Today (October 21, 2024) is Global Encryption Day. IGP participates in this worldwide event as Saumya Jain and Jyoti Panday examine India’s evolving assaults on private communications.
End-to-end (E2E) encryption ensures that only the sender’s and recipient’s devices have access to the keys needed for encryption and decryption. This setup prevents any third party from intercepting communications between individuals. While this creates a highly secure communication channel, it often clashes with the interests of law enforcement and national security agencies, who want access to private communications to track illegal activity.
Decryption & Interception in India
In India, Section 69 of the Information Technology Act, 2000 (hereafter, IT Act) and Article 19(2) of the Indian Constitution have been interpreted by the courts to empower the government to order the decryption and interception of any message to gain access to information in the interest of the “sovereignty or integrity of India,” the “security of the State,” “friendly relations with foreign states,” or “public order.” Section 69A of the IT Act also allows the government to block public access to any information in the interest of sovereignty, integrity, national security, friendly relations with foreign states, or public order.
In 2021, the Indian government passed the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (hereafter, IT Rules). Rule 4(2) of the IT Rules introduces a requirement for Indian “significant social media intermediaries” to implement traceability. This measure would empower national security agencies to trace the “originator” of encrypted communications pursuant to an order from a court under Section 69 of the IT Act.
WhatsApp contends that enforcing traceability would essentially mean dismantling E2E encryption, as it would require providers to retain data to enable access to the content of encrypted messages. WhatsApp, represented by its parent company Meta, has challenged the IT Rules in the Delhi High Court, contending that the mandate to identify the first originator of information undermines encryption and violates user privacy protections enshrined in the Indian Constitution. Arguing against the provision, WhatsApp’s counsel warned the court, “If we are told to break encryption, then WhatsApp goes.”
There is agreement between civil society, the technical community and industry that the implementation of traceability requires communication platform companies to establish a comprehensive tracking system across all messaging platforms. This poses significant risks as it might compel service providers to compromise E2E encryption or allow the government to monitor the entire lifecycle of communications within E2E encrypted services. Additionally, it’s important to note that individuals with malicious intent may simply migrate to platforms where traceability regulations are either non-existent or unenforceable.
Similar to Section 69 of the IT Act, Section 20 of the Telecommunications Act 2023 (hereafter, the Telecom Act) also permits the interception of messages in case of public emergency, public safety, the interests of the sovereignty and integrity of India, national security, friendly relations with foreign states or public order. The expansive and vague definitions of telecommunications services and messages in the Telecom Act have led to speculation that it covers OTT services. If the Act is interpreted expansively, the state has given itself the power to order online messaging apps to decrypt encrypted messages.
Bypassing Fundamental Rights
National security, as defined in the Telecom Act and the IT Act, is alarmingly vague and subject to interpretation. In India, this ambiguity creates significant issues. The lack of precise definitions for national security permits broad interpretations that can erode freedoms and undermine fundamental rights, such as privacy and natural justice (due process). Such laws are intended to expand state control over digital communications, and enable the state to justify sweeping surveillance measures without sufficient safeguards, transparency, or accountability.
In May 2023, the Indian government banned 14 free and open source software (FOSS) messaging apps in Jammu and Kashmir, allegedly for facilitating terrorist activities due to their E2E encrypted features. These apps were banned under Section 69 of the IT Act. Briar, one of the blocked apps, contested the ban, arguing that the ban was executed without prior notice to the apps and that the move violated the principle of natural justice by not allowing apps to challenge the ban. The Delhi High Court ruled against Briar and upheld the government’s decision, citing that principles of natural justice could be bypassed in “national security matters.”
The ban and the ruling of the court raise critical questions about the balance between security and individual privacy. Such moves are emblematic of the state’s concerted effort to expand control over digital communication, particularly targeting E2EE platforms and services designed to protect users’ privacy. The broader implication is the erosion of user privacy and the potential overreach of state power in the digital realm. In both scenarios, the state’s actions reflect a troubling trend of prioritizing control over digital communications at the expense of fundamental privacy rights.
Both the Telecom Act and IT Act effectively nullify the protections offered by E2EE, compromising the integrity and security of user data. Furthermore, such measures could deter the public from using digital communication platforms, fearing unwarranted surveillance. E2E encryption ensures that only the communicating users can read the messages, thereby safeguarding against unauthorized access. By demanding traceability and permitting the decryption of such messages, the state not only breaches the confidentiality of private communications but also sets a dangerous precedent for the erosion of digital privacy rights.
The post Encryption Under Siege in India: National Security & the Erosion of Digital Privacy appeared first on Internet Governance Project.
Source: Internet Governance Forum