By Sowmya Karun
According to the National Cyber Security Co-ordinator, a national encryption policy is under consideration by the government and will be released soon. It has been reported that the new policy will be designed to provide support to security agencies against terrorists, who are using tools like encryption to aid in their activities. In our previous post on encryption, we had briefly examined the issue of exceptional access to encrypted communications for law enforcement and intelligence agencies. In this post, we take a closer look at the arguments for and against such exceptional access for government agencies, also known as access through “back-doors” installed in encryption systems.
While encryption was once used exclusively by the military or intelligence agencies, encryption tools are now affordable and available for all users of internet communication technologies, including terrorists and criminals. The use of encryption has been found to impede routine investigation into and prosecution of criminal offences. Terrorist and extremist groups have also been found to be increasingly using the “dark web” or encrypted messaging. This data cannot be accessed by intelligence and law enforcement agencies. Accordingly, it is alleged that the pervasive use of encrypted tools has resulted in the loss of the technological advantages governments have previously had over terror groups and criminals. This is the context in which the installation of backdoors has been put forth by law enforcement agencies and governments as necessary and urgent.
In a report by Amnesty International, “backdoors” are defined as “technical measures which weaken or undermine encryption tools, devices and services in order to facilitate access to information and communications by actors other than the service provider, and parties to the information or communications”. This expansive definition of backdoors includes measures such as the generation and retention of encryption keys for government access; the placement of encryption keys “in escrow”; mandating diminished encryption strengths for usage; and the mandatory deployment of only approved forms of encryption. The ability to decipher encrypted communications through “backdoors”, it is argued, will allow law enforcement authorities to gather evidence in relation to operational details of terrorism, espionage and other criminal activities or act quickly in emergency situations.
However, the arguments against the installation of backdoors are many and equally compelling. These have been articulated by civil society, academia, and technologists. The primary argument against such mechanisms for access by government agencies is that they are not technologically viable. A report by the world’s leading computer scientists and security experts categorically states that any attempts to install backdoors for special access by law enforcement would pose “grave security risks” and “imperil innovation”. The installation of backdoors in encryption systems, according to the report, would be a departure from best security practices. These include, for example, the practice of “forward secrecy”, which requires decryption keys to be deleted immediately after use to prevent security compromises. Further, the installation of backdoors has also been criticized as it would lead to a substantial increase in the complexity of security systems, leading to new and unaddressed vulnerabilities. The interconnectedness of the internet means that a weakness in one area will necessarily lead to weakness in others. Therefore, intentional flaws built into encryption systems, even for arguably legitimate purposes, will invariably undermine the security of all users online.
The compulsory installation of backdoors in encryption systems can also have economic consequences. It has been argued that backdoors undermine not only the security of businesses but also their competitive position, in a market where consumers are constantly looking for the most secure products and systems. The health of the internet ecosystem depends on the proliferation of strong encryption, and backdoors are fundamentally antithetical to this. Indian businesses are being found to be increasingly vulnerable to online attacks. Mandating backdoors in encrypted technology will not only affect financial technology but also off-shore data processing, a sector in which India has substantial investments.
However, the most compelling argument against the weakening of encryption through the installation of backdoors is founded in human rights. Encryption has been hailed as a critical enabler of the realization of the right to privacy and freedom of expression on the internet. Limitations on encryption are, therefore, an infringement on the enjoyment of these rights. Mandating the installation of backdoors in encryption tools, devices and products not only undermines the security of communications and data, it also indiscriminately affects all users’ online privacy. A blanket system of backdoors may be inherently disproportionate and impermissible under international human rights law.
In the Indian context, it is heartening to note there have been no legislative attempts to mandate backdoor vulnerabilities in encryption technologies yet. Nevertheless, it must be noted that the approach of the Government to encrypted communications has not been consistent. Reports indicate that in 2011, the Government pressurized the telecommunication company Research in Motion (which owns Blackberry) to allow access to messaging services and corporate e-mails through disclosure of their encryption keys. This approach of the government was also reflected in several provisions of the draft National Encryption Policy (“draft Policy”) which was released in September 2015, although it was promptly withdrawn. The draft Policy sought to establish permitted algorithms and key sizes for encryption, mandate the storage of encrypted data for 90 days, allow compulsory access to encrypted data for law enforcement agencies upon request, and require registration of encryption suppliers with the government. Some of these features fall squarely within the definition of backdoors as described in the report by Amnesty International. Nevertheless, in a heartening move, the Government has specifically stated that there is no proposal to introduce “backdoors” for smart phone encryption (in response to a question in the Lok Sabha).
While security should not be sacrificed at the altar of privacy, the encryption dilemma requires the achievement of public policy objectives such as law enforcement and national security in an age where encryption is the norm. The debate needs to be reframed to also reflect the very real threats to security which are posed by the installation of backdoors. This is now being reflected in the flexible positions being adopted by governments globally. A position paper released by the Dutch Government categorically states that restrictive legal measures against encryption are not appropriate. In a joint statement, Europol and the European Union Agency for Network and Information Security (ENISA) have noted that the “focus should be on getting access to the communication or information, not on breaking the protection mechanism”. In a report by the US Department of Homeland Security, the need for continued and focused public engagement on the issue to develop policy and legislative recommendations has been emphasized.
The new encryption policy is reportedly being developed on a multi-stakeholder model within which the Government will work with industry, academia and civil society. While it remains to be seen if this is truly reflected in the policy, there is a need for continued and active engagement to ensure that encryption systems are not weakened by the installation of backdoors. Meanwhile, intelligence and law enforcement agencies must devote more attention to investigative methods using existing vulnerabilities present in apps and systems of devices. While this might prove to be more expensive, it would be a desirable trade-off towards ensuring both the privacy of data and communications, as well as security interests.
Sowmya Karun is a Project Manager at the Centre for Communication Governance at National Law University Delhi