1. Introduction Encryption technology has popularly been used for varied purposes including secure communication. This allows for individuals to communicate amongst each other without anyone else being able to monitor the content of such conversations. This, thus, keeps such conversations even outside the purview of Law Enforcement Agencies ('LEAs'). This preserves the privacy...
1. Introduction
Encryption technology has popularly been used for varied purposes including secure communication. This allows for individuals to communicate amongst each other without anyone else being able to monitor the content of such conversations. This, thus, keeps such conversations even outside the purview of Law Enforcement Agencies ('LEAs'). This preserves the privacy of the users and allows them to safely communicate without any threats of surveillance. However, this aspect of encryption technologies has also led to States, including India, seeking the introduction of 'backdoors' to this technology, particularly citing concerns of misinformation, child pornography, and national security. In the year 2020 itself, encryption has faced multiple challenges across the globe. They include the proposal of an Act to mandate encryption backdoors in the United States, opposition to the proposal from Facebook to introduce encryption in its Messenger service, and blocking of ProtonMail in Russia owing to concerns of misinformation. In India specifically, an ad hoc Rajya Sabha committee recommended undermining of encryption to fight child pornography, and the Indian government jointly signed a statement with six other States arguing safety risks of end-to-end encryption.
In this debate, a particularly interesting feature that has influenced the discussions on encryption in India is the proposal to mandate traceability of messages sent on social media platforms. It is this proposal that we seek to analyze in this paper in the context of the right to privacy that has been recently accorded the status of a fundamental right in India. Accordingly, in the second section, we lay down the contours of the right to privacy and the test laid down by the Supreme Court in the Puttaswamy decision to determine its infringement. Then in the third section, we look at the encryption debate as it has developed in the Indian context. In the fourth section, we carry out the substantive analysis of the traceability proposal on the Puttaswamy test and argue that it does not satisfy the same. Finally, in conclusion, we briefly touch upon some of the alternatives to encryption backdoors that are currently in practice.
2. Privacy as a Fundamental Right: The Puttaswamy Test
The question of whether privacy is a fundamental right first arose in 2015 before a three-judge bench of the Supreme Court. The Court was assessing the constitutional validity of the Aadhar ecosystem. Therein the learned Attorney General had argued that Part III of the Indian Constitution does not accord the right to privacy the status of a fundamental right despite case law to that effect, as larger benches of the Apex Court in M P Sharma 1954 SCR 1077 (8 judge bench) and Kharak Singh 1964 SCR 332 (6 judge bench) have ruled otherwise. Thereafter, the three-judge bench referred the matter to a five-judge bench to ensure "institutional integrity and judicial discipline". Ultimately, the five-judge bench referred the constitutional question to an even larger bench of nine judges to pronounce authoritatively on the status of the right to privacy. This culminated in the decision in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) 10 SCC 1.
The operative part of the judgment in Puttaswamy over-ruled the decisions in M P Sharma and Kharak Singh to the extent that they held the right to privacy was not protected by the Constitution. The nine-judge bench ruled that 'right to privacy' is an intrinsic part of right to life. Accordingly, it further held that the body of case law that developed subsequent to Kharak Singh, recognizing the right to privacy, enunciated the correct position of law.
As the Puttaswamy decision rooted the right to privacy in Article 21 of the Constitution it can only be taken away through procedure established by law. The Supreme Court has already clarified in the Maneka Gandhi v. Union of India (1978) 1 SCC 248 decision that this procedure has to be just, fair and reasonable. How does 'due procedure' among other standards of 'judicial review' will operate in cases where the state restricts the fundamental right to privacy, has also been explained in the Puttaswamy case through a four-fold test created on the basis of the observations made by Justices Chandrachud and Kaul. The four elements of the test are as follows:
(i). Legitimate Aim stage: The court is required to check if there's a legitimate aim to infringe upon the right to privacy.
(ii). Suitability or rational nexus stage: This requires the court to examine if there is a rational connection between the infringement of the right and the purpose of the restriction. In other words, it has to be seen whether the measure is suitable for achieving the purpose of the restriction.
(iii). Necessity stage: This is to test if there is a less restrictive or equally effective alternative means of achieving the goal in terms of restrictions on the right.
(iv). Balancing stage: Herein, the benefit that the State gains by restricting the right has to be balanced with the impact of loss of the right.
If any restriction fails to satisfy the above four-pronged test, then it would amount to a violation of Article 21.
3. The Indian Encryption Debate
The Indian encryption debate has been moulded on the anvil of the Indian Telegraph Act. Section 5 of the Indian Telegraph Act empowers the government to lawfully intercept and monitor communication. Additionally, Section 84A of the Information Technology Act, 2000, ("IT Act, 2000") was introduced through an amendment in 2008. It allowed the government to prescribe modes and methods for encryption to ensure secure use of the electronic medium and promote e-governance and e-commerce. Following a more prescriptive mandate of regulation, Section 69 of the IT Act, 2000, allowed the Central and State governments to monitor and collect information through any computer resource for cybersecurity. This is supplemented with the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009. Its Rule 9 provides that an order for decryption could relate to any information sent to or from a 'person or class of persons' or relate to 'any subject matter'.
With the growing challenge of the proliferation of Child Sexual Abuse Material ('CSAM') online, several countries including India have been growing apprehensive about the increase in encryption technology making it difficult to trace pornographic content and catch CSAM criminals. It was in this atmosphere that the National Encryption Policy was formulated in 2015. Critics opined that it was more of a 'decryption' policy because it only allowed platforms to function if they complied with the mandatory regulatory mechanism. The policy was said to simply secure government access to encrypted data, rather than securing user data. The Draft Intermediary Guidelines of 2018 further rekindled this debate by proposing to mandate intermediaries to introduce traceability on their platforms.
The new IT rules were finally notified by the Government on 25th February 2021 by notifying the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ("IT Rules, 2021") . In a bid to enforce traceability Rule 4(2) of the IT Rules 2021 lists out all the exceptions mentioned in Article 19 (2) of the Constitution. This is despite the extant criticism of the similar provision in the Draft IT Rules of 2018 from stakeholders across the ecosystem.
The proposal to mandate traceability seeks to ensure that platforms introduce technological updates to ensure that the original sender of a particular message could be traced. While some argue that this could be carried out without undermining the end-to-end encryption that WhatsApp provides, the common opinion is that it is not technologically possible to introduce traceability without undermining encryption. Admittedly, the Supreme Court in the Puttaswamy judgment explained that the Government's access to personal data for legitimate national security concerns is a reasonable restriction on right to privacy. However, the Apex Court also reiterated that such exceptions must be narrowly tailored and must meet the four-fold test prescribed in the decision, as discussed earlier. Accordingly, in the next section we shall analyze whether the traceability requirement satisfies this four-pronged test.
4. Examining Traceability on the Touchstone of Puttaswamy
- Legitimate Aim of the State in a Democratic Society
With specific reference to backdoors on encryption, and legitimizing it based on the concerns of terrorism and prevention of crimes, the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression has stated that governments have not demonstrated that criminal or terrorist use of encryption serves as an insuperable barrier to law enforcement objectives.
Moreover, it has been noted by the UN Special Rapporteur on Freedom of Expression, Frank LaRue that it is a matter of concern that vague and unspecified notions of national security, have been unduly used to justify interception and access to communications. The use of an amorphous concept of national security to justify invasive limitations on the enjoyment of human rights is of serious concern enjoyment. It is broadly defined and is thus vulnerable to manipulation by the State as a means of justifying actions that target vulnerable groups such as human rights defenders, activists, whistle blowers etc.
Accordingly, in Canada and the US, the tests of "pressing and substantial objective" and "compelling government interest" respectively have been disregarded as they are insufficiently rigorous.
In Klass and Ors v. Germany (1979) 2 EHRR 214, the European Court of Human Rights took note of the development of sophisticated forms of espionage and terrorism and ruled national security concerns are justified, only under exceptional circumstances. Given that undermining encryption is not possible on a case-to -case basis but is done en masse, the legitimacy of this action is in question.
- Suitability of the measure or rational nexus between the infringement of the right and the purpose for the restriction
The purpose of introducing traceability as given by LEAs is that it would enable them to catch cyber criminals. However, the suitability of this measure to achieve the said objective is contestable given that studies suggest that creating backdoors does not stop criminals from using encryption. In fact, it makes it more difficult for the police to catch them. Encryption is a tool which is available online for anyone to download and use even if the government bans it. The knowledge required for building encrypted platforms is readily available in the public domain. Criminals already know how to write their own encryption codes. If a vulnerability or backdoor is created on popular encrypted platforms for the LEAs to use to track perpetrators then the savvy criminals will simply shift to another platform, possibly their own platform which is well encrypted.
Websites like GitHub are a storehouse of open source software for creating encrypted platforms which can be used by non-state actors to develop their own encrypted platforms, the moment they get concerned about backdoors being introduced in popular messaging platforms. The Signal protocol which has one of the most enhanced end-to-end encrypted protocols with no known backdoors is also available on GitHub. Moreover, a software known as Mujahideen Secrets was developed by al-Qaeda way back in 2007 to encrypt their online communications. Likewise, following the Snowden leaks in 2013 on NSA surveillance, three different terrorist organisations including GIMF, The Al-Fajr Technical Committee, and ISIL, created their own unique encryption tools.
Recently, The Global Encryption Coalition released a non-technical paper explaining why undermining encryption is in fact not at all a solution to terrorism or CSAM proliferation in the cyberspace, and how undermining encryption would create more problems than it seeks to resolve. It is equally noteworthy that if encryption is broken then users will have no guarantees of their data being safe due to the lack of a robust data protection regime in India. In order to emphasize the need for such a regime, the case study of the Minnesota Database queries is important. In Minnesota, more than 62% police officials were reported to use the surveillance capabilities of the State to surveil over their ex-wives and ex-girlfriends is an apt example of this threat.
Hence, undermining encryption will only mean that the police, at best, will be able to catch the gullible and less technically adept criminals, while the smarter ones who are more dangerous perpetrators of the online vices will easily get away. Further, without adequate safeguards for data, it will indeed be a concerning issue for the citizens to trust institutions that collect and store their data.
- Necessity Stage:
In order to satisfy this test, the government will have to prove that there is no other less restrictive way for the government to get the data for tracking CSAM and catching its proliferators than to break end-to-end encryption. Some might argue that because there is no other way to get the information about who the originator of the content was, traceability may just meet the proportionality test. However, there are a plethora of studies which establish that in most cases access to 'content data' is not required and the availability of metadata is sufficient. Moreover, as the Europol's SIRIUS Digital Evidence Report explains, the tedious process of obtaining digital evidence via the Mutual Legal Assistance mechanism and the lack of standardization in company policies make it almost impossible to successfully process content data obtained from undermining encryption to achieve the desired result of tracking criminals. In any case, the justification and proof that the demand for traceability is indeed the least restrictive means available have to come from the State. This burden is something which the State has failed to meet till now.
On the other hand, UNICEF has recently released a report explaining how encryption is crucial to ensure online child safety. Even the TRAI after two years of extensive consultation with leading stakeholders in the ecosystem, analysis of international jurisprudence and the discussions at the International Telecommunications Union opined that the encryption technology should not be tinkered with. It was observed in its report that if the encryption technology is broken then the platforms will not be able to provide the same level of security to the users who will be rendered vulnerable to cyberattacks and surveillance.
- Balancing Stage
To meet this requirement, it needs to be proven that the balance between the right to privacy of the citizens and the government's argument of national security to introduce traceability lies in the latter's favour, allowing for the infringement of privacy. It is difficult to satisfy this test as privacy of the citizens is the foundational block of national security. The exercise to create this balance is rendered even more difficult in light of the fact that the argument of national security on the basis of which the LEAs try to justify the demand of backdoors is itself compromised due to weakened encryption. The Greek Watergate Scandal, popularly known as the "Athens Affair", where the political and military elites of Athens were spied using a vulnerability introduced for lawful interception, is a perfect evidence of this fact. Accordingly, the introduction of traceability will make the platforms vulnerable to foreign surveillance and attacks by savvy criminals which will in turn threaten user safety and the privacy, eventually leading to a national security crisis in itself rather than solving the existing one.
Compromising with encryption has ramifications for not just privacy of the citizens but also for the digital economy and critical information infrastructure of the nation. Online banking and e-commerce services can be rendered vulnerable due to weakened encryption leading to loss of consumer trust and harm to the competitiveness of the companies in the global market. High-end encryption technology protects not just users and businesses, but also Critical Information Infrastructures of the government like those of Aadhar and Aarogya Setu among others. In addition to these, undermining encryption will also have adverse effects for cross border data flow. Hence, the government's demand for traceability to combat online challenges can certainly not be balanced against the ramifications of backdoors on a country's socio-economic health in addition to its impact on the security and the fundamental right to privacy of the citizens.
- Summing Up
In light of the above arguments, it is difficult to justify the demand to introduce traceability on encrypted platforms on the threshold of the four-fold test proposed in the Puttaswamy judgment. The Puttaswamy case also requires a case-by-case analysis to determine whether the intrusion is valid. However, undermining encryption would render the whole population susceptible to cyber-vulnerabilities. Thus, a blanket creation of a backdoor, i.e., an exploit within a secure platform, that compromises the privacy of all would be worrisome, and is certain to fail the test of Puttaswamy.
This implies that there is a need to look at possible alternatives to remedy the problems that traceability seeks to resolve. A primary measure to this end should be strengthening LEA capabilities in metadata analysis which, as mentioned earlier, would enable them to carry out effective investigations. For misinformation in specific, a recent alternative that has been used is that of content moderation and the addition of filters regarding the veracity of the information by social media platforms such as Twitter. This solution, however, has also left a lot to be desired in implementing it on scale or tackling the existing COVID-19 pandemic that has impacted the already limited availability of content moderatorsViews are Personal