India’s Feud With Encryption

Adesh Arora & Aarush Sharma[1]
Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.
– Bruce Schneier

The origins of the internet can be traced back to around 50 years. In the last 50 years, the internet has grown from a connection of a few computers in the United States to a worldwide network of over 3.5 billion users. This advancement, unsurprisingly, has also demanded development in internet security and privacy. Encryption, which refers to the process of encoding information, such that it can only be accessed by a few people, plays a vital role in the same.

The legal status of encryption, however, is different all around the world. The general right to encryption is available in only 10 nations[2], whereas obligations on providers to assist government authorities are present in around 30 nations[3]. Currently, India is not a part of any convention on the protection of personal data, which has also led to a lack of data protection agency[4]. The Information Technology Act, 2000 is India’s sole legislation which deals with cybercrime. Sections 43A and 72A of the IT Act may remotely cover the intricacies of data privacy since they deal with the right to compensation for improper disclosure. However, the IT Act does not completely govern the technicalities that are attached with encryption, though it does bestow some powers on the authorities to intercept and gather electronic evidence[5].

Therefore, there is a pressing need for reforms as technology and its userbase has grown exponentially while internet security is still in its infancy. The current available system is inadequate[6]to protect India and its citizens online. For instance, in June 2020 it was found that over 1 lakh scanned documents of Indians were available for sale on the dark web[7]. In a recent survey[8], it was found that over 80% of Indians were worried about internet security which also indicated that there is a high level of awareness regarding the same among Indians.

National Security v. Individual privacy concerns
In the span of two decades, encryption has gone from being a heavily restricted technology falling under the arms-control legislation, to becoming a key enabler of all online communications and commerce[9]. This evolution makes the encryption of user data a paramount concern. Prior to the proposed Data Protection Bill, India had very mild regulations over users’ data. Sections 69 and 84 of the IT Act, 2000[10] permit law enforcement agencies to collect and scrutinize user data under special circumstances which include protecting the sovereignty and integrity of India, in the interest of defence and security of India, for maintaining friendly relations with foreign states, maintaining public order, or for preventing incitement to the commission of any cognizable offences. These provisions have been unsuccessfully challenged in court[11] before as they make the enforcement of encryption laws in India very difficult.

Globalization and technological advancements in the modern era have made encryption a very vital part of online communication, with international companies like WhatsApp and Signal offering end to end encryption and complete protection. Although there have been concerns regarding the new privacy policy of WhatsApp wherein people speculated that WhatsApp was ending end-to-end encryption[12] on its services by sharing user data with its parent company, Facebook. WhatsApp has categorically denied these allegations[13]. To ensure privacy, encryption needs to be an integral pre-requisite in any online communication channel. However, this acts as a hurdle to the government[14] who wants to ensure national security, because with encryption governments cannot access a suspected individual’s conversations or data.

This war between privacy and national security dates back to the quarrel between Blackberry and the Indian government where Blackberry was criticized to have an encryption system so strong that it facilitated the 2008 terror attacks. Eventually, Blackberry had to surrender[15] and decrypt its data. Since then, there has been a trade-off between privacy and national security. While national security is important, privacy is an inherent right of an individual and lack of encryption jeopardizes and compromises the citizen and their data.

The current concerns with the encryption system in India are as follows:

  • Law enforcement is given a free hand[16] in accessing anyone’s data and keeping the encryption to themselves whenever they deem necessary.
  • There is no central act governing the usage of stored user data by corporations or by the government itself.
  • There is ambiguity around the question of when a government can gain access to such data, and whether that constitutes an infringement on the citizens’ rights.
  • Political activists who are already threatened by acts like UAPA, AFSPA fear that the non-existence of encryption will lead the government to spy on them[17].
  • If encryption is not end-to-end, people fear that third party hackers can access and leak their private data easily as the key to the encryption would be easy to break.
  • Currently, corporations are not liable for any sort of interaction between their users on their platform because they aren’t themselves allowed to access user data[18] but if encryption laws are weak then these companies might be able to collect and store user data and sell it to advertisers for money. An example of the same could be ‘Uber’s God View’[19] where an employee at Uber used the “God View” tool to track a journalist who was late for an interview with an Uber executive. “God View” allowed the company’s staff to track both Uber vehicles and customers.

There have been various attempts at bringing reforms to the data protection status in the country. One of the most significant ones was in 2015 when the Draft Encryption Policy was introduced. The policy required users to keep a record of messages shared via different services for 90 days. Companies were to store data in plain text and thus, this meant that the unencrypted data would remain vulnerable for 90 days. The policy was withdrawn[20] as quickly as it was introduced, owing to the huge backlash that it received.

Problems in the Personal Data Protection Bill regarding Encryption
The Government of India’s proposed Personal Data Protection Bill[21], is aimed at reforming the digital space in India, with the introduction of the Right to be Forgotten and an establishment of India’s first data protection authority. The Bill aims to be the solution to user data concerns in the nation. Despite this, the bill was met with harsh criticism by activists and corporations. Even Justice BN Srikrishna, who led the committee that drafted the Personal Data Protection Bill (PDP), said that the bill placed in Parliament is “dangerous” and can turn India into an “Orwellian state”[22].

Another concern regarding this bill is that it is the world’s first bill to do away with end-to-end encryption almost completely and it would force corporations to make posts traceable to their origins as per Section 35 of the Bill which empowers the central government to exempt any agency from all or any provision of the Bill. This would diminish the privacy of billions which will include activists, victims of abuse, and dissenters. One example of this could be where the government used airline and railway reservation data[23] to track suspected infections and find hand-stamped people who had promised not to travel while Kerala authorities used telephone call records, and mobile phone GPS[24] systems to trace contacts of COVID-19 patients, and published detailed time and date maps showing the movement of people who have tested positive.

These changes would make the tech sector more expensive as companies will be forced to create 2 types of systems[25] one with end-to-end encryption and one without it.

Reforms Needed in the encryption policies for a better future
There is a pressing need to make changes in the proposed bill. These changes can include:

  • Deleting clause 35 – This clause provides provisions under which the government can exempt its own departments from the very application of the law itself. These powers should be limited to reduce the risk of mass surveillance and other privacy harms.
  • Amending Clause 12, 13, 14 – These clauses allow the authorities to process personal data without the consent of the individual for “reasonable purposes” and for “the exercise of ant function of the state”. These clauses are vague and hence prone to misuse.
  • Amending Clause 5, 17, 19(2) – Clause 5 of the bill provides that personal data shall only be processed “for the purpose consented to by the data principal” but is diluted by further vague allowances. The right to data portability is also diluted by the presence of the vague “necessary for functions of the state” exemption in clause 19(2)(a).

Conclusion
With increasing online transactions and communications, a reform in India’s encryption laws is extremely necessary.

First and foremost, the privacy of every individual must be respected in all aspects. The state has imposed reasonable restrictions for protection of national security regarding the transparency of data, however, the right to privacy is a Fundamental Right of every citizen of the state, which places it on a higher threshold. Therefore, there is a need to strike balance between lawful data usage and the maintenance of national security. All applications which facilitate online communications should be allowed to enforce an end-to-end encryption system with no backend key to the conversations of people. The people must recognize the importance and value of their private data, and should be made well aware of their rights, for instance, the right to allow or deny a certain app access to their phone’s data.

Secondly, India needs a specific law that addresses the privacy of individuals and in accordance with that, sets clear instructions for corporations, law enforcement agencies, and individuals regarding the management of user data. There is an urgent need to update existing laws and regulations to deal with the proliferation of secured communication services. This would come with an upgrade in the overall standard of security in cyberspace to enhance free speech and to stimulate e-commerce. India should also look towards identifying and adopting international best practices in information security and data protection for which it can take inspiration from the European Union’s General Data Protection Regulation[26].

Thirdly, currently due to the IT Act, 2000, and the pressure of law enforcement agencies, many corporations need to remain within the domain of certain restrictions. Companies like Blackberry were forced to take down their highly secure systems due to government restrictions. Telecom companies are not allowed to implement complete encryption[27] due to government restrictions in the license agreement. All this takes a heavy toll on corporations as they need to store a massive amount of data in localized servers[28]. If encryption is allowed, even the corporations would not have access to the data. Consequently, they would either not store it, or they would store it in central foreign servers. However, with these restrictions in place they need to specifically establish localized servers so that the government can have access to the data. All of these restrictions must be eased for better technological advancements in the modern world.

The right to privacy comes with the virtue of being a human being living in a society. The state must ensure any and all measures to protect such rights and encryption is an integral part of the same. While India certainly is moving forward in the realm of protecting privacy of its citizens, it needs to move forward in the right direction at the right pace.

[1] Adesh Arora is a 2nd-year student at ILNU and is an active core member of several student-run committees at his institute. He is an avid mooter with interests lying in Constitutional Law and philosophy. For any discussion related to the article, he can be contacted via mail at adesharora12@gmail.com. Aarush Sharma is a 2nd-year student at ILNU and is an avid debater. His interests lie mainly in public speaking, political discourse, and reading. For any discussion related to the article, he can be contacted via mail at aarush.sharmasml1@gmail.com.
[2] Global Partners Digital, https://www.gp-digital.org/world-map-of-encryption/ (last visited on 24th January 2021)
[3] Ibid.
[4] State of Privacy In India, Privacy International Org, https://privacyinternational.org/state-privacy/1002/state-privacy-india (last visited on 23rd January 2021).
[5] Bedvyasa Mohanty & Madhulika Srikumar, Hitting Refresh: Making India US data sharing work, Observer Research Foundation, (last visited on 25th January 2021), https://www.orfonline.org/research/hitting-refresh-india-us-data-sharing-mlat/.
[6] Krishna Sharma, Why India needs to do much more on Data Privacy, CNBC TV18, https://www.cnbctv18.com/views/why-india-needs-to-do-much-more-on-data-privacy-3038081.htm, (last visited on 25th January 2021).
[7] Gautam Mengle, 100 GB of Indians’ Data up for sale on the Dark Web, The Hindu, https://www.thehindu.com/sci-tech/technology/internet/100-gb-of-indians-data-up-for-sale-on-dark-web/article31742537.ece, (last visited on 25th January 2021).
[8] Jude Sannith, Post Covid, Indians most worried about Identity Theft and Internet Security, CNBC TV 18, (https://www.cnbctv18.com/telecom/post-covid-indians-most-worried-about-identity-theft-and-internet-security-says-study-6209171.htm, last visited on 25th January 2021).
[9] Vinay Kesari, India’s Upcoming Encryption Wars, Factor Daily, https://archive.factordaily.com/indias-upcoming-encryption-wars/, (last visited on 25th January 2021).
[10] Information Technology Act, 2000, No. 21, Acts of Parliament, 2000 (India).
[11] IFF files rejoinder in PIL seeking surveillance reform, Internet Freedom Foundation, https://internetfreedom.in/iff-files-rejoinder-in-pil-seeking-surveillance-reform/, (last visited on 24th January 2021).
[12] Roobina Mongia, How WhatsApp’s new Privacy Policy Impacts Users, NDTV, https://www.ndtv.com/india-news/how-whatsapps-new-privacy-policy-impacts-users-faqs-answered-2357148, (last visited on 25th January 2021).
[13] After Backlash WhatsApp Clarifies its New Privacy Policy, The Economic Times, https://economictimes.indiatimes.com/tech/technology/after-facing-backlash-whatsapp-clarifies-its-new-privacy-policy/articleshow/80226028.cms, (last visited on 25th January 2021).
[14] Bedvyasa Mohanty, The Encryption Debate in India, Carneige Endowment for International Peace, https://carnegieendowment.org/2019/05/30/encryption-debate-in-india-pub-79213, (last visited on 25th January 2021).
[15] Bedvyas Mohanty, ‘Going Dark’ in India: Legal and Security Dimensions of Encryption, Observer Research Foundation, (2016), https://www.orfonline.org/wp-content/uploads/2016/12/ORF_Occasional_Paper_102_Encryption.pdf., (last visited on 25th January 2021)
[16] State of Privacy In India, Privacy International Org, https://privacyinternational.org/state-privacy/1002/state-privacy-india (last visited on 23rd January 2021).
[17] Casey Newton, India’s proposed Internet Regulations could threaten privacy everywhere, The Verge, https://www.theverge.com/interface/2020/2/14/21136273/india-internet-rules-encryption-privacy-messaging, (last visited on 24th January 2021).
[18] Nandagopal Rajan & Shruti Dhapola, Explained: How private WhatsApp, what can Facebook see, and should you look alternatives?, The Indian Express, (last visited on 25th January 2021), https://indianexpress.com/article/explained/how-private-is-whatsapp-7143928/#:~:text=Neither%20WhatsApp%20nor%20Facebook,will%20continue%20to%20be%20so.&text=WhatsApp%20does%20not%20keep,“privacy%20and%20security%20risk”.
[19] Rich McCormick, Uber allegedly tracked journalist with internal application called ‘God View’, The Verge, https://www.theverge.com/2014/11/19/7245447/uber-allegedly-tracked-journalist-with-internal-tool-called-god-view#:~:text=Uber%20is%20investigating%20its%20top,meeting%20with%20Josh%20Mohrer%2C%20general, (last visited on 25th January 2021).
[20] India withdraws controversial encryption policy, BBC News, https://www.bbc.com/news/world-asia-india-34322118, (last visited on 26th January 2021).
[21] The Personal Data Protection Bill, 2018 (India).
[22] Megha Mandavia, Personal Data Protection Bill can turn India into an ‘Orwellian State’: Justice BN Srikrisna, The Economic Times, https://economictimes.indiatimes.com/news/economy/policy/personal-data-protection-bill-can-turn-india-into-orwellian-state-justice-bn-srikrishna/articleshow/72483355.cms?from=mdr, (last visited on 26th January 2021).
[23] India uses and-stamping; airline and railway reservation data for contact tracing and quarantine enforcement, Privacy International Org, https://privacyinternational.org/examples/3470/india-uses-hand-stamping-airline-and-railway-reservation-data-contact-tracing-and, (last visited on 26th January 2021).
[24] Roli Srivastava & Anuradha Nagraj, Privacy fears as India hand stamps suspected coronavirus cases, Thomson Reuters, https://www.reuters.com/article/us-health-coronavirus-privacy/privacy-fears-as-india-hand-stamps-suspected-coronavirus-cases-idUSKBN21716U, (last visited on 26th January 2021).
[25] Hannah Quay- de la Vallee, Proposed Indian Internet Regulations would harm Global Internet Security, Centre for Democracy & Technology, https://cdt.org/insights/proposed-indian-internet-regulations-would-harm-global-internet-security/, (last visited on 26th January 2021).
[26] General Data Protection Regulation, 2016, Regulation (EU) 2016/679, European Parliament, 2016 (Europe).
[27] Bedvyasa Mohanty, The Encryption Debate in India, Carneige Endowment for International Peace, (last visited on 25th January 2021), https://carnegieendowment.org/2019/05/30/encryption-debate-in-india-pub-79213.
[28] A Free and Fair Digital Economy, Committee of Experts Under the Chairmanship of Justice BN Srikrishna, https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf , (last visited on 26th January 2021).

CONTACT

Any queries can be addressed via mail at cictl@mnlumumbai.edu.in  (Kindly mention “Query – Blog) at the mail.

Maharashtra National Law University Mumbai Post Box No: 8401 Powai, Mumbai – 400 076 Tel: 022-25703187, 022-25703188 Email: nlumumbai@mnlumumbai.edu.in

Leave a Comment

Your email address will not be published. Required fields are marked *