NASSCOM and DSCI (Data Security Council of India) have proposed that law enforcement agencies should only be allowed to decrypt data on the device that is already with them and not remotely access/decrypt other encrypted information. This will, their new discussion paper argues, form the basis for “formulating a strong legal mechanism that could restrict LEA to access information only in legitimate cases”. The paper believes that this will satisfy the needs of the law enforcement agencies and address concerns of mass surveillance that have been raised by privacy advocates.

A strong encryption policy framework needs to address two concerns, as per the report, “state interception of information, and the citizen’s right to privacy and data protection”. NASSCOM-DSCI are inviting comments and responses to the discussion paper until September 30, 2020 at policy@nasscom.in.

The report has been prepared by NASSCOM and DSCI with research by and inputs from Quantum Hub Consulting.

Questions raised by the report

The paper has asked several important questions related to encryption and the kind of measures that can be taken to check government surveillance:

  • Should a right to deploying encryption be recognised in line with the right to privacy as held by the Supreme Court in the Puttaswamy judgement?
  • Should the Review Committee, that issues interception orders under the Telegraph Act in India, include judiciary members?
  • Should there be any disclosure requirements imposed upon the government in relation to interception, monitoring and decryption orders?
  • How would India’s legal framework need to change to be compatible with bilateral information sharing mechanisms such as US’ CLOUD Act or the EU’s GDPR?
  • Should impossible obligations be placed on intermediaries to trace the originator even when it’s technologically impossible?
  • Should the escrow model be considered to give law enforcement access to encrypted devices? If yes, what checks and balances need to be placed?
  • Should government-aided ethical hacking be considered a legitimate means for law enforcement to access decrypted information in India? If yes, what changes to law would need to be made? How should concerns around disclosure of zero day vulnerabilities then be addressed?
  • Should India have a uniform, sector-agnostic framework to regulate encryption, or should it remain sector-specific, as is the case now?
  • Should there be differential obligations for B2B and B2C deployment of encryption?

The need for the paper

  1. India is working on several legislations/regulations related to privacy, encryption, and government access to encrypted information. These are the Personal Data Protection Bill, 2019, which is currently under the deliberation of Joint Parliamentary Committee, and the Intermediary Guidelines (Amendment) Rules that were to be notified by the IT Ministry in January 2020 but haven’t been yet.
  2. Threat of large-scale cyberattacks from state and non-state actors has increased. Although the Department of Telecommunications (DoT) has contemplated making it mandatory for mobile manufacturers to share their source code, but that proposal has been rejected by companies citing intellectual property and proprietary concerns.
  3. MEITY is looking to amend the Information Technology Act to deal with newer technologies such as social media, e-commerce, artificial intelligence, etc.

MediaNama comment: It is interesting that this discussion paper does not talk about the National Cyber Security Strategy which is also expected to be notified this year. The report mentions the Supreme Court petition by Centre for Accountability and Systemic Change (CASC) that has sought localisation of financial data of WhatsApp as well as appointment of a grievance officer within India. It is not clear how this petition, instead of the WhatsApp traceability case, “renewed interest in the debate surrounding encryption methods deployed by communication and social media platforms, and the feasibility of intercepting, or determining the originator of information, without decryption”.

Regulatory framework for encryption: Status quo in India

There are five types of laws and regulations related to encryption that the paper has identified that deal with:

  1. Lawful interception of private communications: These include the Telegraph Act and the Information Technology Act that specify procedures the government and its agencies have to adopt to intercept private communications.
  2. Data protection and privacy: These include the Personal Data Protection Bill and certain provisions of the IT Act that (in)directly encourage adoption of encryption to preserve privacy. These don’t address questions of access to encrypted information by law enforcement agencies, as per the report, nor do they “prescribe any restrictions or conditions on the deployment of encryption”.
  3. Restrictions/specifications on deployment of encryption: These include sector-specific requirements for telecom sector, financial data, electronic medical records, etc. and specify key sizes or other such elements.
  4. Obligations of intermediaries related to requests for intercepting encrypted information: These include TRAI’s efforts to regulate OTT applications and rules under the IT Act such as the Intermediary Guidelines and the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules 2009.
  5. Obligations related to data storage and localisation: These include restrictions on cross-border transfers of data to enable access for law enforcement agencies to encrypted information. These restrictions have been proposed under the PDP Bill, recommendations of the Expert Committee on Non-Personal Data, and the draft e-commerce policy.

Both GDPR and PDP Bill recognise de-identification and encryption as necessary security safeguards.

Report’s stance on whether traceability is possible

The report concludes that the Interception Rules under the IT Act mean that “there is no obligation [for the intermediary] to provide decryption, unless and until the intermediary itself is the holder of the decryption key”. Since that then inhibits the law enforcement agencies’ ability to get access to the encrypted communications, MEITY proposed the Intermediary Guidelines (Amendment) Rules, 2018 whose Rule 3(5) states:

“When required by lawful order, the intermediary shall, within 72 hours of communication, provide such information or assistance as asked for by any government agency or assistance concerning security of the State or cyber security; or investigation or detection or prosecution or prevention of offence(s); protective or cyber security and matters connected with or incidental thereto. Any such request can be made in writing or through electronic means stating clearly the purpose of seeking such information or any such assistance. The intermediary shall enable tracing out of such originator of information on its platform as may be required by government agencies who are legally authorised.”

As per the report, this means that intermediaries would be required to “enable tracing of originator, and provide any and all assistance sought for by an authorised Government agency”. The report reads it as an obligation for “all intermediaries to enable tracing of originators, irrespective of the intermediary’s ability to enable the same”. This rule has faced significant pushback from companies such as WhatsApp that use end-to-end encryption.

Errata

  • Page 8: “Similar to how the attacks of September 9, 2001 led to the overarching powers of the NSA …”: They probably meant to write September 11, 2001.
  • In reference to the exploitation of the WhatsApp vulnerability to plant NSO Group’s Pegasus spyware, the report states that “software procured by Governments agencies have been recently used towards surveillance, by exploiting a vulnerability in the version of the signal protocol deployed by WhatsApp for providing end-to-end encryption”. However, the vulnerability that was exploited was not in the Signal protocol but in the WhatsApp client/app.

Read more: