By Sowmya Karun
Earlier this year, the Supreme Court of India dismissed a public interest litigation petition calling for the ban of messenger apps like Whatsapp, Telegram etc for their adoption of end-to-end encryption. In the months since, service providers and companies across the world are increasingly choosing to adopt higher and more secure standards of encryption for data and communications. Slowly and steadily, encryption is becoming ubiquitous in all forms of communications, and it is urgently necessary to reflect on the formulation of a legal framework on encryption.
Contrary to the Government’s stated commitment to the adoption of best practices relating to encryption and other emerging technologies in the National Telecom Policy of 2012, its engagement with encryption technology has been blinkered and confused. In September last year, a draft National Encryption Policy (“draft NEP”) was released, only to be hastily withdrawn following widespread criticism on the ambiguous and impractical standards it sought to impose.
Encryption is the scrambling of messages, information or data into a form which is unreadable by anyone except the intended recipient. Most commonly, encryption is applied to data on a device, data in transit such as in e-mail, messaging etc. or even data stored in a cloud. Today, the bulk of our communications and data are facilitated electronically and over the Internet. Encryption has been rendered an indispensable instrument to ensure that digital communications- ranging from personal phone conversations to e-mail to online financial transactions- are protected from interference. Encryption allows for the preservation of the authenticity and integrity of these communications. As the internet continues to expand in size, the significance of encryption in protecting data transmitted online, whether for storage or for commercial and financial transactions will also grow alongside. Encryption has been rightfully recognized as a leading instrument for online security, enabling the exercise of the rights to freedom of opinion and expression as well as the right to privacy in the digital age. In an age where governments across the world are expanding invasive surveillance, encryption allows for the preservation of a safe and private space for free expression.
Under Section 84A of the Information Technology Act, 2000, the Central Government is authorized to prescribe the modes and methods of encryption for the secure use of the electronic medium and for the promotion of e-governance and e-commerce. In the absence of specific rules/ policy on encryption enacted under the said provision, reliance is placed on the license agreements between the government and telecom or internet service providers to determine the legal limits of encryption. Under the license agreement for the provision of Internet services, internet service providers are prohibited from using bulk encryption. The agreement, which follows a template drafted nearly a decade ago, also limits the use of encryption up to only 40 bits- which has been decried as a very weak standard by technologists and industry. Additionally, the use of higher encryption tools requires permission from and the disclosure of the relevant decryption keys to the Department of Telecom. The inadequacy of this encryption limit is most amply demonstrated by the variable mandates for encryption usage and limits by sectoral regulators within the government. The RBI, for instance, prescribes a minimum level of encryption of 128-bits for Internet banking transactions, and SEBI also prescribes a 64-bit/128-bit encryption for network security in securities trading over mobile phones or wireless applications. It must also be noted that this limitation of 40-bit encryption is applicable only to ISPs, and not to other OTT service providers such as Whatsapp etc. even though the encryption technology used by the latter has been referred to in the TRAI’s Consultation Paper On Regulatory Framework for Over-the-top (OTT) services.
Companies and individual users continue to operate within this regulatory vacuum of conflicting prescriptions. In light of India’s growing vulnerability to cyber attacks and data breaches, a clear and unambiguous regulatory framework is indispensable to enable innovation and the employment of stronger encryption tools to protect data and networks. At the same time, such a framework must also make space for the accommodation for the dynamic nature of technologies and push for an industry driven framework with user choice and convenience being given importance. This need is only amplified when considered through the prism of the Government’s focus on schemes such as Digital India, Smart Cities Mission etc. which will substantially rely on secure and reliable data storage and communication networks.
The necessity for a specific framework on encryption is especially important in light of the increasing tendency of governments across the world to seek access to encrypted communications. The kinds and scope of encryption being introduced into mainstream communications and products have contributed to fears of these networks “going dark”- rendering them completely immune to any interception by intelligence or law enforcement authorities. It has been asserted that encrypted communications render the investigation of financial crimes, illicit drugs, child pornography and terrorism difficult. Concerns have also been expressed about the use of encrypted technologies to facilitate harassment and similar offences on the Internet. Thus, technological moves towards higher and more secure levels of encryption have inevitably been countered by efforts to break such encryption by state agencies, triggering the proverbial “crypto-wars”. In the Indian context, the government had controversially sought and gained access to encrypted communications over Blackberry Messenger in 2013. It was also reported that the government had similarly required companies like Skype and Google to allow for interception of their data. The draft NEP also had various provisions which have been criticized as detrimental to network security and data privacy.
In this context, the discourse on exceptional access for law enforcement agencies to encrypted communications has been framed in terms of the conflicting interests of privacy versus security. The repercussions of locking out legitimate government access from possibly criminal communications need to be addressed. On the other hand, technologists and civil society activists have pointed out that weakening or building vulnerabilities into encryption systems can have far reaching and unintended effects. It is necessary, therefore, to stop viewing encryption and national security as competing forces and to adopt a nuanced approach in understanding these issues.
The encryption debate is a multifaceted one- involving considerations relating not to only national security, but also the integrity and authenticity of data, the rights to privacy and freedom of opinion and expression and business and commercial interests of a very large number of entities. Even though the draft policy was withdrawn, the government has stated that a robust NEP is necessary and will be re-introduced soon. While inputs have been sought from industry bodies on the proposed policy, civil society and other stakeholders remain conspicuously absent from these deliberations. At this juncture, it is very essential for those who are interested in protecting citizens’ fundamental rights and ensuring government and industry accountability to critically weigh in on these policy and legal formulation processes. This would ensure that such a policy framework is not only robust and secure, but also cognizant of the human rights of citizens as well as business interests.
Sowmya Karun is a Project Manager at the Centre for Communication Governance at National Law University Delhi