This article is written by Sharad Yadav from the Institute of Law, Nirma University. It gives an insight into anti-encryption and the laws pertaining to anti-encryption in India and the USA.
Introduction
In the recent past, a lot of digitalization has happened. People are now very concerned about their privacy, and many companies are coming up with new technologies to secure customer data. End-to-end encryption creates a barrier for intelligence and law enforcement agencies trying to uncover terror planning. Indian laws, especially the Information Technology Act, 2000, give wide powers to law enforcement agencies to intercept and decrypt communication, but these powers are rarely exercised; instead, the agencies rely on search and seizure provisions such as Section 91 of the Code of Criminal Procedure, 1973 when seeking access to electronic communication. This article will help you to understand the laws regarding anti-encryption in India as well as the USA.
What is the meaning of encryption?
Encryption is the process of taking plain text, like a text message or email, and scrambling it into an unreadable format called “ciphertext”. The message or information fed into the encryption scheme is called plaintext, and it is encrypted using an encryption key generated by an algorithm. This algorithm generates the ciphertext, which can only be read by decrypting it. The message can only be decrypted by the authorized recipient.
The best example of this is WhatsApp, which uses encryption technology. When we send a message over WhatsApp, it is automatically encrypted and can only be decrypted by the authorized recipient. That is why WhatsApp shows the notice: "Messages and calls are end-to-end encrypted. No one outside of this chat, not even WhatsApp, can read or listen to them."
The need for anti-encryption laws
In recent times, most companies have been using end-to-end encryption technology. End-to-end encryption prevents law enforcement agencies from investigating crimes online, for example where terrorists are plotting something by messaging one another. Major terror planning may take place, but because of end-to-end encryption the agencies are unable to get the information.
Anti-encryption law in India
In India, a large number of terrorist attacks took place in 2008. So the government came up with the Information Technology (Procedure and Safeguards for the Interception, Monitoring, and Decryption of Information) Rules, 2009. These rules give the power to obtain encrypted data.
Important definitions
Certain terms and definitions are given in Rule 2 of the Information Technology (Procedure and Safeguards for the Interception, Monitoring, and Decryption of Information) Rules, 2009:
- Decryption – It means the process of conversion of data in a non-intelligible form to an intelligible form via a mathematical formula, code, password or algorithm, or a combination of these.
- Decryption assistance – It means any assistance to allow access to encrypted information, or to facilitate the conversion of encrypted information into an intelligible form.
- Decryption direction – It means a direction issued under Rule 3 in which a decryption key-holder is directed to disclose a decryption key, or to provide decryption assistance in respect of encrypted communication.
- Decryption key-holder – It means any person who deploys the decryption mechanism and who is in possession of a decryption key for the purposes of subsequent decryption of encrypted information relating to direct or indirect communication.
- Intermediary – With respect to any particular electronic record, it means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record, and includes internet service providers, telecom service providers, network service providers, search engines, online payment sites, etc.
Directions for interception or decrypting any information
Rule 3 deals with directions for the interception, monitoring or decryption of any information. It makes it mandatory for the competent authority to issue an order; only then can the interception, monitoring or decryption of any information stored in a computer be carried out under Section 69(2) of the Act.
The interception can be carried out with the prior approval of the Head or the second most senior officer of the security and law enforcement agency, who should not be below the rank of Inspector General of Police or an equivalent officer at the state or union territory level. In case of an emergency, the officer who approves the interception or decryption of the data shall inform the competent authority within 3 working days and obtain its approval within 7 days. If this approval is not given, the interception shall cease and information shall not be intercepted after that without proper authority.
Information outside the jurisdiction
If the State needs information that is beyond its jurisdiction, then Rule 6 applies. It states that the Secretary in charge of the home department of the state shall make a request to the Ministry of Home Affairs for the issue of a direction for intercepting or decrypting the information.
Assistance in decryption
Rule 17 deals with providing assistance to the authorities who issued the direction to hand over the decryption key. The decryption key-holder has to disclose the decryption key and provide assistance in decryption.
BlackBerry case
The case is very famous because it was a tussle between encryption and national security. The government of India directed BlackBerry to give the security agencies access to encrypted data. As it was a device manufacturing company, providing the encryption was not necessary under the license agreement. The government asked BlackBerry to stop its services in India unless it gave lawful access to the encrypted data. The demand intensified after one of the terror attacks in Mumbai in 2008, in which a person connected with agents of Pakistan was found with a BlackBerry device, and BlackBerry devices had been used for communication between them.
After that, the government of India asked BlackBerry to relocate its server to India, which it did in 2010. In 2012 it agreed to submit the plaintext of communication sent through BlackBerry devices. This set a precedent that the government can lower the security of communication just by applying more pressure. As a result, both the popularity of the BlackBerry device and its market share declined.
Rollback of the National Draft Encryption Policy, 2015
In 2015, the Indian government came up with a new encryption policy under which the government could access all encrypted information stored on servers in India, including all personal messages, emails, and data. The policy also required users to store all encrypted communication for at least 90 days and to provide the data if law enforcement agencies needed it.
Major problems in the policy
The problems in the policy are the following:
- The policy gives the government of India the power to define the algorithms and key sizes for encryption. It also gives the government the right to take appropriate action if anyone violates the policy.
- Companies which provide encryption have to compulsorily register with the government.
- Companies and business organizations have to keep all encrypted data for 90 days from the date of the transaction and make this data available if any law enforcement agency needs it.
- How will users be able to figure out whether their messages are encrypted or not, how will they be able to store the plaintext version of the encrypted communication for 90 days, and on top of that, keep it away from potential hackers?
After heavy criticism from the general public, the government finally withdrew the draft policy, which had been put in the public domain for comments.
Personal Data Protection Bill, 2019
The Bill was released on July 27, 2018, with the report of the committee chaired by Justice B.N. Srikrishna. The bill was drafted with the intention of securing people's data and providing a high level of data protection. It was framed on the lines of the General Data Protection Regulation of the European Union and a landmark judgment of the Honorable Supreme Court, Justice K.S. Puttaswamy v. Union of India, in which the Supreme Court upheld the right to privacy as a fundamental right under Article 21 of the Constitution of India. It was amended and reintroduced in 2019. This bill comes in supersession of Section 43A of the IT Act. It mandates that companies store data locally within the territory of India.
Key provisions:
- The state will not be required to seek individual consent for providing benefits or services to the people of the state.
- The bill mandates the storage of a copy of personal data within Indian territory so that law enforcement agencies can access the data.
- The data can be transferred to another state under certain circumstances: if the central government gives permission to transfer the data, or if the Data Protection Authority approves the data transfer in a situation of necessity.
- The bill specifies more stringent grounds for processing sensitive personal data such as religion, caste, political belief, genetic and financial data, and requires seeking the consent of the individual for processing the data.
Anti-encryption law in the USA
On June 23, 2020, a Bill named ‘The Lawful Access to Encrypted Data Act’ was introduced by Graham, Cotton, and Blackburn. Its introduction argues, citing instances of terror acts, that break-proof encryption should not exist. The bill increases the power of law enforcement agencies to get encrypted data by lawful means. This law would give the power to get the data from any American company with more than 1 million users in the USA. The same goes for messaging apps, video conference apps, email providers, cloud storage apps, or any other that has at least 1 GB of memory.
Issue of an order by the court
According to Section 101(b) of The Lawful Access to Encrypted Data Act, the court may order assistance. Some of the important points in that regard are given below:
- A manufacturer or operating system provider can be ordered to give all the facilities and necessary assistance to access the information.
- The manufacturer or operating system provider will receive the reasonable expenses incurred by them, but these will not exceed $300.
- This includes searching for the information, decrypting it, and then giving it to the agency in intelligible form.
Establishment of the prize competition
Section 601 also provides for rewards. A reward will be given to researchers who manage to find a solution for access to encrypted data for the legal process. In other words, those who do this work for the government will receive an incentive.
Serious concerns
- The proposed bill is not just likely to impact the privacy of persons but is also going to put a burden on the software and electronics industries. All types of software would have to be physically redesigned to enable such a backdoor, and apps would have to be redesigned. Products would have to be developed with the presumption that they may hit 1 million users in the near future.
- The bill overlooks that any backdoor might be exploited by parties other than the government, such as hackers.
- This would facilitate the death of end-to-end encryption, which many companies now enforce to keep their customers' privacy safe.
Conclusion
Privacy is one of the most important things for a person. These laws are brought in to decrypt data in order to prevent terror attacks or other mishaps, which is for the protection of the general public. Still, they directly concern the privacy of the person, because we now spend most of our time doing things online. We have some conversations privately which we do not want anyone else to read. Most companies now offer end-to-end encryption to make customer data completely secure.