Strong Laws to Protect Encryption Are the Need of the Hour
“ENCRYPTION safeguards the personal security of billions of people and the national security of countries around the world.”
The opening statement on the About page of the Global Encryption Coalition (‘GEC’), which consists of 180 members from among civil society organisations, companies and individuals, captures the essence of encryption.
Once considered a wartime necessity, encryption has steadily become the technological backbone for secure online communications, digital privacy and protection of national critical information infrastructure (‘CII’).
Indeed, it is crucial to protect data at a time when data breaches are only increasing. For instance, the Indian Computer Emergency Response Team (‘CERT-In’), the nodal executive agency that monitors cyber security incidents in India, reported a steady increase in data breaches since 2017 in response to a question in the Rajya Sabha.
Section 70 of the Information Technology Act, 2000 (‘IT Act’) defines CII as a “computer resource, the incapacitation or destruction of which shall have debilitating impact on national security, economy, public health or safety”.
The Union Government has previously notified the Unique Identification Authority of India-related facilities, assets and infrastructure as CII. Once these are declared a ‘protected system’ under section 70, any unauthorised person accessing them may be jailed for up to 10 years, and fined.
Nonetheless, vulnerabilities are often exploited by malicious actors. For instance, in June 2021, a personal data breach of millions of public distribution system (‘PDS’) beneficiaries in Tamil Nadu, including Aadhaar details, was reported, after an online vendor claimed access to nearly 2 terabytes of PDS data on a hacker’s platform and demanded a payment of USD 1,950 in cryptocurrency for handing over the decryption code.
Position of law enforcement agencies on encryption
Governments and law enforcement agencies (‘LEAs’) are also increasingly undermining encryption to tackle crimes and criminal communications. This includes the ‘going dark’ challenge wherein, with strong encryption protecting all kinds of data, criminals use online communications channels to hide their plans and activities. In such cases, LEAs struggle to read investigation-related information and actively oppose encryption.
The most worrying of these has been the Five Eyes alliance, which is composed of the governments of the United States, the United Kingdom, Canada, Australia and New Zealand. It voices the views of many LEAs in its unequivocal belief that “privacy is not absolute”.
A 2020 joint statement released by the Five Eyes, India and Japan goes against not just end-to-end encryption, but also a range of encrypted services available, including device encryption, custom encrypted applications and encryption across integrated platforms, purportedly to deal with potential child sexual abuse material.
In another statement, on countering child sexual exploitation and terrorism, it stated that “tech companies should include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can gain access to data in a readable and usable format.”
Further, since 2019, India has been part of an international working group to deal with criminals online, which states: “According to the participants, encryption is designed with no means of lawful access; it allows terrorists, drug dealers, child molesters, fraudsters, and other criminals to hide incriminating evidence.”
Governments are trying to undermine encryption due to this issue through legislation, such as by introducing stipulations that erode the strong end-to-end encryption deployed by many tech companies to protect consumer privacy and the integrity of personal communications. This includes tracing the first originator of messages on the instant messaging service WhatsApp. Since there is no way of knowing who may be subject to investigation, companies are required to store all communications in order to ascertain who said what, whenever they are required to do so.
However, broad surveillance adversely impacts anonymity on the internet, access to strong encryption, the issue of traceability, and laws on identifying the first originator of a message.
Laws from different jurisdictions that hamper encryption
In 2018, Australia enacted the Assistance and Access Act, to allow LEAs access to messages on platforms like WhatsApp and Facebook. It enforced conditions on tech companies and service providers to build surveillance capabilities, such as through push notifications that download malware to a target’s computer or phone.
It was modelled after the U.K.’s Investigatory Powers Act 2016 (‘UK Act’), called the “Snoopers’ Charter” by its critics. The UK Act contains mandatory, broad and secret decryption obligations for service providers.
It allows for the U.K. government to order telecommunication providers to remove any electronic protection measure. Thanks to a series of cases by civil society organisations Liberty and Privacy International, the U.K. High Court of Justice found that it is unlawful for British security services like the Security Service, the Secret Intelligence Service and the Government Communications Headquarters, to obtain an individual’s communications data from telecom providers without prior independent authorisation, while carrying out criminal investigations.
However, it still allows indiscriminate snooping on people irrespective of whether they are suspected of crimes, although this is being appealed.
That the Australian law followed the footsteps of the UK Act is hardly unique. A similar trajectory is noticeable with other countries.
The first in the series of similar Asian laws came from the People’s Republic of China (‘PRC’), which took the Big Brother trope to its farthest extent. The PRC is considered the world’s largest surveillance State. Under the Cybersecurity Law of the PRC, 2017, companies must store users’ data on local servers and decrypt the data on request from State authorities.
The vaguely worded law enables policing and monitoring of the entire population for an expansive list of ideas like political, social and religious beliefs, and the online activities of at-risk populations, such as Tibetans, Uyghurs and Chinese human rights defenders, for which they face draconian criminal penalties like being unlawfully and secretly detained.
India’s position on surveilling the internet
In India, on January 25, 2020, a Rajya Sabha Ad-hoc Committee “to study the alarming issue of pornography on social media and its effects on children and society as a whole” submitted that the Information Technology (Intermediaries guidelines) Rules, 2011 should be modified to enable tracing of the originator of child sexual abuse-related messages shared on end-to-end encrypted platforms.
Mandatory traceability requirements, often introduced through legislation, undermine encryption. They require communication and social media apps to always be able to identify the first originator of any message, just in case law enforcement requires it in the future.
In May 2021, in the matter of WhatsApp LLC versus Union of India (2021), WhatsApp moved the Delhi High Court against the Union Government to halt the implementation of rules that mandate traceability, arguing that the requirements violated constitutionally guaranteed privacy protections. Notably, the government relied on similar moves by the governments of U.K., U.S., Australia, New Zealand, Canada and Brazil to justify its position.
According to WhatsApp: “In order to trace even one message, services would have to trace every message…That’s because there is no way to predict which message a government would want to investigate in the future. In doing so, a government that chooses to mandate traceability is effectively mandating a new form of mass surveillance. To comply, messaging services would have to keep giant databases of every message you send, or add a permanent identity stamp — like a fingerprint — to private messages with friends, family, colleagues, doctors, and businesses.”
Consequently, India’s latest Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (‘IT Rules’) require large social media platforms to identify and disclose the “first originator” of a message pertaining to an “offence related to the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, or of incitement to an offence relating to the above or in relation with rape, sexually explicit material or child sexual abuse material”.
These terms are overbroad, and the same arguments have been used to deny the rights of vulnerable communities. For instance, national security is an ambiguous term that is often used by the Union Government to keep courts from hearing human rights cases.
This includes the prolonged suspension of internet in Jammu and Kashmir that impacted religious minorities (which came up in the Supreme Court matters of Anuradha Bhasin versus Union of India (2020) and Foundation for Media Professionals versus Union Territory of Jammu (2020)); and again the Pegasus spyware case, wherein the government allegedly used foreign mass surveillance technologies to infiltrate the phones of human rights defenders and political dissidents (which came up before the Supreme Court in Manohar Lal Sharma versus Union of India).
The latest attempt at introducing broad surveillance powers in the name of national security comes in the form of the Indian Telecommunication Bill, 2022 (‘the Bill’) which was released for public consultation by the Department of Telecommunications, Union Ministry of Communications in July. Stakeholder comments are invited till October 20.
The Bill seeks to provide a comprehensive telecommunications legal framework by replacing the existing Indian Telegraph Act, 1885, the Wireless Telegraphy Act, 1933 and the Telegraph Wires (Unlawful Possession) Act, 1950.
The Union Government has broad discretion under the Bill, which allows for interception and tracking during public safety and public emergency situations, and for national security. This may lead to an unfettered exercise of power, threatening the creation of a surveillance State.
Similar stipulations have threatened virtual private networks (‘VPN’). In April, CERT-In issued directions that mandate cloud service providers and cryptocurrency exchanges to log user data for five years, including user names, addresses, contact numbers, period of subscription, email and Internet Protocol addresses, and the purpose of using their services. The provisions are not applicable to corporate and enterprise VPNs.
Spate of copycat laws
Bangladesh has also floated a new draft legislation, the Bangladesh Telecommunication Regulatory Commission Regulation for Digital, Social Media and OTT Platforms (‘BTRC Rules’) which, among other things, makes it mandatory for messaging apps to enable traceability and identification of the first originator of any information.
One cannot help but notice the similarities between the Indian IT Rules and the Bangladeshi BTRC Rules. The Bangladeshi government had already reportedly increased its technical capacity to filter and block content, and conduct online surveillance on individuals under the National Telecommunication Monitoring Centre’s Content Blocking and Filtering Project, without a sufficient legal framework to protect against human rights abuses.
In Brazil, a proposed Internet Freedom, Responsibility, and Transparency law in 2020 included similar, albeit narrower, traceability requirements which were subsequently dropped. However, proposed amendments to the Code of Criminal Procedure may oblige internet application providers to assist law enforcement in intercepting communications, including by introducing security flaws into their systems as a back door for LEAs that undermines end-to-end encryption.
Pakistan’s latest rules have raised similar concerns about their impact on end-to-end encryption. The draft requires major social media companies and service providers to hand over personal data in a decrypted and readable format when requested by the Federal Investigation Agency. Similar cyber security related amendments have been introduced in Vietnam and Indonesia.
The worst impact of such laws may be in Myanmar, where the military launched a deadly coup in February last year. The junta forced service providers to hand over personal data, and seized control of the telecommunications infrastructure. Apart from physical harm, protesters and ordinary internet users suffered enforced disappearances in retaliation for their online activities. In a troubling move, the junta has floated a draft Cybersecurity bill that requires companies to hand over sensitive user data to the government, in violation of users’ privacy and expectations, without any due process or independent oversight.
New era of surveillance
Unsurprisingly, U.S.-based non-profit organisation Freedom House’s latest Global Freedom on the Net Report, 2022, aptly titled Countering an Authoritarian Overhaul of the Internet, found that internet freedom declined for the 12th consecutive year. It observes: “Disproportionate surveillance remains one of the most obvious problems affecting democracies’ internet freedom performance. Too often, rights considerations are disregarded in favor of the misguided belief that more intrusive tools and greater state access to data will necessarily contribute to a safer society”, and encourages democracies to protect end-to-end encryption, to limit the impact of excessive monitoring. According to the report, the Indian internet is partly free.
Surveillance is not new. Neither is law enforcement’s desire for ubiquitous surveillance, nor is State support for it. French philosopher, writer and political activist, Michel Foucault traced surveillance-based policing back to the 18th century.
In his book ‘Discipline and Punish: The Birth of the Prison’ (1975), Foucault observes: “In short, the eighteenth-century police added a disciplinary function to its role as the auxiliary of justice in the pursuit of criminals and as an instrument for the political supervision of plots, opposition movements or revolts. It was a complex function since it linked the absolute power of the monarch to the lowest levels of power disseminated in society; since, between these different, enclosed institutions of discipline (workshops, armies, schools), it extended an intermediary network, acting where they could not intervene, disciplining the non-disciplinary spaces; but it filled in the gaps, linked them together, guaranteed with its armed force an interstitial discipline and a meta-discipline.”
With 63 per cent of all people in the world being online following lockdowns related to COVID-19, according to the International Telecommunication Union, and nearly half of India’s population going digital, as per a report by the Internet and Mobile Association of India, the total number of people who may be surveilled through legislation is unprecedented.
Hasty legislation that rubber-stamps government snooping en masse heralds a new era of surveillance. While judicial intervention and opposition by civil society have helped curtail some surveillance activities, strong laws that protect encryption and curtail the overbroad powers of LEAs are the need of the hour.
Until then, much like how LEAs are armed to collect more information than strictly necessary, it is important for human rights defenders and ordinary citizens alike to arm themselves with knowledge of the extent of online surveillance.
As Foucault said: “Knowledge is not for knowing: knowledge is for cutting.” When it comes to surveillance and encryption, knowledge works both ways.
October 21 is Global Encryption Day. Celebrate by being vocal about the need to protect and strengthen encryption, to make the Internet safer for everyone.