Chipping Away at Encryption – Bit by Bit

[This post has been authored by Simrandeep Singh and Shambhavi Sharma, students at the Tamil Nadu National Law University.]

Imagine wanting to simply lock your house and leave but the government keeps you from doing so unless an additional key is provided to them. This is exactly what the government has repeatedly attempted to do with encryption in the digital space – something as important to our digital privacy as a physical key is to our homes.

Encryption[1] turns plaintext such as messages, emails etc. into a seemingly random string of incomprehensible characters called ciphertext; decryption reverses the process. Both require the use of a ‘key’. In simple terms, encryption produces a coded version of our data that can only be decoded by someone holding the key needed to convert it back into readable plaintext. All of our data-at-rest, i.e., data on hard drives, is encrypted using symmetric encryption, in which the same key is used for both encryption and decryption; data-in-transit, such as text messages, is asymmetrically encrypted, wherein two separate keys (a public key and a private key) are used for encryption and decryption. This latter process is also referred to as end-to-end encryption (E2EE) and is commonly used by messaging applications such as WhatsApp, Signal, etc.
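The following is an added illustration, not code from the article: it shows the two properties the paragraph describes (one shared key for symmetric encryption; a public key that encrypts and a private key that decrypts for asymmetric encryption) and then goes one step beyond the text by showing the hybrid pattern messaging protocols typically use, where the message body is encrypted symmetrically under a fresh session key and only that key is protected with the recipient's public key. The server that relays the envelope holds ciphertext it cannot read, which is exactly why an intermediary cannot reveal message content without breaking the encryption. All parameters are constructed toy values (a SHA-256 keystream in place of a real cipher, textbook RSA with primes 61 and 53, no padding) and must never be used for real data.

```python
# Added illustration (not from the article): symmetric vs. asymmetric
# encryption and why a relaying server cannot read end-to-end encrypted
# traffic. Toy parameters only: a SHA-256 keystream stands in for a real
# cipher and 12-bit RSA stands in for a real public-key scheme.
import hashlib
import secrets


# ---- Symmetric: the same key encrypts and decrypts ------------------------
def keystream(key: bytes, length: int) -> bytes:
    """Derive a keystream by hashing (key || counter) until enough bytes exist."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_xor(key: bytes, data: bytes) -> bytes:
    """XOR stream cipher: applying it twice with the same key restores data."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


# ---- Asymmetric: public key encrypts, private key decrypts ----------------
# Textbook RSA with tiny constructed primes, so n = 3233 (demo only).
P, Q = 61, 53
N = P * Q                               # modulus, part of both keys
E = 17                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (2753)
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def rsa_wrap(public_key: tuple, session_key: bytes) -> list:
    """Encrypt each byte of the session key under the public key.

    Byte-at-a-time, unpadded RSA is deterministic and only acceptable in a
    toy; real schemes pad the whole key and wrap it as one block."""
    n, e = public_key
    return [pow(b, e, n) for b in session_key]


def rsa_unwrap(private_key: tuple, wrapped: list) -> bytes:
    """Recover the session key; only the holder of d can do this."""
    n, d = private_key
    return bytes(pow(c, d, n) for c in wrapped)


# ---- Hybrid flow: sender -> relaying server -> recipient ------------------
def sender_encrypt(recipient_public_key: tuple, plaintext: bytes) -> dict:
    """Fresh random session key per message; only the wrapped key and the
    ciphertext leave the sender's device."""
    session_key = secrets.token_bytes(16)
    return {
        "wrapped_key": rsa_wrap(recipient_public_key, session_key),
        "ciphertext": symmetric_xor(session_key, plaintext),
    }


def server_can_read(envelope: dict, plaintext: bytes) -> bool:
    """An intermediary holds only the envelope (and the public key).
    Returns True only if the plaintext is visible in what it stores."""
    return plaintext in envelope["ciphertext"]


def recipient_decrypt(private_key: tuple, envelope: dict) -> bytes:
    """The recipient unwraps the session key with d, then decrypts the body."""
    session_key = rsa_unwrap(private_key, envelope["wrapped_key"])
    return symmetric_xor(session_key, envelope["ciphertext"])


if __name__ == "__main__":
    message = b"constructed sample message for the demo"
    envelope = sender_encrypt(PUBLIC_KEY, message)
    print("server sees plaintext:", server_can_read(envelope, message))
    print("recipient recovers:", recipient_decrypt(PRIVATE_KEY, envelope))
```

The point of the flow is the split of roles: the relaying server can store, forward and even be compelled to hand over the envelope, but without the private key it has nothing to decrypt with, so a traceability or content demand on the intermediary can only be met by changing where keys live.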

This article seeks to trace a brief trajectory of the major policy developments which seek to weaken and bypass encryption, and the implications of such measures when tested against constitutional thresholds. To this end, we first look at the origins of the persisting disagreement on weakening encryption. The Indian encryption landscape is no exception to this debate, as the policy trend tilts in the direction of reducing users’ privacy baselines by restricting the use of strong encryption. Further, we argue that while the decryption assistance mechanism may have a relatively higher privacy baseline, the legal framework which vests such powers in the authorities is far from constitutional. Against the background of these developments, we finally come to the new IT Rules, which introduce a traceability requirement as an obligation upon significant social media intermediaries; this casts serious doubt on the mechanics of identifying the originator of a message given the pervasive use of E2EE across platforms. The last section discusses solutions to this continuing conundrum posed by the lack of procedural safeguards under Section 69 of the IT Act and the new IT Rules.

A brief history of the encryption debate

The debate surrounding encryption (referred to as the “crypto wars”) goes as far back as the 1990s when Law Enforcement Agencies (“LEA”) in the United States lobbied for weakening encryption because it hampered their ability to access encrypted data and surveil criminals, terrorists, child pornographers, etc. They contended that encryption, instead of making all of us safer – through strengthening our informational privacy – makes all of us less safe by hampering the powers of LEAs.

Privacy experts, however, pointed out that deliberately weakening encryption or creating backdoors to bypass encryption creates vulnerabilities in the design of encryption that can be easily exploited by criminals or enemy nations. Encryption tools, therefore, need to have high privacy baselines, and this leaves the LEAs with the only option of seeking exceptional access to encrypted data.

This debate is often framed as a balance to be struck between strong encryption for users and the LEAs’ ability to access encrypted data; however, such ‘balance’ is not only elusive but also undesirable, because the risk posed by weakened encryption far outweighs its benefits. The aftermath of the crypto wars was the widespread implementation of encryption and the rise of e-commerce globally.

The Past is the Present: The Indian Government’s History with Encryption

Prior to 2013, there were certain restrictions in place on the strength of encryption that could be used by Internet and telecommunication service providers, but these were done away with after 2013. Presently, while there are no restrictions on the strength of encryption that can be used, the government has routinely pushed for increased access to encrypted data, especially in the case of end-to-end encrypted products, and has invoked familiar grounds of public safety and security.

In October 2020, the Government of India signed an International Statement on end-to-end encryption released by the U.S. Department of Justice, which called upon technology companies to enable LEAs’ access to encrypted data in a readable format and to engage in consultation with governments to enable access in a way that “influences design decisions”.

This is a troubling development because measures that restrict the use of strong encryption or create insecurities within the design of technology are aimed at reducing the baseline of our privacy. These measures are aimed at deliberately weakening the design of encryption technologies or at creating backdoors for LEAs to easily access encrypted information. Once created, these in-built design flaws are open to attack and abuse by bad actors, who can then just as easily gain access to encrypted data.

By contrast, laws which require technology companies to provide the government with assistance to access encrypted data (“decryption assistance”) simply create an exception to a system where the privacy baseline is generally high. These laws do not aim to change the design of encryption, but simply create exceptions that could be used in suitable cases. The Information Technology Act and the Rules framed under it empower the government to access encrypted data.

Providing Access to the Government

The Information Technology Act, 2000 (“IT Act”) was amended in 2008 to introduce S.84A, which empowered the government to prescribe modes of encryption to promote e-commerce. S.69 further empowers the government to intercept/decrypt/monitor any information on grounds of the sovereignty and integrity of India, the security of the state, friendly relations with foreign states, or public order, or for preventing incitement to the commission of any cognizable offence.

The Information Technology (Procedure and Safeguards for the Interception, Monitoring and Decryption of Information) Rules, 2009 (the “Decryption Rules”), framed under S.69 read with S.87(2)(y) of the IT Act, prescribe the procedure to be followed by the government to obtain access to user data stored by technology companies. Rule 3 of the Decryption Rules empowers the “competent authority to issue a decryption direction to the decryption key holder of any information involving a computer resource.” Decryption direction, as per Rule 2(d), refers to a direction to disclose a decryption key or to provide decryption assistance for encrypted information.

The rules also provide some safeguards such as Rule 8, which provides that the authority should consider all other means of acquiring the information before issuing a direction under Rule 3.

Rule 9 deals with the specificity of the information sought to be decrypted: it specifies that the direction can relate to any information sent to or from “any person or class of persons” or relating to “any subject matter”.

The breadth and scope of Rule 9, as well as of the grounds mentioned in S.69, allow unfettered discretion to the government to compel decryption of any information it desires, without any judicial oversight. The competent authority does not need a warrant, or even reasonable cause, to issue a direction to compel the decryption of any information. Any such encroachment on personal liberty must satisfy the three-fold test laid down in the Canara Bank case and the PUCL case, subsequently upheld in the Puttaswamy Judgement.[2] The first prong, legality, requires that there be a validly promulgated legislation behind the state’s action; the second prong, legitimate state aim, signifies the need for such a law; and the third, proportionality, ensures that the measure pursued is the least restrictive and intrusive means to achieve the aim (a rational nexus between the objects and the means adopted). A plain reading of the above provisions indicates that they are in violation of these tests.

Making the Impossible possible: The New IT Rules

The new Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 (“IT Rules 2021”) supersede the intermediary guidelines of 2011. The new rules have been introduced to ensure transparency, accountability and the rights of users in relation to digital media.

Rule 4(2) of the IT Rules 2021 requires a significant social media intermediary (such as Facebook, WhatsApp, Instagram etc.) offering “services in the nature of messaging” to identify the “first originator of any information on a computer resource” as may be required by a judicial order or an order under S.69 of the IT Act. This poses significant problems for encryption, as end-to-end encryption makes it impossible for intermediaries to provide information regarding the content of a message or the originator of that message without breaking the encryption. Further, the government has been given a choice of either relying on a judicial order or on a decryption order issued by a competent authority under S.69. This choice enables LEAs to bypass the judicial process and simply make use of the wide discretion provided to the government under S.69, which, as mentioned above, is overbroad and lacks any meaningful constitutional safeguards.

The Way Forward

The new IT Rules are the latest in a series of blows against encryption dealt by our government – these have either sought to restrict the use of stronger encryption or have enabled the government to easily access or decrypt encrypted data without any judicial or constitutional oversight. All of this, especially in the absence of a comprehensive data framework to pin obligations upon data controllers and empower users to hold corporations and governments liable, is greatly concerning for our digital privacy and security. Multiple legal challenges have already been filed against the new IT Rules and it is possible, although unlikely, that they will die a quiet death just like the Draft Encryption Policy, 2015.

However, the debate does not end here. Whatever the case may be, any new policy concerning encryption needs to safeguard both privacy and security without sacrificing one at the expense of the other. We propose a two-fold approach that holistically addresses these issues:

First, legislating strong encryption standards. This could reasonably occur as a by-product of the rather controversial Personal Data Protection Bill, 2019. Keeping aside the differential standards of compliance for state authorities under the Bill, if passed, it would set the overall tone for the data protection regime in India. Modelled on the EU’s General Data Protection Regulation, the Bill promotes the use of higher encryption standards[3] with the ultimate aim of achieving data subjects’ privacy. It obligates data fiduciaries[4] to embed privacy by design, which requires checks like encryption to be implemented at each stage from collection to processing of data.[5] These trends already exist in the EU region under the GDPR; a similar approach to encryption may come about with the PDP Bill, 2019.

Second, creating judicial oversight mechanisms for accessing encrypted data, which incorporate the safeguards laid down in the Puttaswamy case. Currently, the competent authorities do not need a warrant or a reasonable cause to compel decryption of data; as argued above, this does not satisfy the three-fold test of legality, necessity and proportionality.

Digital India’s increasing reliance on online services means that the government will need to find better ways to keep data safe. Any new encryption policy must incorporate these suggestions and adopt principles that will not be made redundant by technological change. Weakening encryption is not the only way for LEAs to ensure online security. It may be argued that localizing data for domestic authorities using key escrows – involving decryption of a lawfully confiscated device using a key which is stored in the device itself – balances the competing interests of both sides; however, this ‘balancing’ makes encryption safeguards more vulnerable to attack. In such a scenario, the key is under a persistent threat of being stolen and misused, risking individual privacy.

[1] Schedule V, Information Technology (Certifying Authority) Rules, 2000

[2] Justice KS Puttaswamy v Union of India (2017) 10 SCC 1, Para 188

[3] Section 24(1)(1), Personal Data Protection Bill, 2019 (Bill No. 373 of 2019)

[4] Section 3 (13), Personal Data Protection Bill, 2019 (Bill No. 373 of 2019) (“data fiduciary” means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data)

[5] Section 22, Personal Data Protection Bill, 2019 (Bill No. 373 of 2019)
