This article is written by Pearl Narang, pursuing a Diploma in Advanced Contract Drafting, Negotiation and Dispute Resolution from Lawsikho.com. Here she discusses “Regulation of Encrypted Online Communication Services Around the World”. 

Introduction

In 2016, the Federal Bureau of Investigation and Apple.inc got into a public fight once Apple refused to permit the bureau to access its system through a backdoor to the iOS. In 2019, US, UK, and Australia conjointly requested Facebook to stop its end-to-end encryption plans. Governments all over the world have tried time and again to limit encryption in order to gain access to information.

What is Encrypted Online Communication?

For most of us, communicating online has become a habit. From our personal photos to our credit card numbers, everything is online.  We have a tendency to upload heaps of information on the internet without considering the consequences of our data ending up in the hands of government officials, hackers, or service providers. This is why we need encryption.

Encryption is a way of encoding information so that only an authorized person can access it. All of us have seen the yellow bubble which appears in every WhatsApp chat window that states “Messages to this chat are secured with end-to-end encryption”. The message in the bubble means that only you and the intended receiver can read the message. No third party, not even WhatsApp can have any access to it. This kind of communication is known an Encrypted Online Communication.

Say, for example, you send a message to your friend:

Hey! Let’s meet up.

To your friend the message will look like this: 

Hey! Let’s meet up.

To any unauthorized person, the message will look like this:

wUwDPglyJu9LOnkBAf4vxSpQgQZltcz7LWwEquhdm5kSQIkQlZtfxtSTsmaw

Ways of Regulating Encryption 

Governments all over the world try to regulate encryption for reasons of national security, law enforcement and foreign policy. There are a number of ways governments regulate encryption. 

1. Backdoors

Backdoor is a method through which encrypted data can be accessed undetectably. Governments repeatedly try to pass laws that require communication providers to install backdoors in their systems so that, they can get access to information and spy on terrorists. 

2. Encryption Standards

Quality of encryption is judged by how easy it is for a third party to determine the original content of an encrypted message. To regulate encryption in their countries, governments have set encryption standards. Data Encryption Standards or DES was an early encryption standard endorsed by the United States National Institute of Standards and Technology. It was replaced by Advanced Encryption Standard (AES) which is said to be more secure with its key size of 128, 192 or 256 bits.

3. Key Escrows

Key escrow is a method in which a “key” is kept with a third party i. e. an escrow, so that, if the intended user loses the information it can be retrieved by the third party. 

How is Encryption Regulated Around the World?

India

Encryption is a hot topic of debate in India. There is no single legislation that governs encryption. Rules that regulate encryption are fragmented across a number of legislations of various sectors. These laws either regulate encryption or allow access to encrypted information to the government. These are: 

1. The Indian Telegraph Act, 1885

The Indian Telegraph Act is the principal legislation which regulates communication India. Section 4(1) of the Act empowers the Central Government to establish, maintain and work telegraphs within India. Section 3(1) of the Act, defines the term ‘telegraph’. The definition includes,

“… any appliance, instrument, material or apparatus used or capable of use for transmission or reception of signs, signals, writing, images, and sounds or intelligence of any nature by wire, visual, or other electro-magnetic emissions, Radio waves or Hertzian waves, galvanic, electric or magnetic means.”

This definition gives the government exclusive monopoly over all electronic communication and also includes the power to regulate telecommunication and internet services in the country.

2. National Telecom Policy, 1999

Under the policy, the government allowed the private players to provide these telecommunication and internet services by entering into licensing agreements with them. The version of the agreement depends on the type of technology provided by the private party.

The encryption limitations in two such agreements which have been made publicly available by the government include:

License Agreement for the Provision of Internet Services

Clause 2.1(vii) “The Licensee shall ensure that Bulk Encryption is not deployed by ISPs. Further, Individuals/ Groups/ Organizations are permitted to use encryption up to 40 bit key length in the symmetric key algorithms or its equivalent in other algorithms without obtaining permission from the Licensor. However, if encryption equipment higher than this limit are to be deployed, individuals/groups/organizations shall obtain prior written permission of the Licensor and deposit the decryption key, split into two parts, with the Licensor.”

This clause prohibits bulk encryption by the internet service providers and also places a limit on entities to use encryption up to 40 bits. The entitles can increase encryption only after taking permission from the licensor i.e. the government. 

License Agreement for Cellular Mobile Telephone Service

Clause 42.1 “The Licensee shall not employ bulk encryption equipment in its network. Any encryption equipment connected to the LICENSEE’s network for specific requirements has to have prior evaluation and approval of the LICENSOR or officer specially designated for the purpose.”

This clause also puts a limit to the use of encryption and mandates government permission if the encryption limit exceeds 40 bits.

3. The Information Technology Act, 2000

The Information Technology Act, 2000 is the Act that regulates all electronic and wireless modes of communication. The Act does not have any provision or policy on encryption. However, Section 84A of the Act empowers the Central Government the authority to frame any rules on the use and regulation of encryption. The government, however, has not made any laws to regulate encryption so far. 

The terms of the Unified Service License Agreement also explicitly prohibit bulk encryption (Clause 37.1), they do not prescribe to a 40-bit standard. Rather, they state that the permissible encryption standard under this Agreement will be governed by the policies made under the Information Technology Act, 2000(Clause 37.5). 

Section 69 of the Information Technology (Amendment) Act, 2008 gives power to the central and state government to direct any agency to intercept, monitor or decrypt any information stored on computer sources. This access is granted only if the information is related to:

1. Interest of the sovereignty or integrity of India,
2. Defence of India, 
3. Security of the State, 
4. Friendly relations with foreign States,
5.  Maintenance of public order,
6. Preventing incitement to the commission of any cognizable offence relating to above or,
7. Investigation of any offence.

4. Other Sector Specific Regulations

In addition to the above regulations, there are other sector specific regulations which prescribe a length of more than 40 bit for encrypting data. These regulations are:

Securities and Exchange Board of India (SEBI) Guidelines on Internet based Trading and Services

SEBI has prescribed a 64/128 bit encryption standard to secure transactions and online tradings. It strongly recommended in its report that “128 bit encryption should be allowed to be freely used”. 

Reserve Bank of India (RBI)

RBI released its Report on Internet Banking in 2001. In its report, RBI set a minimum security standard of using Secure Sockets Layer for server authentication and the use of client side certificates. Key length of 128-bit is the standard for encryption for communication between browsers and the server.

5. The Information Technology Procedures and Safeguards for Interception, Monitoring and Decryption of Information Rules, 2009

According to the rules, the Government can issue a decryption order for investigation of any offence. The rules also mandate that the orders for decryption must be examined by the review committee. The committee is set up under Rule 419A of the Indian Telegraph Rules. 

The review committee has to convene once every two months for the purpose of investigation.

Europe

The European Union states no requirement that law enforcement authorities get access to encrypted materials. It does not require any agency to decrypt communications in response to a government request. Member States of the EU have their own laws that regulate encryption.

United States of America 

The US does not have any general right to encryption. However, it has certain legislations that regulate encryption across various sectors. 

1. Gramm-Leach-Bliley Act: The Act is applicable to, 

1. Financial institutions and organizations within the United States (such as banks, securities firms, insurance companies, and other financial service providers). 
2. Institutions which are involved in providing financial products or services to consumers.

The law secures consumer’s data by penalizing companies that violate the provisions of the Act. 

2. Communication Assistance for Law Enforcement Act, 1994: Section 103(a) of the Act directs all telecommunication carriers to ensure that all their equipment which enables communication has certain capabilities. The capabilities include interception of communications and delivering the intercepted communication to the government.

3. The United States also imposes import and export controls on certain forms of encryption. The provisions relating to import and export controls are laid down in the International Traffic and Arms Regulations and the Export Administration Regulations.

4. California Consumer Privacy Act, 2018: The Act applies to California. It is only applicable to organizations

1. Share the personal information of at least 50,000 consumers and have more than 25 Million in their gross revenue. 
2. Derive 50% or more of their revenue from selling consumers’ personal information. 

The law states that organizations have to encrypt and secure data of their consumers, if they fail to do so they will be liable to be sued by their consumers. 

Australia

1. The Telecommunications Act, 1997: The Act lists three kinds of requests and notices that the government can issue to the telecommunication service providers: 

1. Technical Assistance Requests: Through this request law enforcement agency can ask the service providers take certain steps to ensure that the service provider is capable of giving help to the agency for the purpose of national security. 
2. Technical Assistance Notices: They require that the service provider take certain steps to help the law enforcement agency for the purpose of national security.
3. Technical Capability Notices: These can only be issued by the Attorney General and require that the service provider take certain steps which would ensure that the provider is capable of helping the security agencies in matters of national security. 

2. Cybercrimes Act, 2001: Section 3LA of the Act states that, if a law enforcement officer has a warrant, then the person who has knowledge of the computer shall assistance that is reasonable which allows the constable to:

1. Access the data held a computer or data storage device. 
2. copy data held in, 
3. Convert into documentary form or another form intelligible to a constable. 

Provided that, the computer or storage device,

(i) is on warrant premises; or

(ii) is at a place for examination or processing; or

(iii) has been seized under the Act

Non-compliance with the provision would be punishable with 6 months Imprisonment.

New Zealand

1. Telecommunications (Interception Capability and Security) Act 2013: Section 9(1) of the Act directs all network operators to ensure that all public telecommunications networks and services have “full interception capability”. 

2. Search and Surveillance Act 2012: Section 130 of the Act states that a person who has a search power can require another person to decrypt an encrypted information. If a person fails to decrypt or assist the person with the search power, he or she can face imprisonment up to 3 months.  

United Kingdom 

1. Regulation of Investigatory Powers Act, 2000: Section 49 and 50 of the Act, regulates the investigation of electronic data protected by encryption. It allows law enforcement agencies, to direct a person who holds encrypted information to produce the data in an intelligible format or to provide the key for its disclosure. If the person fails to do so, he or she is liable to be punished up to five years’ imprisonment in cases involving national security or child indecency, and by up to two years’ imprisonment in cases relating to any other offence.

2. Investigatory Powers Act, 2016: Sections 254 to 259 of the Act regulate “technical capability notices”. They allow the Secretary of State, when they consider it to be “necessary” and “proportionate”, and with the authorisation of a Judicial Commissioner, to impose a “technical capability notice” on a service provider imposing certain obligations. Such an obligation could include that service providers have to remove encryption that they have applied on communications.

Canada

1. The Canadian Charter of Rights and Freedoms: Section 8 of the charter states that “everyone has the right to be secure against unreasonable search or seizure”. This provision also applies to any law that limits encryption in Canada.

2. Export and Import Permits Act: Under Section 3 of the Act, the government establishes an Export Control List. The items on the list require an export permit before they can be exported from Canada. This list includes certain forms of cryptography as well.

3. Personal Information Protection and Electronic Documents Act: The Act applies to private-sector organizations that handle Canadian consumers’ personal data for commercial activity. 

The Act states that individuals and the Office of the Privacy Commissioner of Canada (OPC) can file complaints against companies, who do not,

1. use collected personal data as directed or,
2. Implement appropriate security safeguards. 

Organizations can be penalized for non-compliance.

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skill.