This article explains what encryption means and how it has become the subject of an intense debate between the legislature and the judiciary. What would you do if you had to send a secret message to ‘A’ and it had to pass through ‘C’, who is eavesdropping on you? A simple way is to agree on code words that only you and ‘A’ would understand. This is something Julius Caesar did too: he wrote his messages in cipher text by shifting each letter three places down the alphabet, so only those who knew his scheme could read them. This is what encryption does. It is a way of protecting data from malicious hackers, spies and online criminals. In an encryption scheme, a mathematical algorithm scrambles plain text into gibberish (‘cipher text’) so that the data is protected and becomes difficult to decode.
Schedule V of the Information Technology (Certifying Authorities) Rules, 2000, defines encryption as:
“The process of transforming plaintext data into an unintelligible form (cipher text) such that the original data either cannot be recovered (one-way encryption) or cannot be recovered without using an inverse decryption process (two-way encryption).”
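The Caesar shift described above and the Schedule V distinction between two-way and one-way encryption, as an added example that is not part of the original article. The Caesar functions and the `brute_force` helper are constructed for illustration and assume plain Latin letters; they also show why the key length discussed later in the article matters, since a scheme with only 25 possible keys protects nothing against anyone who knows the scheme. SHA-256 stands in for the one-way case.

```python
import hashlib
import string

# Assumption: uppercase Latin letters only; any other character passes through unchanged.
ALPHABET = string.ascii_uppercase


def caesar_encrypt(plaintext: str, shift: int = 3) -> str:
    """Two-way encryption: each letter moves `shift` places down the alphabet."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % len(ALPHABET)])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, shift: int = 3) -> str:
    """The inverse process of Schedule V's 'two-way encryption': shifting back recovers the data."""
    return caesar_encrypt(ciphertext, -shift)


def brute_force(ciphertext: str) -> dict[int, str]:
    """Why key space matters: knowing the scheme but not the shift leaves only 25 candidates,
    so the 'secret' is recoverable by simply listing them all."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, len(ALPHABET))}


def one_way(plaintext: str) -> str:
    """Schedule V's 'one-way encryption': a hash has no inverse process that recovers the input."""
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample message.
    msg = "ATTACK AT DAWN"
    ct = caesar_encrypt(msg)
    print("cipher text:", ct)                      # DWWDFN DW GDZQ
    print("decrypted:  ", caesar_decrypt(ct))      # ATTACK AT DAWN
    for k, candidate in brute_force(ct).items():
        print(f"shift {k:2d}: {candidate}")        # shift 3 reveals the plaintext
    print("one-way:    ", one_way(msg))            # cannot be reversed to recover msg
```

The contrast is the point of the definition: `caesar_decrypt` is the "inverse decryption process" that makes the scheme two-way, while `one_way` has no such inverse. Strong two-way encryption differs from the Caesar shift not in kind but in key space, which is why a cap of 40 bits, as in the DoT licence terms discussed later, is a security concern.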
This is now becoming a major cause of debate, as enforcement agencies are demanding that encryption be weakened through back doors to give them easier access to information. On the other hand, weakening encryption would violate the right to privacy, as it is one of the tools available to individuals to protect themselves from Big Brother and Big Tech. As digital networks increasingly become the preferred channel for commerce, encryption is critical for maintaining security and trust in this medium. But does India have comprehensive laws that adequately regulate encryption?
Encryption and the Data vulnerability in India
A petition filed before the Supreme Court of India claimed that messaging apps including WhatsApp, Viber, Telegram, Hike and Signal were helping terrorists and criminal elements by encrypting messages. These apps, the petition argued, therefore posed a threat to national security and should be banned. The honourable Supreme Court refused to entertain the petition. It stated that there was no urgency to ban WhatsApp and similar applications merely because they use strong end-to-end encryption to safeguard the communications carried on their services.
India does not have dedicated statutory provisions on encryption. However, a number of sectoral regulations, including those for the banking, finance and telecommunication industries, do carry stipulations such as the minimum standards of encryption to be used in securing transactions. A draft National Policy on Encryption under Section 84A of the Information Technology Act, 2000 was published on 21st September 2015 and invited inputs from the public, but it was withdrawn on 23rd September 2015. Section 84A permits the Central Government to prescribe encryption standards and methods to secure electronic communications and, at the same time, to promote e-governance and e-commerce.
The encryption debate in India has much to learn from the conflict between Silicon Valley and the United States government. Yet there are many unique considerations that the legislature must keep in mind. India’s domestic legal system suffers from a lack of privacy legislation, inadequate data protection rules, and a surveillance regime that is, for the most part, still guided by colonial legislation. How a country regulates encryption has implications for the rights, commerce and national security of its citizens. India will need to harmonise its regulatory landscape in order to balance the interests of the various stakeholders involved.
Draft National Encryption Policy to regulate the use of encryption
The draft policy applied to the use of encryption technologies for the storage and communication of information held by the government, businesses and citizens. It gave the Central Government the power to specify and notify the encryption protocols and technologies that could be used for this purpose. The policy was withdrawn owing to certain grey areas in its provisions, which it was feared might cause upheaval not only in the IT sector but also among users. Soon after the release of the draft policy, DeitY issued a proposed addendum to it. The proposed addendum exempted the following from the purview of the draft national encryption policy:
- Mass-use encryption products currently used in web applications, social media sites and social media applications such as WhatsApp, Facebook, Twitter etc.
- SSL/TLS encryption products being used in Internet-banking and payment gateways as directed by the Reserve Bank of India.
- SSL/TLS encryption products being used for e-commerce and password-based transactions.
Within two days of its release, the draft was withdrawn. Its provisions on encryption technologies were said to be vague and unfeasible. Mr Ravi Shankar Prasad, Union Minister of Communications and Information Technology, said that India lacked any kind of encryption policy and that the original draft would therefore be refined, recognising that unclear policy provisions would only make matters worse. The draft policy received an outsized amount of criticism from companies, the IT sector, users and civil society advocacy groups. The following were some of the points of criticism levelled against the policy:
- The provision that mandated the retention of plain-text copies of encrypted communications for 90 days by users and businesses.
- Registration of foreign service providers before they make their services available to the Indian population.
- The Government specifying the key length and algorithm to be used in encryption technologies for all users and businesses, which meant that the government could cap the maximum standard of encryption that could be used, leaving users no discretion to adopt stricter security standards.
- The provision that placed the onus on users of foreign services to retain plain-text copies of communications and hand them over when sought by an enforcement agency.
Other laws and regulations pertaining to the use and regulation of encryption
Apart from Section 84A, which grants the Central Government the authority to frame rules on how encryption is to be used and regulated, the Information Technology Act, 2000, the statute governing electronic and wireless communication, remains silent on any substantive provision, and no rules have been framed by the Central Government under this section. Beyond the Act, there are a few sectors where the use of encryption technology and products has been regulated and mandated under specific terms and conditions:
Department of Telecommunication (DoT) License with Internet Service Providers (ISPs)
The terms and conditions of the license agreement between the Department of Telecommunication and Internet Service Providers permit the use of encryption technologies only up to 40 bits with the RSA algorithm or its equivalent without prior approval from the DoT. A higher encryption standard can be used only with permission and on submission of the decryption key, split into two parts, to the DoT. Moreover, there is a complete prohibition on the use of bulk encryption by ISPs under these license terms (Clause 2.2 (vii) of the License Agreement between DoT and ISPs, January 2010). However, it is vital to note that although the terms of the Unified Service License Agreement also explicitly prohibit bulk encryption (Clause 37.1), they do not prescribe a 40-bit standard. Rather, they state that the permissible encryption standard under this Agreement is to be governed by the policies made under the Information Technology Act, 2000 (Clause 37.5). But no rules have yet been drafted under the IT Act that prescribe or regulate the use of encryption technologies in India.
Securities and Exchange Board of India (SEBI)
According to the Report on Internet Trading by the Securities and Exchange Board of India Committee on Internet-based Trading and Services, 2000, a 64/128-bit encryption standard is advisable to secure all transactions and online trading. It strongly recommends that "128-bit encryption should be allowed to be freely used". Nevertheless, it comes with a clause that the policy prescribed by the Department of Telecommunication will be adhered to with regard to encryption. In paragraph 30 of the cybersecurity and cyber resilience framework for Stock Exchanges, Clearing Corporations and Depositories, and for Registrars to an Issue / Share Transfer Agents with a portfolio of over two crore, SEBI requires that "Data in motion and data at rest should be in encrypted form by using strong encryption methods such as Advanced Encryption Standard (AES), RSA, SHA-2, etc."
Reserve Bank of India (RBI)
In paragraph 6.4.5 of the Report on Internet Banking released in 2001, the Reserve Bank of India mandated a minimum security standard for the use of Secure Sockets Layer for server authentication and the use of client-side certificates. It further mentioned the use of 128-bit SSL encryption for communication between browsers and servers, and the encryption of sensitive data such as passwords in transit within the enterprise itself.
While setting decryption mandates, it is important to understand that in order to truly achieve best-in-class security standards that encourage not only the entry of communications providers but also the growth of competing services, the policy must conform to the test of ‘necessity and proportionality’. The United Nations Special Rapporteur for Freedom of Speech and Expression has urged state governments not to impose comprehensive bans on encrypted services and to impose any restrictions only on a case-by-case basis. He has also urged them to resort to court orders for imposing specific limitations. India’s encryption policy must, however, go beyond merely setting decryption mandates. Rather, the policy must aim to:
- Update existing laws and regulations to deal with the proliferation of secured communication services.
- Upgrade the overall standard of security in cyberspace to enhance free speech and stimulate e-commerce.
- Encourage the growth of research and development in cybersecurity and cryptographic tools domestically.
- Identify and adopt international best practices in information security and data protection.
- Prescribe limits on lawful access to encrypted communication that are proportionate and effective.
The encryption policy that is drafted now is likely to set the market standards for the coming 25 years. In that time, it is hoped that the Indian market will have replaced foreign communication providers with those that are developed domestically. It will be essential to ensure that information belonging to Indian citizens is not compromised by foreign intelligence agencies and non-state actors.
In the light of cybersecurity, privacy and national security concerns, India needs a well-established encryption/decryption framework that addresses the concerns of both the information technology industry and law enforcement agencies. The private sector is required to constantly adapt and evolve in order to keep up with the technology. In this regard, its ability to combat cybersecurity threats and to protect its technological infrastructure against them depends largely on the presence of a clear national framework or regulatory environment. It is also important that any regulation dealing with encryption should not require private parties to choose between weaker encryption and the burden of giving prior notice and escrowing decryption keys for stronger encryption. Such a requirement, especially for an Internet Service Provider, may prove too onerous: it creates a disincentive for such private players to deploy robust encryption, which would eventually contribute to India’s vulnerability to cyber-attacks. It is to be noted that the requirement of notice and deposit is usually the norm in other jurisdictions. Therefore, any regulations regarding encryption issued by the Government should be flexible and adaptive to constant innovation in encryption technology. The Government must also ensure that encrypted communications or data do not pass through any third party or government agent who may derive benefits from them.