by SFLC.in

The Indian Supreme Court on 29th June, 2016 refused to entertain a petition that sought a ban on WhatsApp and similar applications that use strong end to end encryption to safeguard the communications on their services. The petition argued that such stringent encryption created a national security hazard, since it would be impossible for law enforcement agencies to read the communications of parties that pose a threat to the safety and security of the country. With WhatsApp, a widely used messaging application, enabling end to end encryption by default in April, 2016 (the Signal Protocol, which encrypts message content under 256 bit AES keys), there has been a lot of discussion about the legal position of encryption under the current Indian framework. We created this FAQ to help readers understand the status of encryption, and of services that use encryption, in India.

1. Do we have a comprehensive law regulating encryption?
No, India does not have a dedicated law on encryption. However, a number of sectoral regulations, including in the banking, finance and telecommunication industries, carry stipulations such as the minimum standard of encryption to be used in securing transactions. Further, a draft National Policy on Encryption under Section 84A of the Information Technology Act, 2000 was published on 21st September, 2015 and invited comments from the public, but was withdrawn on 23rd September, 2015. Section 84A permits the Central Government to prescribe encryption standards and methods to secure electronic communications and to promote e-governance and e-commerce.

2. How did the draft National Encryption Policy seek to regulate the use of encryption?
The draft Policy applied to the use of encryption technologies for the storage and communication of information held by the government, businesses and citizens. The Central Government was delegated the power to specify and notify the encryption protocols and technologies that could be used for this purpose. However, the policy was withdrawn because certain problematic provisions caused an upheaval not only in the IT sector but also among users.

3. Why was this draft Policy withdrawn?
The draft National Policy on Encryption was withdrawn within two days of its release because of its unworkable and unclear provisions on the use of encryption technologies. Mr. Ravi Shankar Prasad, Union Minister of Communications and Information Technology, said that India is lacking any sort of encryption policy, and that the original draft would be refined for this purpose. The draft Policy received a large amount of criticism from businesses, the IT sector, users and civil society advocacy groups. The following were a few major points of criticism levelled against the policy:

  • The provision that mandated users and businesses to retain plain text copies of encrypted communications for 90 days.
  • Registration of foreign service providers before they make their services available to the Indian population.
  • The security concerns associated with retaining plain text copies for 90 days: a store of plain text is a single target for anyone who compromises the user or business holding it.
  • The Government specifying the key length and algorithm to be used in encryption technologies for all users and businesses, which meant that the Government could cap the strongest encryption that could be used, leaving a user no discretion to adopt stricter security standards.
  • The provision that put the primary responsibility on users of foreign services for retaining plain text copies of communications and handing them over when sought by a law enforcement agency.

4. Are there other laws and/or recommendations pertaining to the use or regulation of encryption and other such technologies in India?

The Information Technology Act, 2000, which regulates electronic and wireless modes of communication, contains no substantive provision or policy on encryption apart from Section 84A, which delegates to the Central Government the authority to frame rules on the use and regulation of encryption. To date, no such rules have been framed by the Central Government under this section. Apart from that, the following are a few sectors where the use of encryption technology and products has been regulated and mandated by specific terms and conditions:

  • Department of Telecommunication (DoT) License with Internet Service Providers (ISPs)
    The terms and conditions of the license agreement between the DoT and the ISPs permit the use of encryption only up to a 40 bit key length "in the RSA algorithms or its equivalents" without prior approval from the DoT. A higher encryption standard can only be employed with permission and after submission of the decryption key, split in two parts, to the DoT. Moreover, there is a complete prohibition on ISPs using bulk encryption under these license terms (Clause 2.2 (vii) of the License Agreement between DoT and ISP, January 2010). Two points should be noted about the 40 bit figure. First, it is not a meaningful RSA key size; 40 bits only makes sense as a symmetric key length, and it dates from the era of export-restricted ciphers. Second, a 40 bit symmetric key space (about 10^12 keys) can be searched exhaustively on ordinary hardware, so the ceiling permits, without approval, only encryption that offers no real protection. It is also important to note that although the terms of the Unified Service License Agreement also explicitly prohibit bulk encryption (Clause 37.1), they do not prescribe a 40 bit standard. Rather, they state that the permissible encryption standard under this Agreement will be governed by the policies made under the Information Technology Act, 2000 (Clause 37.5). But, as stated earlier, no rules have yet been framed under the IT Act that prescribe or regulate the usage of encryption technologies in India.
  • Securities and Exchange Board of India (SEBI) Guidelines on Internet based Trading and Services
    As per the Report on Internet Trading by the SEBI Committee on Internet based Trading and Services, 2000, a 64/128 bit encryption standard is advisable to secure transactions and online trading. However, this is qualified by the condition that the DoT prescribed policy and regulation on encryption will be adhered to. It is also worth mentioning that a proposed framework for wireless trading recommends end to end encryption for safeguarding the trading process.
  • Reserve Bank of India (RBI)
    As part of the Report on Internet Banking released by the RBI in 2001, a minimum security standard of SSL with 128 bit encryption has been mandated for conducting all online transactions, securing passwords, and ensuring a secure connection between the web browser and the server. The 128 bits refer to the symmetric cipher key negotiated inside the SSL session; SSL itself has since been deprecated in favour of TLS, so a practitioner reading the mandate today should treat it as a minimum cipher strength rather than a protocol version to deploy.
  • Information Technology (Certifying Authorities) Rules, 2000
    These Rules specify the manner in which digital signatures are to be authenticated. Under Rule 3, digital signature authentication is mandated to be undertaken via a public key encryption method. Rule 6 of the Certifying Authorities Rules provides the requisite standards for public keys that can be used for this purpose, such as the PKCS#1 RSA Encryption Standard (512, 1024, 2048 bit), the PKCS#5 Password Based Encryption Standard and the PKCS#7 Cryptographic Message Syntax Standard. Every key size listed under this rule exceeds 40 bits, the maximum permitted without approval under the license terms between an ISP and the DoT, although the comparison is loose, since an RSA modulus length and a symmetric key length are not directly comparable measures of strength. (A 512 bit RSA modulus, for its part, has been publicly factorable since 1999 and should not be used for new signatures.)
  • Data Security Council of India’s (DSCI) recommendation
    DSCI and NASSCOM, with inputs from other industry participants, submitted recommendations to the Department of Information Technology in 2009 regarding an Encryption Policy for India. One of the recommendations was a departure from the 40 bit standard enshrined in the DoT license to ISPs, and an upgrade to a 256 bit encryption standard with the AES algorithm or equivalents for e-commerce platforms, along with SSL for end to end authentication.

5. Is there a restriction/prohibition on using encryption technologies?

The license agreement between the ISP and the DoT stipulates that individuals, groups and organisations are not permitted to use encryption with keys longer than 40 bits without prior approval and deposit of the decryption keys (the clause is worded in terms of "RSA algorithms or its equivalents", but, as noted above, a 40 bit figure is meaningful only as a symmetric key length). As mentioned above, various other regulations and guidelines require a standard higher than 40 bits for specific sectors. Also, in the absence of a comprehensive encryption policy or regulation, or of any procedures detailed under the Information Technology Act, 2000, service providers under the terms of the Unified Service License Agreement have no limitation on encryption strength. Therefore, the restriction of 40 bits effectively applies only to individuals, organisations or groups using the networks of ISPs that operate under the license agreement between the DoT and the ISP.

6. What is the legal status of services like WhatsApp that enable end to end encryption?

In April 2016, WhatsApp, a messaging application, enabled end to end encryption for all its users, with message content encrypted under 256 bit AES keys. The service is owned by Facebook Inc. and is not an individual, group or organisation of the kind addressed by the license terms between the DoT and the ISPs. Applications like WhatsApp are termed 'Over The Top' (OTT) services and, in the absence of any specific regulation pertaining to them, are governed by the provisions of the IT Act and/or other legislation applicable to their services. An application that only makes its service available to consumers is not bound by any license agreement that restricts encryption usage. The onus in this regard falls on the ISPs, whose license agreement with the DoT permits encryption only up to 40 bits without prior permission. However, the extremely low threshold of 40 bits is a practice that needs to be upgraded. Therefore, in the absence of stipulated encryption standards under the IT Act or a comprehensive encryption policy, OTTs such as WhatsApp that use higher encryption standards are currently operating in a grey area, with no legal precedent or rules to deny or allow the use of 256 bit end to end encryption for the communications made on their services.


Crossposted with permission from SFLC.in