June 2020 ended with the encryption wars brought back into the limelight. In America, three Republican senators introduced a bill, the Lawful Access to Encrypted Data Act of 2020, which, if enacted, would compel platforms to aid the government in decrypting data. This bill is strikingly similar to the Draft Intermediary Guidelines that India tried to introduce in 2018, and it brings to the table essential questions about the state of the encryption debate in India.
The approach of the Indian government has been to lower encryption standards in order to gain access to user data. This contributes to systematic surveillance and also makes the Indian digital ecosystem more susceptible to cyberattacks. The government's adversarial stance towards encryption is evident from the BlackBerry case through to the draconian internet shutdowns of the recent past. In the late 2000s, the government asked BlackBerry to shut down its services or hand over its encryption keys. In 2012, RIM (Research in Motion) relocated the servers holding BlackBerry user data to India and agreed to hand over the plaintext of communications sent over BlackBerry devices to enforcement agencies. In 2018, the government blamed WhatsApp's end-to-end encryption for lynchings fuelled by misinformation. The same year, the Indian government introduced the draft amendments to the intermediary guidelines. These amendments required Internet Service Providers (ISPs), as well as communication platforms, to aid the government in tracing the originator of information on their platforms.
There are multiple factors which can potentially create a hardened surveillance system in India.
A major factor is the low standard for encryption set by the Indian government. The government of India has prescribed one standard for encryption (Section 84 of the Information Technology Act, 2000). In practice, however, sectoral regulations take precedence. The Department of Telecommunications (DoT) permits encryption up to a 40-bit key length; any encryption stronger than that requires the permission of the government. Further, any use of stronger encryption requires that the decryption keys be split into two parts and deposited with the Licensor. Other sectoral regulations, such as those from SEBI and RBI, use a higher encryption standard.
In contrast, the US Government has placed export restrictions on the sale of encryption products whose key length exceeds 40 bits, so that the NSA can break into them if required. In 2014, India's national security advisor pointed out that the US government retains a significant amount of control over information. India's archaic 40-bit key length only makes such access to Indian user data easier.
Interestingly, Rule 6 of the Certifying Authorities Rules under the Information Technology Act, 2000 prescribes the requisite standards for public keys used for digital signatures, and these are longer than 40 bits. This disparity hints that the lower encryption standard for ISPs exists in order to allow government access to user data.
Another factor is that the lack of an encryption policy leaves no set standard for data security. India's attempt at a policy was the National Encryption Policy, 2015. The policy faced backlash because it did not lay down any encryption standard. Instead, it allowed platforms to operate as long as they complied with the regulatory mechanism it laid down. Under this mechanism, service providers using encryption had to enter into an agreement with the government as a precondition, and had to hand over the encrypted text, the plaintext, and the hardware and software used for encryption upon receiving a request from law enforcement. The draft was immediately withdrawn. Mr Ravi Shankar Prasad, Union Minister of Communications and Information Technology, said that India lacks any sort of encryption policy and that the original draft would be refined for this purpose.
Further, data localisation requirements make access to user data equally easy for the government and for cybercriminals. The draft Personal Data Protection Bill (PDPB) lays down that all user data should be stored and processed domestically. However, the lack of a regulatory framework surrounding encryption leads to the accumulation of all data in one place without any oversight. Illustratively, the Bharat Bill Payment System, which collects personal and sensitive personal data akin to Aadhaar, stores the sensitive personal data of millions of users in unencrypted form.
Moreover, the draft amendments to the Intermediary Guidelines push platforms to move away from end-to-end encryption. Under these guidelines, tech companies are required to hand over information demanded by law enforcement agencies and must be able to trace information back to its originator. This pushes platforms to monitor the messages exchanged between users, which cannot be done when end-to-end encryption is in place.
These regulations enable the state to carry out surveillance and intercept communications. The government has, however, failed to recognise that by lowering encryption standards, it is not only enabling itself to access user data but also serving the localised data of millions on a platter to cybercriminals. In a situation where no data privacy and data security framework is in place, encryption is our only tool for preserving user privacy. India should therefore focus on moving towards global standards for encryption and on introducing the revised National Encryption Policy with adequate safeguards.
Varsha Singh is a final year law student.