What’s up with the Encryption?

Explaining the technology and legality of end-to-end encryption in India

Last week the Supreme Court dismissed a public interest litigation seeking to ban messaging applications like WhatsApp that use end-to-end encryption to secure communication between two users. While the petitioner admitted that he is not against the use of encryption per se, his contention is that the keys to decrypt such communications should be made available to law enforcement and security agencies in the interest of national security.

Across the world, government agencies are struggling to come to terms with new forms of technology implemented to encrypt end user data. Countries like Brazil have already tried to ban the use of WhatsApp when the company was not able to hand over end user data to law enforcement agencies. The FBI-Apple confrontation, where Apple was asked by the FBI to help in decrypting the phone of a terror convict, also fueled the debate globally. So how does the entire scenario around encryption technology stack up in India? More importantly, how does this debate impact end users of such technology in the country?

What is encryption technology and where do we use it?

Encryption is the commonly used term for an umbrella of technologies implemented for securing communication in the presence of a third party. It encompasses a wide spectrum of applications that scramble communication sent in plain text, and decrypt it when received by the intended recipient. It could also mean setting up a secure channel of communication through which plain text data can be sent. You can see a functional example of this if the address of the website you are accessing begins with HTTPS instead of HTTP, which means that it is using a secure channel to transmit data. Also, websites are known to store large databases of user information in an encrypted form so that it cannot be accessed easily. End-to-end encryption used by WhatsApp is designed such that only the two devices communicating with each other are able to read the communication. In theory this makes it impossible for anyone to snoop on such a communication, the flip side being that even the application company does not have any means to decrypt this data.

What are ‘Keys’ used in Encryption?

A ‘Key’ or a set of ‘Keys’ usually denotes a piece of code (algorithm) that, when applied to plain text, will convert it into encrypted text. There are a variety of Keys such as Public Keys (used for encrypting) and Private Keys (used for decrypting). As the names suggest, a Private Key is always with the recipient of the message while a Public Key may or may not be sent along with the message depending upon the combination being used. The ‘bit’ added (40, 64, 128) after the key denotes the strength of the algorithm used to encrypt the data. The larger the bit size, the stronger the encryption.
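The end-to-end arrangement described above (each device keeps its own private key, only public keys are shared, and the service in the middle cannot read the message), as an added Node.js example that is not from the original article and is not WhatsApp's actual protocol. It assumes X25519 key agreement with AES-256-GCM as a simplified stand-in; the function names, the relay object and the sample message are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Each device generates its own key pair; the private key never leaves the device.
function newDevice() {
  return crypto.generateKeyPairSync('x25519');
}

// Both ends derive the same 256-bit message key from their own private key
// and the other side's public key (assumed scheme: X25519 + HKDF-SHA256).
function sessionKey(myPrivateKey, theirPublicKey) {
  const shared = crypto.diffieHellman({ privateKey: myPrivateKey, publicKey: theirPublicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'e2e-demo', 32));
}

function encrypt(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, body, tag: cipher.getAuthTag() };
}

function decrypt(key, msg) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.body), decipher.final()]).toString('utf8');
}

// Constructed scenario: the relay holds only what passes through it,
// i.e. both public keys and the encrypted message.
function demo() {
  const alice = newDevice();
  const bob = newDevice();
  const relay = { publicKeys: [alice.publicKey, bob.publicKey], stored: null };
  relay.stored = encrypt(sessionKey(alice.privateKey, bob.publicKey), 'meet at 6pm');
  const received = decrypt(sessionKey(bob.privateKey, alice.publicKey), relay.stored);

  // The relay has neither private key, so all it can try is a key pair of its own.
  const relayDevice = newDevice();
  let relayRead = null;
  try {
    relayRead = decrypt(sessionKey(relayDevice.privateKey, relay.publicKeys[1]), relay.stored);
  } catch (err) {
    relayRead = null; // GCM authentication fails under the wrong key
  }
  return { received, relayRead, ciphertextHex: relay.stored.body.toString('hex') };
}

console.log(demo());
```

In this design the relay only ever holds public keys and ciphertext, which is why a service built this way has no decryption key of its own to hand over.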

What are the legal provisions for use of encryption technology in India?

India does not have a law or regulatory framework for encrypting data. Sec 84A of the IT Act delegates responsibility to the Central Government to make rules regarding the use and regulation of encryption technologies in India. There are some sectoral regulations like those issued by the Securities and Exchange Board of India (SEBI), which asks for a 64/128-bit encryption standard to be used while engaging in online trading. The RBI, on the other hand, has mandated that a 128-bit standard should be used in all online transactions. The Department of Telecom (DoT), in its Internet Service Providers (ISPs) License, permits the use of a 40-bit encryption standard; anything above this limit would be allowed only if copies of the keys are submitted to DoT.

What are the policy guidelines for the use of encryption technology in India?

In September 2015, the Department of Electronics and Information Technology (DEIT) came out with the draft National Encryption Policy. Its stated objective was to promote the use of encryption technology for security and confidentiality and to protect privacy in information and communication infrastructure without unduly affecting public safety and national security. However, provisions in the policy that required end users to store copies of their communication in plain text for 90 days, the mandatory registration of foreign vendors, and the insistence that Indian users use only these registered products led to strong public criticism of the policy. As a result, the policy was withdrawn and a new policy is now awaited that will hopefully address the concerns raised about the initial draft.

So is WhatsApp operating illegally in India?

Due to the absence of a defined law that explicitly states the standard of encryption that can be used by different applications, WhatsApp is legal as of now. Should the Government or any of its agencies come up with requirements of a higher standard than the one used now by WhatsApp, or mandate that a copy of all keys be submitted to an agency appointed for this, it would cause serious issues for these messaging applications. While the court dismissed his petition, stating that there are agencies in the country that will take care of the national security aspects, the petitioner plans to take up the issue with the Department of Telecom and the Ministry of Information and Technology, as well as present his case to the Telecom Dispute Settlement and Appellate Tribunal (TDSAT), to push for OTT messaging applications to submit keys to government agencies.

The encryption debate in India will only get stronger from here on. As more and more applications implement end-to-end encryption technologies to appeal to end users, law enforcement and security agencies will press harder for back-doors to be created so that they can access such data, citing the need to maintain public order and national security.

This article was first published on The Dialogue.