This article is written by Shreya Pandey from Banasthali University. This article deals with the need and use of access to encrypted communications by the government.
The Internet provides many ways of communicating with friends, family, strangers, or co-workers. There is a significant risk that a third party will snoop on these communications and read, track, and use them. So, to keep all such conversations and activities secret and prevent others from snooping, it is important to use encryption.
Encryption is a process through which information is encoded to prevent any unintended third party from viewing it. Encrypted communications prevent any unintended recipient from getting in and obtaining details of the conversations. An encrypted communication is one in which the data is secured between the sender and the recipient, and no third party can gain access to it. These encrypted pieces of information are stored with the original protector and can only be decrypted with the relevant cryptographic keys.
Encrypted communication works in such a way that the information written in the online message or text is readable only to the intended recipient. Any third party who tries to get access to that information cannot read it, as it is in the form of unreadable text. For example, if A texts B “how are you?”, the message looks like “how are you?” when B receives it, but to any third party it would look like “rdgrtcsrtrgmdkdmrrklrmfdggf”, that is, it will not be in a readable form.
Advantages of encrypted communications
Encryption is important to secure information from being exfiltrated. Communication between two people involves secrets and sensitive pieces of information that a third party can misuse. Thus, encrypted communications prevent any other person from intervening and getting the information. The major advantages of encryption are:
- To facilitate the secret communications of individuals.
- To provide secure conversations without any third-party intervention.
- To prevent data from being leaked, misused, or exfiltrated.
- To carry out secret data transfers in the military and governments.
- To protect data that is stored in a computer or any storage device.
- To prevent any person’s confidential data or personal records from being exposed.
- To protect the data even if the physical security measures fail.
- To protect data in transit.
These advantages can be broadly understood as follows: any data, whether in transit or at rest, needs protection from any third person who inadvertently gains access to it. Thus, through encryption, specific codes are generated so that no person other than the sender and the intended recipient can gain access to the data.
The need for access to encrypted communications
Although encrypted communications cannot be accessed by any other person, there are some circumstances in which there is a need to access them. The encrypted communications are stored by the original protector, and when an urgent need to access them arises, the relevant cryptographic keys are required to gain access. There must be certain exceptional or unique circumstances or situations in which any person, company, or government can gain access to these encrypted communications. Such circumstances can be broadly divided into 3 categories:
Government exceptional access
In certain circumstances, the government needs to gain access to encrypted information to carry out a legal purpose authorized by law. There may be many such circumstances in which the government would require access to encrypted communications, for example, detecting a conspiracy to commit a serious crime, investigating a crime, etc.
Employer exceptional access
In this case, an employer has legal rights to access the encrypted information of the employees. An employer may need access to an employee’s encrypted data when the employee has not finished his work on time, or in any other such circumstance in which an employer can access the employee’s encrypted information. To obtain access, the employer needs the specific keys necessary to decrypt that information, and sometimes the intervention of a foreign institutional entity is required.
End-user exceptional access
Sometimes the person who encrypted the information loses or forgets the key to open it, or the person to whom the encrypted information was sent has lost the means to obtain access. When such a user needs to gain access to the information, he needs to prove his identity to be the party holding the backup key and that he is authorized to have a duplicate copy of his key.
The need for government access to encrypted communications
In any investigation and prosecution, information and evidence play a key role. Criminals strive to protect information relating to their crimes or activities from the authorities enforcing the law. In criminal cases, police officers or law enforcement authorities have the power of search and seizure.
Similarly, in digital communications, wiretapping is used as the best source of obtaining information. In pursuance of a court’s order or in any other government process, the government can require companies to decrypt encrypted communications or to give the government the means to decrypt them. Governments establish certain specified intelligence agencies to obtain access to required encrypted communications.
Different countries have different laws governing when encrypted communications can be decrypted.
In France, when a senior minister makes a written request that is authorized by the Prime Minister or his delegate, the national intelligence and security services can obtain access to encrypted communications. The national intelligence and security services can read private communications and can ask providers of cryptology services for the means of decrypting encrypted communications, for specified enumerated reasons and circumstances. Investigative judges can order the interception, recording, and transcription of private telecommunications in a criminal investigation, and any qualified person can be asked by the law enforcement authorities to obtain authorization that would enable them to allow access to the required information.
In Belgium, a special independent commission authorizes Belgian intelligence to gain secret access to, listen to, or record private communications. They can serve a written demand for technical assistance on a network operator or service provider that has the technical ability to provide copies of decrypted communications. The authorization by the investigative judge must be made only when certain legally defined circumstances arise. He can also order anyone who has particular knowledge of a relevant encryption service to provide access to communication in a readable format.
In the UK, under certain circumstances, intelligence officials and specified law enforcement officials can, through a written notice, require any person or corporate body to provide access to or disclose their encrypted information in intelligible form.
In Australia, a court can order police to obtain information from any computer or storage device against which a warrant has been made. The police can then ask certain persons for assistance or information so that they can unlock the device, or for information to decrypt data on such devices into intelligible form.
In Japan, during a criminal investigation or court trial, police can request the court to order the decryption of encrypted data or information.
In South Africa, law enforcement authorities apply to the court for a “decryption direction” to enable the decryption key holder to provide access to the private encrypted information.
Canada and Taiwan
In countries like Canada and Taiwan, a legal framework requires telecommunication companies to assist government surveillance of communications, to the extent technologically feasible, so that the government can decrypt information.
In Brazil, regulations provide that communication providers must make the technological resources and data relating to the suspension of telecommunications confidentiality available to certain authorities of federal telecommunications agencies. Telecommunication companies are obliged to provide decryption assistance to the government.
In Israel, the Ministry of Defence regulates and licenses encryption activities. Officials of the Defence Ministry are empowered to enter any area where encryption-related activities are being performed and can ask for information about an encryption license at any time.
Germany follows the principle that a suspect cannot be compelled to cooperate in an investigation in a way that would incriminate himself. So, there is no law relating to private end-users providing their private keys to encrypt any information. However, certain intelligence and law enforcement agencies are empowered to obtain access and intercept communications through whatever technologies they have to unlock encrypted communications. These officials can demand that telecommunication providers remove encryption from certain required communications.
In Sweden, laws are enacted under which a Swedish court would force an ISP, encryption firm, or other entity to decrypt data. The Swedish law provides that the warrant must satisfy a proportionality test and an order of decryption is not considered to be proportional.
The European Union
European Union (EU) legislation has no provision requiring tech companies to disclose the keys of encrypted materials to law enforcement authorities or to decrypt any communication at the request of the government.
In India, certain laws like the Indian Telegraph Act, 1885, the National Telecom Policy, 1999, the Information Technology Act, 2000, and other sector-specific regulations govern and regulate encryption or allow the government access to encrypted information.
Governments all around the world have tried to limit encryption to gain access to information. In 2016, Apple Inc. refused to give the Federal Bureau of Investigation access to its system through backdoors. The US, UK, and Australia jointly requested Facebook to stop its end-to-end encryption plans in 2019. National security, law enforcement, and foreign policy are the reasons for which the government tries to gain access to encrypted communications. The ways through which government regulates encryption are:
A backdoor is a method through which encrypted data can be accessed undetectably. Therefore, the government tries to make laws requiring communication providers to install backdoors in their systems so that the information is easily accessible to the government.
The standard of encryption is measured by how easily a third party can decrypt the encrypted information. To regulate encryption, governments set encryption standards for their country. The United States National Institute of Standards and Technology endorses the Advanced Encryption Standard (AES) as the encryption standard. Its key size is 128, 192, or 256 bits.
If the intended user loses the information, it can be retrieved by a third party who holds the “key” to access the information as a backup. The third party is known as escrow.
There is always a debate on government access to encrypted information. An individual has a right to privacy and to prevent any other person from having access to his information. But it is equally important to understand that cybercrimes are growing rapidly, and the government must intervene in certain circumstances to investigate and prevent crimes. Companies and network providers try to prevent government access to encrypted communications. Therefore, to gain access to encrypted information, the government should take some measures like:
- Companies must understand that to prevent or solve crimes, it is necessary to provide access to encrypted information to the government.
- The government should provide concrete proposals as to how to design the system in such a way that it can be accessed by the government whenever required.
- The government should focus its attention on imperfect yet attainable goals.
- The government should try to exploit existing vulnerabilities instead of forcing manufacturers to design new vulnerabilities.
- “Lawful hacking” should be used by the government.
- Government officials should gather detailed statistics on the extent to which encryption hampers law enforcement.
- The government should fund research and production of secure encrypted systems that are accessible to the government.
- The government should try to rebuild its relationship with technological communities.
- Programs should be established that allow members of the technological community to work collaboratively with law-enforcement agencies.
- Government authorities should not use tactics that force companies to give access to the information and thereby provoke the companies.