Protecting Critical Information Infrastructures in India

By Sowmya Karun 

Last month, around thirty two lakh debit cards of various banks in India were compromised through a large scale cyber malware attack. As the biggest security breach ever experienced by the financial sector in India, this attack has also been described as the “first major successful attack on a critical information infrastructure in India”. It is to be noted that the breach failed to be promptly identified despite governmental bodies like the Reserve Bank of India (RBI) and the Computer Emergency Response Team-India (CERT-In) having issued advisories to banks to secure their information infrastructures against cyber criminals. This incident highlights the ever increasing vulnerability of information infrastructures in general to cyber attacks. This post lays down the legal and institutional framework dealing with the protection of critical information infrastructures in India.

The financial sector is only one of the many sectors which are now critically reliant on information infrastructures. Information infrastructures, including computers, servers, storage devices, routers and other equipment, support the functioning of critical national capabilities such as power grids, emergency communications systems, e-governance and air traffic control networks, to name only a few. Such infrastructures are considered “critical” due to their contribution to the services delivered by the infrastructure providers, as well as on account of the potential impact of any sudden failure on the well-being and security of the nation.

These information infrastructures are especially vulnerable to cyber attacks and breaches. Firstly, critical information infrastructures (“CII” or “CIIs”) are deeply interconnected and complex by design, and are also geographically dispersed. Secondly, dedicated weapons systems or armies are not necessary to disable these systems. Any delays or disruptions in the functioning of these critical information systems can potentially spread to other CIIs, resulting in political, economic, social or national instability. The increasingly high dependence of critical sectors on CIIs, coupled with the wide variety of threats they are vulnerable to, necessitates an effective policy and institutional framework to protect CIIs.

“Protected Systems” under the IT Act

The Information Technology Act, 2000 (“IT Act”) provides the legislative basis for the protection of critical information infrastructure in India. Section 70 of the IT Act defines “critical information infrastructure” to be “the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety”. Under this provision, any computer resource which directly or indirectly affects the facility of CII may be declared to be a “protected system” by the appropriate Government. Securing or attempting to secure unauthorized access to such protected systems is punishable. The Central Government has been vested with the authority to prescribe the information security practices and procedures for such protected systems.

Various computer resources have been notified as “protected systems” by the Central Government and by State Governments. In 2010, the TETRA Secured Communication System Network, with its hardware and software installed at various locations in New Delhi, was notified as a “protected system” by the Central Government. In 2015, the Central Government notified the “Unique Identification Authority of India’s (UIDAI) Central Identities Data Repository facilities, information assets, logistics infrastructure and dependencies installed at various locations” as a protected system. More recently, the Central Government declared the Long Range Identification and Tracking (LRIT) system under the Ministry of Shipping, along with its facilities, information, assets, logistics infrastructure and dependencies, to be a protected system. State Governments including Tamil Nadu, Chhattisgarh and Goa have also identified and declared different information infrastructures as protected systems. It is to be noted, however, that no exhaustive list of notified protected systems is to be found in the public domain. Further, the indiscriminate declaration of information infrastructures as protected systems, as done by various State Governments, is problematic. For instance, the “entire network of computer resources… including websites of the government and government undertakings” was declared to be a “protected system” by the Chhattisgarh Government. Firstly, these infrastructures do not “directly or indirectly affect the facility of a critical information infrastructure”, and secondly, a high quantum of punishment can be meted out for an attempt to secure access to such protected systems. In light of this, the declaration of infrastructures as “protected systems” needs to be a calibrated and considered process, and the criteria for it should be clarified by the Government.

Institutional Framework for Protection of CII

Under Section 70A(1) of the IT Act, the Central Government is vested with the power to designate an organization of the Government as the national nodal agency in respect of the protection of CII. Towards this, in 2014, the Central Government notified the National Critical Information Infrastructure Protection Centre (NCIIPC), an organization under the National Technical Research Organization (NTRO), as the relevant nodal agency. Correspondingly, the Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2013 (“NCIIPC Rules”) were also notified. Under the NCIIPC Rules, a “critical sector” has been defined to mean a sector which is critical to the nation and whose incapacitation or destruction will have a debilitating impact on national security, economy, public health or safety. On the NCIIPC website, these sectors have been classified into five main groups: (i) power and energy; (ii) banking, financial services and insurance (“BFSI”); (iii) ICTs; (iv) transportation; and (v) e-governance and strategic public enterprises. Unlike the critical sectors identified under the Strategic Approach of the Ministry of Electronics and Information Technology, the sectors identified by the NCIIPC do not include the defence sector. The defence sector has also been excluded from the NCIIPC’s purview under the NCIIPC Rules (Rule 3(4)).

While the Guidelines for the Protection of CII (Version 2.0) issued by the NCIIPC provide a basic framework for the protection of CII, it is both urgent and necessary to consultatively evolve sector-specific guidelines for the protection of these infrastructures. In this regard, while guidelines for the BFSI sector have been issued by agencies like the RBI and SEBI, critical sectors such as power and energy or transportation are yet to be provided with specific guidelines for the protection of their information infrastructures. It has also been argued that the effectiveness of the NCIIPC is undermined by its inaccessibility to the public. This criticism is bolstered, for instance, by the very limited information made available to the public on the NCIIPC website. The opacity of the institutional framework can also prove to be a roadblock in the coordination of cybersecurity efforts, especially for effective public-private collaboration to protect CIIs. This is particularly important because of the large number of CIIs in the private sector. Further, standard operating procedures for the notification of CIIs and the identification of public-private partnerships are yet to be issued. No doubt, the notification of the NCIIPC as the nodal agency for the protection of CII has been a commendable step ahead in the protection of CII in the country. However, much work remains to be done, and both the NCIIPC and the Government must proactively work with the private sector to ensure that our CIIs are secure and resilient against cyber attacks.

Sowmya Karun is a Project Manager at the Centre for Communication Governance at National Law University Delhi

Encryption- Backdoors or Trapdoors?

By Sowmya Karun

According to the National Cyber Security Co-ordinator, a national encryption policy is under consideration by the government and will be released soon. It has been reported that the new policy will be designed to provide support to security agencies against terrorists, who are using tools like encryption to aid their activities. In our previous post on encryption, we briefly examined the issue of exceptional access to encrypted communications for law enforcement and intelligence agencies. In this post, we take a closer look at the arguments for and against such exceptional access for government agencies, also known as access through “backdoors” installed in encryption systems.

While encryption was once used exclusively by the military or intelligence agencies, encryption tools are now affordable and available to all users of internet communication technologies, including terrorists and criminals. The use of encryption has been found to impede routine investigation into and prosecution of criminal offences. Terrorist and extremist groups have also been found to be increasingly using the “dark web” or encrypted messaging. This data cannot be accessed by intelligence and law enforcement agencies. Accordingly, it is alleged that the pervasive use of encryption tools has resulted in the loss of the technological advantages governments previously had over terror groups and criminals. This is the context in which the installation of backdoors has been put forth by law enforcement agencies and governments as necessary and urgent.

In a report by Amnesty International, “backdoors” are defined as “technical measures which weaken or undermine encryption tools, devices and services in order to facilitate access to information and communications by actors other than the service provider, and parties to the information or communications”. This expansive definition of backdoors includes measures such as the generation and retention of encryption keys for government access; the placement of encryption keys “in escrow”; mandating diminished encryption strengths for usage; and the mandatory deployment of only approved forms of encryption. The ability to decipher encrypted communications through “backdoors”, it is argued, will allow law enforcement authorities to gather evidence in relation to operational details of terrorism, espionage and other criminal activities, or to act quickly in emergency situations.

However, the arguments against the installation of backdoors are many and equally compelling. These have been articulated by civil society, academia and technologists. The primary argument against such mechanisms for access by government agencies is that they are not technologically viable. A report by the world’s leading computer scientists and security experts categorically states that any attempt to install backdoors for special access by law enforcement would pose “grave security risks” and “imperil innovation”. The installation of backdoors in encryption systems, according to the report, would be a departure from best security practices. These include, for example, the practice of “forward secrecy”, which requires decryption keys to be deleted immediately after use in order to limit the damage from a later compromise. Further, the installation of backdoors has also been criticized because it would lead to a substantial increase in the complexity of security systems, leading in turn to new and unaddressed vulnerabilities. The interconnectedness of the internet means that a weakness in one area will necessarily lead to weakness in others. Therefore, intentional flaws built into encryption systems, even for arguably legitimate purposes, will invariably undermine the security of all users online.

The compulsory installation of backdoors in encryption systems can also have economic consequences. Backdoors have been argued to undermine not only the security of businesses but also their competitive position, in a market where consumers are constantly looking for the most secure products and systems. The health of the internet ecosystem depends on the proliferation of strong encryption, and backdoors are fundamentally antithetical to this. Indian businesses are being found to be increasingly vulnerable to online attacks. Mandating backdoors in encrypted technology will affect not only financial technology but also off-shore data processing, a sector in which India has substantial investments.

However, the most compelling argument against the weakening of encryption through the installation of backdoors is founded in human rights. Encryption has been hailed as a critical enabler of the realization of the right to privacy and freedom of expression on the internet. Limitations on encryption are, therefore, an infringement on the enjoyment of these rights. Mandating the installation of backdoors in encryption tools, devices and products not only undermines the security of communications and data, it also indiscriminately affects all users’ online privacy. A blanket system of backdoors may be inherently disproportionate and impermissible under international human rights law.

In the Indian context, it is heartening to note that there have been no legislative attempts to mandate backdoor vulnerabilities in encryption technologies yet. Nevertheless, it must be noted that the approach of the Government to encrypted communications has not been consistent. Reports indicate that in 2011, the Government pressured the telecommunication company Research in Motion (which owns BlackBerry) to allow access to messaging services and corporate e-mails through disclosure of their encryption keys. This approach of the government was also reflected in several provisions of the draft National Encryption Policy (“draft Policy”) which was released in September 2015, although it was promptly withdrawn. The draft Policy sought to establish permitted algorithms and key sizes for encryption, mandate the storage of encrypted data for 90 days, allow compulsory access to encrypted data for law enforcement agencies upon request, and require registration of encryption suppliers with the government. Some of these features fall squarely within the definition of backdoors as described in the report by Amnesty International. Nevertheless, in a heartening move, the Government has specifically stated (in response to a question in the Lok Sabha) that there is no proposal to introduce “backdoors” for smart phone encryption.

While security should not be sacrificed at the altar of privacy, the encryption dilemma requires the achievement of public policy objectives such as law enforcement and national security in an age where encryption is the norm. The debate needs to be reframed to also reflect the very real threats to security which are posed by the installation of backdoors. This is now being reflected in the flexible positions being adopted by governments globally. A position paper released by the Dutch Government categorically states that restrictive legal measures against encryption are not appropriate. In a joint statement, Europol and the European Union Agency for Network and Information Security (ENISA) have noted that the “focus should be on getting access to the communication or information, not on breaking the protection mechanism”. In a report by the US Department of Homeland Security, the need for continued and focused public engagement on the issue to develop policy and legislative recommendations has been emphasized.

The new encryption policy has been reported to be developed on a multi-stakeholder model within which the Government will work with industry, academia and civil society. While it remains to be seen if this is truly reflected in the policy, there is a need for continued and active engagement to ensure that encryption systems are not weakened by the installation of backdoors. Meanwhile, intelligence and law enforcement agencies must devote more attention to investigative methods that use existing vulnerabilities present in apps and device systems. While this might prove to be more expensive, it would be a desirable trade-off towards ensuring both the privacy of data and communications and security interests.


Violence against Women: Et tu, Internet?

By Sowmya Karun

In its beginnings, it was hoped that the internet would transcend the biases and discrimination that characterize offline spaces, and emerge as a frontier for gender equality. In line with the “cyborg manifesto” put forth by the feminist scholar Donna Haraway, identities on the internet were to become sexless or genderless, paving the way for equal and equitable spaces. Unfortunately, the development and use of the internet, like any other technology, has remained deeply embedded in the social and cultural contexts of a patriarchal world. The internet has now emerged as the newest breeding ground for the harassment and abuse of women and girls. An equal and inclusive internet culture remains elusive, and online culture continues to mirror patterns of violence in the offline world.

While men are also victims of various forms of harassment, cyber harassment can be said to be gendered for two reasons: firstly, women are often disproportionately targeted, and secondly, the harassment itself is gendered, i.e. it invokes gender in sexually threatening and degrading ways. Such gendered harassment assumes several forms, and is constantly evolving in form and execution along with the expansion of digital platforms. Online verbal abuse has been extensively documented, with women subjected to vile, abusive and threatening content through e-mail or messaging services. The internet is used to continuously contact, annoy, threaten and scare victims through such persistent attacks. This form of abuse tends to reduce female victims to sexual objects and often includes insults that reinforce gender-constructed stereotypes. Image-based harassment includes the relentless bombardment with obscene or vulgar images, circulation of morphed or appropriated photographs and, more recently, the phenomenon of revenge porn or “non-consensual pornography”.

A report by the UN Broadband Commission indicates that a staggering seventy three percent of women on the internet have experienced some kind of online violence. Nine million women are reported to have experienced serious forms of cyber violence since the age of fifteen. In India, quantitative reports and qualitative studies have captured the depth and impact of this kind of gendered harassment. These studies, along with extensive media reports and anecdotal evidence of online abuse suffered by women, serve to highlight the critical proportions such gendered online violence has come to assume.

There is no doubt that online abuse and harassment has a profound and distinct impact on its victims. The internet has come to occupy a very large aspect of our lives today, from work to education to social relationships. In these circumstances, being subjected to online abuse or harassment has been found to cause immense psychological and emotional distress to women. Several reports have, in fact, indicated that victims take recourse to suicide to escape such abuse. It is in this context that there have been calls for the characterization of online abuse and harassment of women as “cyber violence against women”. This is in line with the definition of “violence against women” under the Convention on the Elimination of all Forms of Discrimination Against Women (CEDAW), which includes “any act of gender-based violence which leads to physical, sexual, or psychological harm or suffering to women”. Further, online abuse also tends to undermine women’s agency in their lives. Victims respond to such cyber violence by withdrawing from online spaces, either by shutting down their social media accounts, websites or blogs, or by indulging in self-censorship. The creation and perpetuation of unsafe online spaces for women, therefore, effectively functions as a fetter on their fundamental right to freedom of speech and expression. Cyber abuse and harassment also represents an invasion of victims’ privacy, as such abuse often involves the infringement and publication of victims’ personal information.

Consequently, online abuse leads to the creation of an internet from which women tend to be systemically excluded. This affects not only the victims, but also the vibrancy and inclusiveness of the internet itself. This is problematic not only because it deprives women of the benefits of the internet in terms of access to opportunities and content, but also because it limits the use of the medium as a tool for the emancipation of women at large.

If India hopes to narrow the digital divide between the genders, it is essential that the increasing incidence of online violence against women is treated as a systemic problem in need of urgent and creative solutions. The primary barrier in this mission is the trivialization of online sexual harassment. Not only is the gendered nature of cyber abuse not acknowledged, reports indicate that police officials are, in many instances, simply not equipped to deal with the dynamic nature of these cyber crimes. Further, reports have also indicated victims’ reluctance to approach the police when faced with such online assault. This is attributable to several reasons, such as police insensitivity to the impact of such crimes, fears that their identity will be revealed, or discouragement by their families and friends. The problem is further compounded by the abysmal rate of conviction in cyber crime cases in general. A survey of cyber crime incidents in Delhi, for instance, indicates that for every five hundred cyber crime incidents that take place, only fifty are reported to the police and only one goes on to be registered. The relevant legal provisions in the Information Technology Act, 2000 (IT Act) and the Indian Penal Code (IPC) are also problematic. These provisions have been criticized as being based on archaic notions of obscenity and morality, and are not geared towards the preservation of women’s rights to freedom of expression and privacy on the internet.

The government has been alert to the increasing incidence of cyber crimes against women. In 2014, a national consultation was held by the National Commission for Women on the ways and means to safeguard women from cyber crimes in India. Some of the recommendations of the consultation were untenable, such as the creation of unique identification numbers for creating accounts on social media. Nevertheless, the recommendations also recognized the need for constructive reframing of the provisions of the IT Act and the IPC. However, nearly two years after the consultation, the law as well as the approach of law enforcement agencies remain unchanged. More recently, the Ministry for Women and Child Development has set up a cyber cell to check online abuse. Reports also indicate that the matter has been taken up with the Ministry of Home Affairs (MHA) and the Ministry of Information Technology, while also liaising with platforms like Twitter and Facebook. Additionally, in line with the recommendations of an expert committee on cyber crimes, the MHA has also proposed the setting up of a Cyber Crime Prevention against Women and Children (CCPWC) scheme to focus on crimes like online sexual abuse, harassment etc.

While it is heartening that the government is working proactively to counter online harassment of women, it is necessary to tread cautiously when considering remedies to tackle the issue. Reactive policies that seek to prohibit abusive content can easily transform into over-broad policies which will effectively censor online speech. Online harassment of women is deeply entrenched in the patriarchal bias of our society, and solutions which seek merely to prohibit or limit speech cannot stem the tide of misogynistic or sexist content. In this context, social media and technology companies will need to play an important role in dealing with cyber violence against women. Any solution must, therefore, necessarily be representative of all stakeholders, including users, platforms or intermediaries, and the criminal justice system. In the face of a regressive legal framework, reliance must also be placed on non-legal strategies such as moderation of comments, reporting of abusers etc. User-led movements such as the creation of the hashtag #MisogynyAlert, spearheaded by feminists on Twitter, are an illustration of the creative ways in which women are choosing to handle online harassment.

The internet has been hailed “as the most participatory form of mass speech developed”, and “the strength of our liberty depends upon the chaos and cacophony of the unfettered speech”. Online violence against women deprives them of the social, economic and political opportunities that the internet provides. It is urgently necessary that online violence against women is recognized as a systemic problem as significant as offline violence against women, while also identifying and evolving solutions that are effective and consistent with civil liberties on the internet.


The India-US Cyber Partnership: Why Does it Matter?

By Shilpa Rao

India and the United States agreed on a joint cyber framework last month. This was at the second India-US Strategic and Commercial Dialogue held in New Delhi on August 31, 2016, which followed Prime Minister Narendra Modi and President Barack Obama’s discussion of such a framework in June 2016.

In the US-India joint cyber framework, both countries commit to maintaining an open, interoperable, secure, and reliable cyberspace. The framework lists steps that will increase cybersecurity cooperation. It also highlights the need to leverage cyberspace to promote economic growth and development, innovation, and commerce on the Internet.

The framework is likely to impact the US-India relationship in the context of cyber-security and defence. It may also result in India maintaining a steady commitment to the multistakeholder model of internet governance, which is an issue on which India has a history of wavering.

What Cybersecurity and Defence Commitments have we made?

Both nations have agreed to promote close co-operation between their law enforcement agencies to combat cybercrime. They will share information on cybersecurity threats on a real-time basis, and will develop joint mechanisms to mitigate such threats. They will also conduct joint training programs for law enforcement agencies as a capacity-building measure.

These commitments are likely to help India gain support and assistance with the investigation of cybercrimes. This is much-needed support that we have lacked, in part because of India’s refusal to sign the Budapest Convention, which has arguably limited our ability to tackle several cybersecurity issues. This is particularly so in the context of the jurisdictional issues and information sharing for which the Convention creates a framework. The US-India Cyber Partnership commitments resemble the recommendations of the Budapest Convention on Cybercrime, 2001 (contained within Article 23).

India and the US have been gradually focusing on developing cyber tools that enable innovation, improve defence mechanisms and mitigate attacks in cyberspace. The US-India Defence Technology and Trade Initiative (DTTI), which promotes co-development and co-production of technical equipment, is one such effort. Separately, trade restrictions, including those over cyber tools, will be eased through the bilateral High Technology Cooperation Group.

Why does the commitment to Multistakeholderism in Internet Governance matter?

India has gone back and forth on its position on whether the multistakeholder model or the multilateral model is most suitable for Internet governance. For example, at the Internet Governance Forum 2012 in Baku, India supported the multistakeholder approach to Internet governance. However, at the International Telecommunications Union Plenipotentiary Conference 2014 in Busan, India took the more multilateral stand that governments must play the major role in Internet governance. After this, India performed another volte-face, reiterating its support for a multistakeholder approach in June 2015.

In the India-US cyber framework, India has clearly committed to the multistakeholder approach. This Indo-US partnership might encourage India to introspect on its domestic policies, which some may argue reflect India’s reluctance to embrace the multistakeholder approach. Nevertheless, the effectiveness of these bilateral ties in maintaining India’s commitment to multistakeholder governance of the Internet remains to be seen.

What are the significant takeaways from the framework?

The US-India cybersecurity framework positions India as a key player in Internet governance and cybersecurity. India stands to benefit from the framework, particularly with regard to information sharing and co-operation between law enforcement agencies in combating cybercrime and enhancing cybersecurity.

However, some of India’s most significant cybersecurity threats emanate from its neighbours – China and Pakistan. To confront these threats, India would benefit from regional engagement, particularly in Asia, on multistakeholderism and cybersecurity co-operation. In light of this, a multistakeholder, cooperative approach towards cybersecurity may be necessary and practicable towards combating cybercrime.

Encryption in India: The Way Forward

By Sowmya Karun

Earlier this year, the Supreme Court of India dismissed a public interest litigation petition calling for a ban on messenger apps like WhatsApp, Telegram, etc. for their adoption of end-to-end encryption. In the months since, service providers and companies across the world have increasingly chosen to adopt higher and more secure standards of encryption for data and communications. Slowly and steadily, encryption is becoming ubiquitous in all forms of communication, and it is urgently necessary to reflect on the formulation of a legal framework on encryption.

Contrary to the Government’s stated commitment to the adoption of best practices relating to encryption and other emerging technologies in the National Telecom Policy of 2012, its engagement with encryption technology has been blinkered and confused. In September last year, a draft National Encryption Policy (“draft NEP”) was released, only to be hastily withdrawn following widespread criticism on the ambiguous and impractical standards it sought to impose.

Encryption is the scrambling of messages, information or data into a form which is unreadable by anyone except the intended recipient. Most commonly, encryption is applied to data at rest on a device, data in transit such as e-mail or messaging, or data stored in the cloud. Today, the bulk of our communications and data are handled electronically and over the Internet. Encryption has become an indispensable instrument to ensure that digital communications, ranging from personal phone conversations to e-mail to online financial transactions, are protected from interference. Encryption allows for the preservation of the confidentiality, authenticity and integrity of these communications. As the internet continues to expand in size, the significance of encryption in protecting data transmitted online, whether for storage or for commercial and financial transactions, will also grow. Encryption has been rightfully recognized as a leading instrument for online security, enabling the exercise of the rights to freedom of opinion and expression as well as the right to privacy in the digital age. In an age where governments across the world are expanding invasive surveillance, encryption allows for the preservation of a safe and private space for free expression.

Under Section 84A of the Information Technology Act, 2000, the Central Government is authorized to prescribe the modes and methods of encryption for the secure use of the electronic medium and for the promotion of e-governance and e-commerce. In the absence of specific rules or a policy on encryption enacted under the said provision, reliance is placed on the license agreements between the government and telecom or internet service providers to determine the legal limits of encryption. Under the license agreement for the provision of Internet services, internet service providers are prohibited from using bulk encryption. The agreement, which follows a template drafted nearly a decade ago, also limits encryption to keys of only 40 bits, a standard that technologists and industry have decried as very weak. Additionally, the use of stronger encryption tools requires permission from, and the disclosure of the relevant decryption keys to, the Department of Telecom. The inadequacy of this limit is most amply demonstrated by the differing encryption mandates issued by sectoral regulators within the government itself. The RBI, for instance, prescribes a minimum encryption level of 128 bits for Internet banking transactions, and SEBI prescribes 64-bit/128-bit encryption for network security in securities trading over mobile phones or wireless applications. It must also be noted that this 40-bit limitation applies only to ISPs, and not to OTT service providers such as Whatsapp etc., even though the encryption technology used by the latter has been referred to in the TRAI's Consultation Paper on Regulatory Framework for Over-the-top (OTT) services.

Companies and individual users continue to operate within this regulatory vacuum of conflicting prescriptions. In light of India's growing vulnerability to cyber attacks and data breaches, a clear and unambiguous regulatory framework is indispensable to enable innovation and the deployment of stronger encryption tools to protect data and networks. At the same time, such a framework must accommodate the dynamic nature of these technologies and push for an industry-driven framework in which user choice and convenience are given importance. This need is only amplified when considered through the prism of the Government's focus on schemes such as Digital India and the Smart Cities Mission, which will rely substantially on secure and reliable data storage and communication networks.

The necessity for a specific framework on encryption is especially important in light of the increasing tendency of governments across the world to seek access to encrypted communications. The kinds and scope of encryption being introduced into mainstream communications and products have contributed to fears of these networks "going dark", rendering them completely immune to any interception by intelligence or law enforcement authorities. It has been asserted that encrypted communications render the investigation of financial crimes, illicit drugs, child pornography and terrorism difficult. Concerns have also been expressed about the use of encrypted technologies to facilitate harassment and similar offences on the Internet. Thus, technological moves towards higher and more secure levels of encryption have inevitably been countered by efforts by state agencies to break such encryption, triggering the proverbial "crypto-wars". In the Indian context, the government controversially sought and gained access to encrypted communications over Blackberry Messenger in 2013. It was also reported that the government had similarly required companies like Skype and Google to allow for interception of their data. The draft NEP also had various provisions which have been criticized as detrimental to network security and data privacy.

In this context, the discourse on exceptional access for law enforcement agencies to encrypted communications has been framed in terms of the conflicting interests of privacy versus security. The repercussions of locking legitimate government access out of possibly criminal communications need to be addressed. On the other hand, technologists and civil society activists have pointed out that weakening encryption systems or building vulnerabilities into them can have far-reaching and unintended effects. It is necessary, therefore, to stop viewing encryption and national security as competing forces and to adopt a nuanced approach to understanding these issues.

The encryption debate is a multifaceted one, involving considerations relating not only to national security, but also to the integrity and authenticity of data, the rights to privacy and freedom of opinion and expression, and the business and commercial interests of a very large number of entities. Even though the draft policy was withdrawn, the government has stated that a robust NEP is necessary and will be re-introduced soon. While inputs have been sought from industry bodies on the proposed policy, civil society and other stakeholders remain conspicuously absent from these deliberations. At this juncture, it is essential for those interested in protecting citizens' fundamental rights and ensuring government and industry accountability to critically weigh in on these policy and legal formulation processes. This would ensure that such a policy framework is not only robust and secure, but also cognizant of the human rights of citizens as well as business interests.

Sowmya Karun is a Project Manager at the Centre for Communication Governance at National Law University Delhi

Internet Shutdowns: An Update

By Sowmya Karun

At the time of posting, mobile internet services continue to remain suspended in parts of Jammu & Kashmir for the sixth consecutive day. The shutdown was enforced in response to the tense law and order situation prevailing in the Kashmir valley following the death of Burhan Wani, a top commander in the terrorist outfit Hizbul Mujahideen.

This shutdown, already the fourteenth this year in India, comes on the heels of the adoption of a resolution by the UN Human Rights Council (UNHRC) on the "promotion, protection and enjoyment of human rights on the internet". Although the resolution stops short of recognizing access to the internet as a human right, it affirms that human rights exercised offline should also be protected online. The UNHRC had previously resolved to protect human rights online in its 2012 and 2014 sessions, but this resolution marks a significant improvement as it specifically comments on the hitherto unaddressed issue of internet shutdowns. It condemns measures that "disrupt access to or dissemination of information online, in violation of international human rights law" and calls on states to refrain from such measures. The resolution is timely, as it comes at a juncture when governments worldwide are, with increasing frequency, adopting various strategies to shut down the internet. Governments have shut down the internet to counter problems ranging from civil unrest or uprisings, as in Zimbabwe most recently, to cheating in exams, as in Gujarat earlier this year.

Contrary to media reports that India had voted against the resolution, India voted in favour of three amendments to the resolution mooted by Russia and China. While commentators have been divided on whether these amendments are antithetical to the spirit of the resolution, India did vote in favour of an amendment to weaken the emphasis on the "human rights-based approach" conceived of originally in the resolution. The cruel irony of this is amplified in the context of the questionable human rights record of the armed forces and the police in Jammu and Kashmir, which has experienced the highest number of shutdowns in the country.

In our previous posts, we had argued that the implementation of shutdowns under Section 144 of the Code of Criminal Procedure, 1973 suffered from fatal over-breadth and was constitutionally unviable. In practical terms, the hazards of implementing a widespread internet shutdown cannot be overstated. The suspension of the internet, especially in situations of riot or violence, becomes especially problematic for citizens. As reported in Jammu and Kashmir, the lack of reliable information through communication channels has contributed to the spread of rumours and the worsening of the situation in many parts of the valley. The communication breakdown has adversely affected the provision of much-needed health and emergency services, in addition to significantly disrupting trade and commerce. The collateral damage of internet shutdowns becomes especially relevant when considered against the prism of the Government's stated mission in endorsing programs like Digital India and the Smart Cities Mission, which will rely substantially on the internet for smooth functioning and delivery of services. With the mechanics of everyday life being increasingly intertwined with the internet, it is essential to ask whether the internet should be shut down without procedural transparency.

As previously stated, India is not alone in implementing internet and communication network shutdowns of this nature. Not surprisingly, even in jurisdictions with a strong tradition of respect for free speech, executive procedures for shutting down the internet and other communication services at the government's instance remain shrouded in secrecy. In the US, for instance, a policy known as Standard Operating Procedure 303 allows for the shutdown of cell-phone services anywhere in the country in the event of a crisis situation. As in India, on account of the lack of transparency and accountability, activists fear that the power may be abused. A petition that sought more information on the protocol was declined by the Supreme Court of the United States. In the UK too, a localized mobile network shutdown implemented by the City of London Police following the terrorist bombings in London came in for heavy criticism, having affected over a million individuals' communications. A review committee found that the protocol needed to be reviewed and restructured to provide for adequate and effective procedures to follow.

Additionally, the conversation on internet shutdowns is increasingly focused on the prospect of shutting down the internet in the event of a cyber attack. In the UK, for instance, specific legislation enables Government-ordered suspension of the internet to bring about "web Armageddon". In India, the debates and discourse around internet shutdowns are still nascent, but will only acquire increasing significance. The Government is in the process of considering amendments to the Information Technology Act, 2000 to ramp up cyber security provisions. As we progress toward systems that are completely digitized, the likelihood of cyber attacks will only increase, which raises the question of whether the Government can choose to shut down the internet and what procedures it is bound by in doing so.

The internet is a great enabler of democracy, having greatly lowered the hurdles to free speech and assembly. Any attempt at shutting down the internet must necessarily be accompanied by structured efforts to avoid the arbitrary exercise of such power. The imminent threat of an Emergency-like situation gagging the internet may seem alarmist at the moment, but there certainly needs to be an active and concerted effort to examine the legality and necessity of shutdowns while putting in place strict procedural standards.

Sowmya Karun is a Project Manager at the Centre for Communication Governance at National Law University Delhi

WhatsApp Encryption: To Ban or Not to Ban

By Sowmya Karun

Today, a division bench of the Supreme Court of India comprising Chief Justice Thakur and Justice Khanwalkar examined a public interest litigation petition seeking a ban on Whatsapp and analogous messenger apps. The petition, filed by Mr. Sudhir Yadav, states that the complete end-to-end encryption technology adopted by Whatsapp (and other messenger apps) is in violation of the encryption standards mandated by the Government. The inability of the government to access these encrypted communications in any manner, it is argued, represents a threat to the national security of the country. Mr. Yadav approached the Supreme Court after an RTI application filed by him indicated that the Government is not in possession of the encryption keys to Whatsapp communications.

The issue came into the spotlight following the introduction of complete end-to-end encryption earlier this year by Whatsapp, which is used by over 96% of smartphone users in the country. While other apps have followed suit in securing communications through encryption, the encryption technology adopted by Whatsapp has been lauded for offering complete end-to-end encryption by default to a very large consumer base. This technology does not allow any kind of back-door access to the communications, whether encrypted or unencrypted, to other users, law enforcement agencies or even Whatsapp itself. This level of security in private communications, Mr. Yadav argued, poses a challenge to the Government and law enforcement agencies in maintaining national and cyber security. As indicated in the white paper released by Whatsapp, Whatsapp's servers cannot access the private keys of their users and cannot comply with government or court orders seeking to intercept such data.

The government guidelines or mandated standards on encryption for web and information technology enabled services are inconsistent and ambiguous. S. 84A of the Information Technology Act, 2000 empowers the Central Government to prescribe the modes and methods of encryption. However, no definitive requirements have been laid down by the Government under this Act. Various regulatory authorities such as the Reserve Bank of India and the Securities and Exchange Board of India have adopted differing encryption standards for transactions under their parent legislations. Furthermore, e-commerce companies and other web service providers have continued to adopt more secure standards of encryption in response to customer demand. In September 2015, the Department of Electronics and Information Technology had released a draft National Encryption Policy ("NEP" or "Policy") proposing to lay down mandatory encryption standards and key disclosure requirements for users and web service providers. The draft Policy, however, was hastily withdrawn following widespread criticism of its ambiguous and impractical standards. Interestingly, an addendum to the draft Policy issued before it was withdrawn granted an exemption to "mass-use encryption products…used in web applications, instant messengers and social media applications such as Whatsapp, Facebook, etc." In the absence of any regulatory mechanism for over-the-top services such as Whatsapp, messenger apps are effectively free to adopt their own encryption standards.

The bench dismissed the petition as withdrawn and directed Mr. Yadav to approach the appropriate authorities or tribunal. Mr. Yadav now intends to make representations to the Telecom Regulatory Authority of India as well as the Department of Information Technology, failing which he will file a petition with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

The crux of the issue can be reduced to the essential balance required between protecting the privacy of citizens and the legitimate need of the government and law enforcement agencies to access encrypted communications for reasons of national and cyber security. Reminiscent of the recent Apple-FBI furore in the United States as well as the temporary ban on Whatsapp by a Brazilian court, the issue also raises questions as to the liability of service providers such as Whatsapp who may not comply with interception requests under Government or court orders on account of the sheer technological inability to reveal such data. Even though the draft NEP has been withdrawn, the Telecom Minister has categorically stated that a robust NEP is necessary and will be re-introduced soon. With the draft NEP back at the drawing board and the Supreme Court's refusal to engage with the issue, it remains to be seen whether the full end-to-end encryption offered by services such as Whatsapp will survive any future standards laid down by the Government.

Sowmya Karun is a Project Manager at the Centre for Communication Governance at National Law University Delhi