The opening statement on the ‘About page’ of the Global Encryption Coalition (‘GEC’), which consists of 180 members from among civil society organisations, companies and individuals, captures the essence of encryption: “Encryption safeguards the personal security of billions of people and the national security of countries around the world.”
Once considered a wartime necessity, encryption has steadily become the technological backbone for secure online communications, digital privacy and protection of national critical information infrastructure (‘CII’).
Indeed, it is crucial to protect data at a time when data breaches are only increasing. For instance, the Indian Computer Emergency Response Team (‘CERT-In’), a nodal executive agency which monitors cyber security incidents in India, has reported a steady increase in data breaches since 2017, in a response to a question in the Rajya Sabha.
Section 70 of the Information Technology Act, 2000 (‘IT Act’) defines CII as a “computer resource, the incapacitation or destruction of which shall have debilitating impact on national security, economy, public health or safety”.
Previously, the Union government notified the Unique Identification Authority of India-related facilities, assets and infrastructure as CII. Once a resource is declared a ‘protected system’ under section 70, any unauthorised person accessing it may be jailed for up to 10 years, and fined.
Nonetheless, vulnerabilities are often exploited by malicious actors. For instance, in June 2021, a personal data breach of millions of public distribution system (‘PDS’) beneficiaries in Tamil Nadu, including Aadhaar details, was reported, after an online vendor claimed access to nearly 2 terabytes of PDS data on a hacker’s platform and demanded a payment of $1,950 in cryptocurrency for handing over the decryption code.
Governments and law enforcement agencies (‘LEAs’) are also increasingly undermining encryption to tackle crimes and criminal communications.
This includes tracing the first originator of messages on instant messaging freeware service WhatsApp. Since there is no way of knowing who may be subject to investigations, companies are required to store all communications in order to ascertain who said what, when they are required to do so.
However, broad surveillance adversely impacts anonymity on the internet, access to strong encryption, the issue of traceability, and laws on identifying the first originator of a message.
In 2018, Australia enacted the Assistance and Access Act, to allow LEAs access to messages on platforms like WhatsApp and Facebook. It enforced conditions on tech companies and service providers to build surveillance capabilities, such as through push notifications that download malware to a target’s computer or phone.
It was modelled after the U.K.’s Investigatory Powers Act 2016 (‘UK Act’), called the “Snoopers Charter” by its critics. The UK Act contains mandatory, broad and secret decryption obligations for service providers.
It allows for the U.K. government to order telecommunication providers to remove any electronic protection measure. Thanks to a series of cases by civil society organisations Liberty and Privacy International, the U.K. High Court of Justice found that it is unlawful for British security services like the Security Service, the Secret Intelligence Service and the Government Communications Headquarters, to obtain an individual’s communications data from telecom providers without prior independent authorisation, while carrying out criminal investigations.
However, it still allows indiscriminate snooping on people irrespective of whether they are suspected of crimes, although this is being appealed. That the Australian law followed in the footsteps of the UK Act is hardly unique. A similar trajectory is noticeable with other countries.
In India, on January 25, 2020, a Rajya Sabha Ad-hoc Committee “to study the alarming issue of pornography on social media and its effects on children and society as a whole”, had submitted that the Information Technology (Intermediaries guidelines) Rules, 2011 should be modified to enable tracing of the originator of child sexual abuse-related messages shared on end-to-end encryption platforms.
Mandatory traceability requirements, often introduced through legislation, undermine encryption. They require communication and social media apps to always be able to identify the first originator of any message, just in case law enforcement requires it in the future.
In May 2021, in the matter of WhatsApp LLC versus Union of India (2021), WhatsApp moved the Delhi High Court against the Union government to halt the implementation of rules that mandate traceability, arguing that the requirements violated constitutionally guaranteed privacy protections. Notably, the government relied on similar moves by the governments of the U.K., the U.S., Australia, New Zealand, Canada and Brazil to justify its position.
According to WhatsApp: “In order to trace even one message, services would have to trace every message…That’s because there is no way to predict which message a government would want to investigate in the future. In doing so, a government that chooses to mandate traceability is effectively mandating a new form of mass surveillance. To comply, messaging services would have to keep giant databases of every message you send, or add a permanent identity stamp — like a fingerprint — to private messages with friends, family, colleagues, doctors, and businesses.”
Consequently, India’s latest Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (‘IT Rules’) require large social media platforms to identify and disclose the “first originator” of a message pertaining to an “offence related to the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, or of incitement to an offence relating to the above or in relation with rape, sexually explicit material or child sexual abuse material”.
These terms are overbroad, and the same arguments have been used to deny the rights of vulnerable communities. For instance, national security is an ambiguous term that is often used by the Union government to repel courts from hearing human rights cases.
This includes the prolonged suspension of internet in Jammu and Kashmir that impacted religious minorities (which came up in the Supreme Court matters of Anuradha Bhasin versus Union of India (2020) and Foundation for Media Professionals versus Union Territory of Jammu (2020)); and again the Pegasus spyware case, wherein the government allegedly used foreign mass surveillance technologies to infiltrate the phones of human rights defenders and political dissidents (which came up before the Supreme Court in Manohar Lal Sharma versus Union of India).
The latest attempt at introducing broad surveillance powers in the name of national security comes in the form of the Indian Telecommunication Bill, 2022 (‘the Bill’) which was released for public consultation by the Department of Telecommunications, Union Ministry of Communications in July. Stakeholder comments are invited till October 20.
The Bill seeks to provide a comprehensive telecommunications legal framework by replacing the existing Indian Telegraph Act, 1885, the Wireless Telegraphy Act, 1933 and the Telegraph Wires (Unlawful Possession) Act, 1950.
The Union government has broad discretion under the Bill, which allows for interception and tracking during public safety and public emergency situations, and for national security, which may lead to an unfettered exercise of power, threatening the creation of a surveillance State.
Similar stipulations have threatened virtual private networks (‘VPN’). In April, CERT-In issued directions that mandate cloud service providers and cryptocurrency exchanges to log user data for five years, including user names, addresses, contact numbers, period of subscription, email and Internet Protocol addresses, and the purpose of using their services. The provisions are not applicable to corporate and enterprise VPNs.
With 63 per cent of all people in the world being online following lockdowns related to COVID-19, according to the International Telecommunication Union, and nearly half of India’s population going digital, as per a report by the Internet and Mobile Association of India, the total number of people who may be surveilled through legislation is unprecedented.
Hasty legislation that rubber-stamps government snooping en masse heralds a new era of surveillance. While judicial intervention and opposition by civil society have helped curtail some surveillance activities, strong laws that protect encryption and curtail overbroad powers of LEAs are the need of the hour.
Until then, much like how LEAs are armed to collect more information than strictly necessary, it is important for human rights defenders and ordinary citizens alike, to arm themselves with the knowledge of the extent of online surveillance.