it is also applies to code that is licensed for a fee or royalty. Hence, making your source code publicly available has the double benefit of simplifying your compliance with the EAR and making your software safer and more trustworthy, since anyone can examine it to ensure there are no mistakes or backdoors. - https://www.thoughtworks.com/insights/blog/encryption-open-source-and-export-control

The applicability & validity of such an exception specifically to the I2P software is something that would have to be carefully determined.

We also need meeh to give us the current list of blocked countries from the GPlay admin interface.

As android is essentially unstaffed at this point, I doubt anybody will get to this soon.

As far as your suggestion to post the decisions and reasoning somewhere, I'm not sure that's a good idea - to put your legal analysis out there for all to see just begs somebody to disagree and get us in trouble. Also, there's no use soliciting expert opinion from legal experts in banned countries - the law that applies is U.S. law.

That's a good point. mhatta makes a good point too — some countries could have import laws relating to software that implements cryptography; whether these import laws would matter to us, or if we just need to be aware of American laws is also good to know. Perhaps it would be good to document this internally with a note on our website acknowledging which countries I2P isn't going to be made available on the Google Play Store? Having some internal documentation for the basis of our decisions would help, for example in the event that any decisions had to be re-evaluated or if new laws/regulations were introduced.

An additional concern - since an Android user can download an .apk from our website, this would also bring up the question of whether such .apk installations are able to update themselves automatically or if the user would have to manually download another .apk to update the I2P router on their device.

Thanks for your comments, zzz.

comment:4 Changed 4 months ago by Meeh

Can we get a lawyer on this? I have no clue where to even begin with this task.

comment:5 Changed 4 months ago by zzz

@meeh the clues on where to begin are in the links provided above. Also please ask str4d for references, if he has become responsive again.

comment:6 Changed 4 months ago by zzz

Cc: sadie added
Note: See TracTickets for help on using tickets.