
The future is encrypted

Deciphering the national security and economic implications of breaking encryption.

The pandemic has presented unprecedented challenges, shifting almost the entirety of our communications, be it with the government or financial institutions, into the digital sphere. This renders the need to ensure privacy and a robust cybersecurity regime all the more crucial. A tremendous amount of economic and government activity has shifted on to online communications services, raising concerns regarding the security of our data on the platforms. With greater digitization looking increasingly likely, even more activity will be occurring through the Internet. The field of cybersecurity will continue to grow in importance with encryption being its major load-bearing pillar.

The Indian Encryption Regime

The ubiquitous utilisation of Industrial Revolution 4.0 technologies not only serves as a powerful tool for enhancing national security but also creates new and serious vulnerabilities and security risks. Having a comprehensive national security strategy would enable the identification of critical infrastructure that may be vulnerable to cyber-attacks. Anticipating cyber-attacks and hardening systems against them has become even more necessary as economic and governance activities increasingly rely on digital technologies. If the privacy and security of government employees or members of financial institutions were compromised, this would pose a serious risk to our national security, making it quite clear that the privacy and security of an individual’s data is essentially the cornerstone of national security in itself. Be it the Aadhaar ecosystem, which was, in fact, secured by high-end encryption following the data leak of 7.2 crore Indians, the National Health Stack, telemedicine, online banking, e-commerce, or e-wallets, all need to be protected via high-end encryption. Recognising the importance of encryption in ensuring user privacy, data security and enabling the digital economy, Clause 24 of the Personal Data Protection Bill, 2019, which was tabled in the Parliament by the government last year, encourages data fiduciaries to use encryption. Acknowledging the importance of secure messaging, the Indian Army recently launched an in-house secure messaging platform called “Secure Application for Internet (SAI)”. The end-to-end encrypted app highlights the importance of high-end encryption in communication. Previously, both the Draft National Encryption Policy 2015 (now withdrawn) and the Draft Intermediary Liability Guidelines 2018 (not enforced), which sought to introduce ‘traceability requirements’ in encrypted platforms, received criticism from all quarters.
Although law enforcement access to data is critical, it is also important to enhance the state's capacity to conduct metadata analysis and utilise traditional surveillance capabilities more efficiently and effectively. Moreover, the government launched a competition to develop an indigenous video calling application that is also end-to-end encrypted, recognising the growing need for encryption to enhance the security and privacy of the people of India.

The Global Encryption Debate

The American government has been pushing for backdoors to encryption for quite some time now. Their latest move is the recently forwarded “EARN IT Act”. It targets the minimal liability (safe harbour) enjoyed by intermediaries. Under this act, a tech intermediary would not automatically be exempt from liability against content related to child sexual exploitation but will have to ‘earn it’. Similarly, the LAED Act, 2020 mandates backdoor access to encrypted platforms for investigation in criminal and national security cases. Accordingly, tech companies might not be able to earn their liability exemption while offering end-to-end encrypted services. Functionally, this would put them in the position of either having to accept liability, undermine the protection of end-to-end encryption by adding a backdoor for law enforcement access, or avoid end-to-end encryption altogether. In any case, they will end up compromising the fundamental right to free speech and the privacy of users. Recently, the Five-Eyes (US, UK, Australia, Canada and New Zealand) along with India and Japan appealed to the tech companies to create escrowed or backdoor cryptographic protocols, getting tech companies to reduce the level of encryption security they offer customers on their services in the interest of national security. Such a mandate requires the intermediary (platform) to identify the user (say, sender of a message) on the production of a legal warrant. The challenge is that, to implement such a mandate, the intermediary would have to introduce a vulnerability in the security architecture of its platform which can be exploited later, leaving our communication systems vulnerable to espionage, foreign surveillance and hacking by non-state actors and foreign governments alike.
This is why cryptographers, the Global Encryption Coalition and Indian intelligence veterans have recommended against breaking encryption and in favour of finding solutions via meaningful collaboration between law enforcement and technology companies.

Encryption Enabled Digital Economy

Earlier in the year, it was revealed that hacker group “Keeper” broke into at least 570 e-commerce stores globally, including India, procuring payment and card information of over 184,000 customers. This would generate nearly INR 52 crores given the prices for such information on the dark web. This group is likely to continue their assault on e-commerce platforms across the world. If strong encryption protocols are done away with and backdoor channels provided to governments, we run the risk of compromising individual privacy and rights as well as national security issues relating to the economy at large. One of the fundamental facets of the debate around privacy is the future of encryption and the controversial existence of a backdoor for applications and smartphones to allow law enforcement access to data. After five years of deliberation, taking into consideration the global stance on the issue of the regulation of OTT platforms and the deliberations at the International Telecommunications Union, the Telecom Regulatory Authority of India (TRAI) recommended that it is not the right time to regulate OTT platforms beyond the extent of laws already in place and recognised the need to secure encryption. It stated that mandating lawful interception by compromising encryption will render the users’ personal data susceptible to attacks by unlawful actors and, therefore, the privacy and security architecture of the OTT services must not be compromised by embedding vulnerabilities.

The Way Forward

We must be wary of non-state actors and terror groups developing their own modes of communication services illegally. This is why creating ‘backdoors’ to popular encryption services could lead to compromising security: such non-state actors would then create their own communication services, which would end up causing bigger problems for law enforcement, both in India and globally. Websites like GitHub are a storehouse of free open source software, including free high-end encryption protocols like that of Signal. Thus, the moment criminals get to know that vulnerabilities have been embedded in popular messaging platforms, they shift to their own secured platforms. Al-Qaeda developed a software called Mujahideen Secrets back in 2007 to encrypt their online communications, which was basically a friendly wrapper around publicly available PGP. This nullifies one of the main positives of this move while having a major impact on the privacy of citizens who are now susceptible to cyber-attacks owing to the introduction of vulnerability-by-design. Instead of compromising on privacy-enabling and free-speech-promoting tools like encryption, the government must work towards building the capacity of law enforcement. Studies show that millions of CSAM reports are submitted by tech companies to the NCRB; however, only a few hundred of them are used to register FIRs. To that end, it is crucial to appreciate the exact challenges faced by law enforcement agencies with the help of reliable data. This should be complemented with a framework for enhancing the metadata analysis capabilities of LEAs, which would help in carrying out investigations. Such efforts must not be overcompensated by asking platforms to collect excessive data in violation of the data minimisation principles envisaged under the PDP Bill, 2019.
Lastly, cross industry-academia efforts must be encouraged to build tools like PhotoDNA that can tackle abuse on the platform to an extent, without compromising end-to-end encryption. These collaborative efforts are essential to find privacy-enabling methods of surveillance which do not render the whole population vulnerable in the name of national security, or else we might end up shooting ourselves in the foot.

Kazim Rizvi is founding director of The Dialogue, a New Delhi-based policy think tank, while Pranav Tiwari is a policy research associate at The Dialogue.
