The Status of ‘Encryption’ in India’s Digital Policy Debate

While the country continues to take giant strides towards the dream of Digital India, the new data-fueled order and the growing digital interconnectivity have exposed greater vulnerability in the threat landscape. One of the major challenges that India must confront is the need to protect its citizens’ right to privacy and freedom of expression. Encryption, as an enabler of the aforementioned rights, has gained prominence as one of the prime means of ensuring information security. However, the misuse of technology for malicious and illegal purposes (such as terrorism, inciting violence, spreading fake news, causing harassment etc.) has diluted the guarantees of consumer privacy in favour of national security and has steered the conversation towards regulating encryption.

At present, India does not have a unified encryption framework. An attempt was made through the National Encryption Policy 2015 but it was swiftly discarded after the industry, businesses, civil society and media decried it for being a ‘decryption policy rather than an encryption policy’. Encryption policy is currently spread across sector-specific regulations by the RBI, SEBI, Department of Telecom, Ministry of Health, UIDAI etc., each prescribing differing standards. Further, several laws and policies attempt to either limit encryption or gain access through decryption. The absence of a uniform encryption policy, intermingled with rapid legislative and policy developments in the field of data protection, data governance and intermediary liability, has complicated the issue even more.

1. Regulation of social media intermediaries - encryption versus traceability

(a) What is traceability?

Traceability, or the ability to track down the originator of a particular piece of content or message, is at the heart of the debate around rules for regulating online platforms and social media intermediaries in India. The government recently notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“Intermediary Rules”), which mandate all significant social media intermediaries (“SSMI”) that primarily provide messaging services to enable the identification of the first originator of a message when required to do so, either by a court order or by an order of the government under Section 69 [1] of the Information Technology Act, 2000 (“IT Act”).[2] An originator is a person who sends, generates, stores or transmits any electronic message or causes any electronic message to be sent, generated, stored or transmitted to any other person but does not include an intermediary. The government has set the threshold of fifty lakh registered users for a social media intermediary to be considered as SSMI.[3]

(b) What is end-to-end encryption (“E2EE”)?

E2EE is a cryptographic technique which creates a secure, encrypted communication channel between two users in a way that only the recipient can decrypt the message using a secure key that is unique to each sender-recipient pair. Decrypting messages via interception is practically impossible. Even the intermediaries cannot decrypt the private conversations between two users.

(c) Can traceability and E2EE co-exist?

While the government insists on traceability to track and prosecute individuals who spread content that adversely impacts public order or national security or use such platforms for illegal activities, platforms such as WhatsApp and Facebook have challenged the traceability requirement as being unconstitutional and violative of people’s right to privacy.[4] They argue that in order to comply with the aforementioned rule, platforms will be forced to break E2EE and considerably weaken the security and privacy of their product. Traceability undermines the right to communicate anonymously on the internet, making it easier for human rights activists, dissenters and people belonging to vulnerable and marginalized groups to be targeted by authoritarian states, malicious actors, and those in power.

The Indian government insists that traceability is possible without undoing encryption and has suggested two potential solutions – tagging each message with the originator’s information, and comparing hash values of problematic messages with what the intermediary has. However, cryptography experts have said that enabling identification of the originator at the very least defeats the purpose of end-to-end encryption, if not entirely breaks it. ‘Tagging’ has been decried for having a chilling effect on free speech whereas ‘hashing’ has been criticized as it will require intermediaries to retain too much data and defeat the privacy-preserving principle of data minimization.[5]
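The hash-comparison proposal and the data-minimization objection to it can be made concrete with a small model. This is an added example, not code from the Intermediary Rules, the government or any platform; the ledger design, the use of SHA-256 and all names and messages are assumptions made for illustration, since the article does not specify how hashing would be implemented.

```python
import hashlib

def fingerprint(plaintext: str) -> str:
    """Content hash a client would report with each ciphertext (SHA-256 is assumed)."""
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()

class OriginatorLedger:
    """Hypothetical intermediary-side store: one entry per distinct message ever sent."""

    def __init__(self):
        self.first_seen = {}  # hash -> (sender, timestamp)

    def record(self, sender: str, plaintext: str, ts: int) -> None:
        # setdefault keeps the earliest sender; later forwards do not overwrite it.
        self.first_seen.setdefault(fingerprint(plaintext), (sender, ts))

    def trace(self, known_plaintext: str):
        # Anyone holding the ledger can test ANY known text, not only a flagged one.
        entry = self.first_seen.get(fingerprint(known_plaintext))
        return entry[0] if entry else None

# Constructed sample traffic in timestamp order: (timestamp, sender, message text).
TRAFFIC = [
    (1, "asha", "Meeting moved to 5 pm"),
    (2, "ravi", "Forwarded rumour text"),
    (3, "meena", "Forwarded rumour text"),
    (4, "asha", "Doctor appointment confirmed"),
    (5, "kiran", "Forwarded rumour text"),
    (6, "ravi", "Salary credited today"),
]

def run_demo() -> dict:
    ledger = OriginatorLedger()
    for ts, sender, text in TRAFFIC:
        ledger.record(sender, text, ts)
    return {
        # The lookup an order would ask for: first sender of the flagged text.
        "flagged_originator": ledger.trace("Forwarded rumour text"),
        # The same ledger also answers lookups about unrelated private messages.
        "unrelated_lookup": ledger.trace("Doctor appointment confirmed"),
        # Retained for every distinct message, although one order needs one record.
        "records_retained": len(ledger.first_seen),
        "records_needed_for_order": 1,
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The ledger has to exist before any order is issued, so it holds a content-derived record for every message from every user, which is the retention burden the critics describe.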

(d) Whether traceability violates the right to privacy?

The Supreme Court of India in K.S. Puttaswamy v. Union of India (“Puttaswamy”) [6] established the three-pronged approach for testing whether any State action violates the fundamental right to privacy. The three criteria which must be met are:

(i) Legality, which postulates the existence of law;

(ii) Need, defined in terms of a legitimate state aim/interest; and

(iii) Proportionality, which ensures a rational nexus between the objects and the means adopted to achieve them.

The traceability requirement is backed by a law, i.e. the Intermediary Rules read together with the IT Act. The government has assured that the traceability measure will be used only for the purposes of “prevention, detection, investigation, prosecution or punishment of an offence related to the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, or of incitement to an offence relating to the above or in relation with rape, sexually explicit material or child sexual abuse material.” [7] Hence, the first two requirements of legality and legitimate state interest are met. However, it is not clear whether the mandatory traceability requirement meets the test of proportionality.

The Intermediary Rules state that beyond identifying the first originator, the SSMI will not be required to disclose the contents of any electronic message or any other information related to the first originator or any information related to its other users.[8] However, when read together with Rule 13[9] and Rule 17[10] of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 that require intermediaries to assist with decryption when they have the technical ability to do so, the government can easily gain access to the information underlying the encrypted data as well.

Further, the traceability requirement applies only to SSMIs who provide services “primarily in the nature of messaging”.[11] While WhatsApp, iMessage, Telegram and Signal are clearly covered under this requirement, it gets murkier when it comes to open and public social media platforms like Facebook, Twitter, Instagram, LinkedIn, YouTube etc., whose primary services are arguably not messaging. Does this mean that if a social media intermediary is primarily not a messaging service, it can preserve end-to-end encryption without enabling identification of the originator? Is this distinction tenable under law? Neither the Intermediary Rules nor any government notification provides clarity on the rationale behind this distinction.

Creating backdoors in an encrypted platform, in reality, can never just be for the purpose of law enforcement. In order to meet the traceability requirements, online platforms will be compelled to weaken E2EE, which will lower the wall of privacy and security for all. Hostile actors will find their way in and then threaten the security of the entire citizenry. Instead, sharing limited meta-data (and not content-data), such as when the user was last active on the platform, how often they use it, user registration data etc., may help the law enforcement agencies with their investigations without the need to break the encryption. Further, such limited data sharing should also comply with the three-pronged test of legality, need and proportionality as prescribed in the Puttaswamy judgement.

2. Other legislative developments

Meanwhile, the Personal Data Protection Bill, 2020, if passed, would become the overarching law on data processing, storage and protection across all sectors. Section 24(1) of the Bill requires data fiduciaries to implement necessary security safeguards such as encryption, methods to prevent de-identification and integrity of personal data. However, the Bill also has the controversial section 35 that empowers the central government to exempt any of its agencies from the application of the Act. Further, the Report by the Committee of Experts on Non-Personal Data Governance Framework, under the technology related guiding principles, mentions homomorphic encryption as a means for preventing the de-anonymization of data. One wonders whether these provisions will stand against the Intermediary Rules if an individual does not consent to data-sharing or chooses to erase his/her personal data and is then found to be the ‘first originator’ of some questionable content.

Further, NITI Aayog’s Data Empowerment and Protection Architecture (“DEPA”) Framework builds upon the PDP Bill’s concept of a ‘consent manager’ to manage a data principal’s consent for data sharing through an accessible, transparent and interoperable platform. These consent managers will be data blind i.e. they will not see or use personal data themselves; but simply serve as a conduit for data flows between the data principals and the data fiduciaries who will use such data. DEPA also necessitates end-to-end data security, which again appears to create a conflicting pressure on end-use data fiduciaries, expecting them to both be secure but also provide access on demand to government agencies.

3. Conclusion

The state and direction of encryption in India remains tenuous as it tries to balance the imperatives of individual privacy, security of digital infrastructure and public safety, order and national security. We must not treat privacy and security as trade-offs. Robust security provisions like cybersecurity protection, data leak prevention, and data encryption are essential to underpin privacy obligations. A comprehensive stakeholder consultation inviting law enforcement agencies, human rights workers, big tech, crypto experts, privacy advocates, data experts among other key players to better understand this challenge and its possible solution is the only way forward.

______________________________________________________________________________

[1] Section 69 of Information Technology Act, 2000 reads:

69. Directions of Controller to a subscriber to extend facilities to decrypt information.

(1) If the Controller is satisfied that it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence, for reasons to be recorded in writing, by order, direct any agency of the Government to intercept any information transmitted through any computer resource.

(2) The subscriber or any person in charge of the computer resource shall, when called upon by any agency which has been directed under sub-section (1), extend all facilities and technical assistance to decrypt the information.

(3) The subscriber or any person who fails to assist the agency referred to in sub-section (2) shall be punished with an imprisonment for a term which may extend to seven years.

[2] Rule 4(2), Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021

[3] Ministry of Electronics and Information Technology Notification F. No. 16(4)/2020-CLES, New Delhi, February 25, 2021, available at: https://egazette.nic.in/WriteReadData/2021/225497.pdf

[4] Nupur Thapliyal, ‘WhatsApp Moves Delhi High Court Challenging Traceability Clause Under New IT Rules As Violative Of Right To Privacy’, 26 May 2021, Live Law, available at: https://www.livelaw.in/top-stories/whatsapp-moves-delhi-high-court-challenging-traceability-clause-as-being-violative-of-right-to-privacy-174704

[5] Aditi Agrawal, Traceability and end-to-end encryption cannot co-exist on digital messaging platforms: Experts, Forbes India, 15 March 2021, available at: https://www.forbesindia.com/article/take-one-big-story-of-the-day/traceability-and-endtoend-encryption-cannot-coexist-on-digital-messaging-platforms-experts/66969/1

[6] K.S. Puttaswamy v. Union of India, 2017 10 SCC 1, decided on 24 August 2017

[7] ‘New IT rules not against privacy; tracing messages only for “very serious offences”: Govt’, Outlook- The News Scroll, 26 May 2021, available at: https://www.outlookindia.com/newsscroll/new-it-rules-not-against-privacy-tracing-messages-only-for-very-serious-offences-govt/2090345

[8] Proviso 3 to Rule 4(2), Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021

[9] Rule 13 Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 reads:

13. Intermediary to provide facilities, etc.

(1) The officer issuing the requisition conveying direction issued under rule 3 for interception or monitoring or decryption of information shall also make a request in writing to the designated officers of intermediary or person in-charge of computer resources, to provide all facilities, co-operation and assistance for interception or monitoring or decryption mentioned in the directions.

(2) On the receipt of request under sub-rule (1), the designated officers of intermediary or person in-charge of computer resources, shall provide all facilities, co-operation and assistance for interception or monitoring or decryption of information mentioned in the direction.

(3) Any direction of decryption of information issued under rule 3 to intermediary shall be limited to the extent the information is encrypted by the intermediary or the intermediary has control over the decryption key.

[10] Rule 17 Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 reads:

17. Decryption key holder to disclose decryption key or provide decryption assistance.

If a decryption direction or a copy thereof is handed to the decryption key holder to whom the decryption direction is addressed by the nodal officer referred to in rule 12, the decryption key holder shall within the period mentioned in the decryption direction-

(a) disclose the decryption key; or

(b) provide the decryption assistance, specified in the decryption direction to the concerned authorised person.

[11] Rule 4(2), Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021

The views expressed in this article are solely those of the authors and they do not represent the views of DAKSH.