This article has been written by Shams Rizvi pursuing the Diploma in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho. This article has been edited by Zigishu Singh (Associate, Lawsikho) and Smriti Katiyar (Associate, Lawsikho).
Since Edward Snowden leaked NSA documents and reported on the US cyber-surveillance program, internet privacy has become an important issue around the globe. With that, encryption technology, which earlier was usually reserved for companies and governments, has become commercially available to people via social media and messaging apps such as WhatsApp and Signal.
Regulating encryption under Indian cyber law is open for debate, and it came into the mainstream when the Supreme Court refused to allow a PIL seeking a ban on WhatsApp on the grounds of complete encryption. In this paper we will discuss the basics of encryption and how it is used, the key factors which can regulate encryption under Indian cyber law, and how India can create a better encryption policy which is harmonious with its current regulatory systems in cyber law.
What is encryption and how is it used?
Encryption is a way to make data secure. It is a process in which one encodes information from plain text into encoded text, referred to as ciphertext. Because ciphertext can only be encoded and decoded with the public key, it appears to be gibberish to an unauthorised user. This practice is widely useful when handling sensitive data and is usually used by governments, especially in areas of national security such as defence, or when governments are communicating with their embassies abroad. Cryptography, which is the study of encryption, is as old as the Roman and Greek civilizations. Over time it has had many practical applications, but the emergence of computers and the formation of digital economies across the world made encryption a necessity for both government and private organizations.
As technology progresses, encryption is becoming more and more complex and sophisticated. Nowadays, messages are encrypted using bits (0 and 1 in the binary number system). Various key sizes can be used to encrypt data, depending on the strength required. For example, 80-bit encryption refers to a key size of 80 bits. Hence, higher-bit encryption provides better security. The significance of bit size in formulating encryption regulation will be discussed further in this article.
Major factors for regulating encryption under Indian cyber law
Encryption in today's world is equivalent to privacy. Just as in America and the rest of the globe, privacy is a very significant issue for Indian law and for Indian policymakers, especially after the Puttaswamy judgment, where the Supreme Court unanimously recognized that the right to privacy is a fundamental right. Hence, there are various factors which Indian lawmakers and policymakers must consider in order to regulate encryption under Indian cyber law. Those which will be discussed in this article are listed below:
- Proportionality between Privacy and National Security;
- Establishing a Balance between Economic and Legal Factors in play.
The above are the key factors that policymakers and lawmakers must consider while forming encryption laws within cyber law in India. The list is not exhaustive, but these are the factors most significant in regulating encryption in India. The factors are as follows:
- Proportionality between Privacy and National Security
This is one of the biggest concerns for citizens as well as lawmakers, and it appears to be one of the greatest challenges for lawmakers and policymakers regarding encryption laws in India. Although the issue of proportionality is applicable to most laws, encryption laws will have imminent legal, economic and geopolitical effects, which are discussed in the successive factors below.
Lawmakers must take a harmonious approach while forming encryption laws in India, as in most cases the state prioritizes the issue of national security over the issue of privacy. Like any other nation, India follows suit. The current functioning of the state and the present outlook of the government regarding encryption regulations are discussed below through case studies:
- Case of Blackberry 2007-2012
The first issue of national security versus privacy appeared in 2007, when the Indian government directed RIM (Research in Motion), the Canadian company behind BlackBerry smartphones, to give law enforcement access to its encrypted data. As the manufacturer of BlackBerry, RIM was not subject to the encryption controls which applied to telecom companies under the licensing agreement. Later, the government pressured the Canadian manufacturer to hand over the encryption keys and move its servers to India, failing which the government would block BlackBerry services in India. These requests by the state intensified after the 26/11 attack, as the militants involved in the attack had used BlackBerry handsets to communicate with their handlers in Pakistan. RIM finally relocated its servers to India and handed over the encryption keys to the government. This step lowered the popularity of BlackBerry globally, which in turn lowered its stock price. It also created a powerful precedent for the government to use later.
- Case of Draft National Encryption Policy 2015
In September 2015, the central government released and circulated the draft of the National Encryption Policy. The main takeaways of National Encryption Policy are as follows:
- According to the Draft, the user shall reproduce the same Plain text and encrypted text pairs using the software/hardware used to produce the encrypted text from the given plain text. All information shall be stored by the concerned B/C (business/citizen) entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country.
- Only the government of India shall define the algorithms and key sizes for encryption in India, and it reserves the right to take action for any violation of this Policy. Businesses will have to keep all encrypted data and also make it available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country.
- Service providers offering encryption will have to register with the Indian government. Service providers located within and outside India, using encryption technology for providing any type of services in India, must enter into an agreement with the Government for providing such services in India. The Government will designate an appropriate agency for entering into such an agreement with the service provider located within and outside India.
Due to its terms and conditions, this Policy received backlash from various members of society, including lawyers, technology experts, civil societies and social activists. It was later withdrawn by the government.
Apart from the case studies above, there are many examples available internationally where a government has prioritized the issue of national security over the concern of privacy of individuals. These include Apple Inc.'s encryption dispute with the FBI (Federal Bureau of Investigation) in America and the Russian government's dispute with Telegram, where the company refused to provide encryption keys to the FSB (Federal Security Service). This concern of privacy is a global one, and companies and the state are usually at an impasse with each other. Hence, it is important to create a balance between both issues, despite it being a challenge for the government and lawmakers to do so.
- Establishing a Balance between Economic and Legal aspect of Privacy.
This factor is directly proportional to the above factor of proportionality between privacy and national security. As discussed above, privacy in itself has now become a feature for commercialization. Hence, a country's opinion on privacy can affect the private sector and may affect the economy of a state at large.
Economic Factors- Privacy has become a major selling point, and tech industries around the world are exploiting this in order to commercialize and sell their products. It is also necessary for countries to understand and consider the economic aspect of privacy: how it became a selling point for many companies and industries, and what economic benefits a nation can get if it takes the privacy of an individual or an organization seriously by allowing them to encrypt their data and personal information, and by making suitable laws which are friendly towards individual privacy and encourage encryption.
Case analysis of Australian Encryption Laws
One must understand what economic loss a country can face if laws regarding encryption are not business friendly. In 2018, the heads of Australia’s law enforcement and intelligence agencies were given broad powers by the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, or TOLA Act, to gain access to encrypted communications. This caused uncertainty for foreign investors and domestic consumers in Australia. According to the study conducted by the Internet Society on the topic “The Economic Impact of Laws that Weaken Encryption”, there is some evidence that the weakening of encryption law in countries has economic effects which can be seen. The study states: “Behavioural responses include changes in firms’ employment practices, investment behaviour, and innovation activity, which are related. For example, investments in business capacity depend on expectations regarding the future prospects for the firm, which depend on the firm’s competitive advantage and on the firm’s investments in R&D and sundry strategic investments (e.g., in its brand image, in cybersecurity, in intellectual property, etc.). As we explain further below, one of the potential behavioural responses that might be anticipated is for firms to reduce their investments in R&D and new product introductions in Australia that are expected to be adversely impacted by TOLA, whether directly or indirectly. To the extent that occurs, estimating the economic impact will depend on computing the future net benefits expected from the deterred investments or improvements in product choice and pricing that otherwise would have occurred. That is inherently more challenging than measuring what actually happened. Thus, the behavioural and outcome-related impacts depend on the business attitudes and expectations. The impacts are potentially economy-wide and even global.”
Hence it can be stated that economic loss and lack of investment in certain sectors due to weakened encryption laws can be a real scenario. This issue is being further researched by many academicians, as there is a lack of empirical data to confirm such a scenario, but it is one of the possibilities which must be considered when making encryption regulations in the country.
Although we have already covered the issue of national security, legal factors also include the circumstances, apart from national security, under which the government can ask for the encryption keys of a particular encryption technology used by companies or individuals, and the checks and balances which the government and lawmakers should propose to provide accountability, so that this process is not arbitrary and functions under the due process of law of that nation. Some of the issues are listed below:
- The challenge of decryption on demand- Decryption on demand is the most controversial issue which most countries are facing right now, including Canada, the USA, India, Ecuador and Russia. It is a huge issue especially for democratic nations, as most of these nations face the challenge of enacting encryption laws which align with their respective constitutions and democratic frameworks. One of the reasons it is controversial is that many nations forgo the issue of checks and balances, like Canada, which has proposed in its encryption policy that it would compel private companies to deliberately inject weaknesses into cryptographic algorithms or the applications that facilitate encrypted communications. This would create a strong and dangerous precedent which might become a norm in the coming years. Hence lawmakers must consider this issue before forming an encryption policy.
- Public safety and Cyber Security- Issues like weakened encryption protocols and standards and decryption on demand call into question the transparency of the government; this undermines the values of the state and makes a compelling case for individual freedom as a citizen and for the issue of privacy discussed above. The concept of encryption is still something new, as most countries are still working on it and trying to make policies according to their nations' legal systems.
Although the above factors play a key role in determining the encryption laws of a nation, there are other factors which need to be considered before making such laws, including geopolitical effects, the formation of encryption laws which can be applicable to all commercial and non-commercial sectors in the country, and the formation of an encryption policy which is future-proof. Countries are still in the phase of trial and error and have not fully understood the effects of encryption policy, the effects it will have on their people, and the long-term effects it can have on a particular nation in terms of international trade and commerce. Hence, India as a nation must learn from current international trends and from the examples of various countries which have adopted encryption regulations, and from the short-term and long-term effects these have had on such countries, before adopting and forming its own encryption regulations under cyber law.