Encryptions and Privacy: Two Faces of the Same Coin
From the Snowden leaks in 2013 to the more contemporary revelations of the use of Pegasus Spyware by nation-states globally, there now exist well-justified suspicions and concerns of privacy invasions by governments across the world. The fact that these very same governments herald encryption as a great hindrance against Law Enforcement Agencies (“LEAs”), and advance arguments for sacrificing encryption on the altar of national security does not help. This sacrifice comes at the all too steep price of weakening the common man’s right to privacy, as encryption in the digital age is synonymous with privacy and security. Without it, data is open to attack and is virtually defenseless in the face of malicious actors, both state and non-state. Moreover, the effectiveness of this sacrifice has yet to be proved, causing the debate between “privacy vs. security” to rage on. Hence, this article delves into encryption’s significance and its relationship with privacy. Further, the possibility of a constitutional right to encryption in India will be examined, in the context of the right to privacy and the landmark judgment of Justice K.S. Puttaswamy (Retd.) v. Union of India (“Puttaswamy”). This article also touches upon the ongoing (in)famous End-To-End encryption (“E2EE”) dispute and goes to its root by covering the “privacy/going dark vs. security/golden age for surveillance” debate. Finally, the article calls for exigently reforming Indian encryption laws by way of a National Encryption Policy, and for stronger encryption in order to protect privacy and to install safeguards against surveillance.
Encryption: Rise, Significance and Dynamics with Privacy
While encryption was initially employed in the 1970s mostly by security and government agencies, it started becoming commonplace with the advent of computer technology by the 1990s. The rise in electronic communications led to the need to ensure that these communications were secure and free from the influence of external forces. This need was fulfilled by way of encryption.
Encryption can be defined as the process of transforming plaintext data into an unintelligible form (ciphertext) such that the original data cannot be recovered without using an inverse decryption process (two-way encryption). It essentially refers to using codes as a means of disguising messages, in a way that only the intended receiver can decipher them, leading to integrity (ensures no tampering of data), confidentiality (ensures data is only accessible to participants of the conversation), authenticity (verifies that the source of data is trustworthy), privacy and security. Further, it also facilitates online privacy features such as sender and recipient anonymity, participation anonymity, and unlinkability.
Encryption usage has only increased in the digital age, and it now possesses a ubiquitous presence in our life. It is integral for safeguarding the privacy of an individual and allows them to control and protect their data. Some common examples of its application include online communications, ATMs, online transactions, web browsing, social media, etc. Even the United Nations Human Rights Council (UNHRC) noted that encryption provides for a “zone of privacy”, as it creates a domain of freedom and security.
While there have been significant developments in encryption-related matters since the 1990s in India, such as the Kargil War (1999), the RIM Blackberry Dispute (2008 – 2012), the National Encryption Policy (2015), the most significant is undoubtedly the landmark judgment of Puttaswamy in 2017. Not only was the judgment a watershed moment for privacy in India, it also had significant effects on India’s encryption legal scenario, which shall be the focus of the next section.
Encryption & Privacy in India: A Constitutional Right to Encryption?
In 2017, a nine-judge bench of the Supreme Court in the judgment of Puttaswamy (Retd.) v. Union of India unanimously ruled that the right to privacy is available to all citizens under Article 21 of the Indian Constitution. The question which may come to one’s mind in relation to encryption is whether Puttaswamy also laid a general constitutional right to encryption. The answer to this question is not straightforward. While no such right was explicitly laid down, the same may be reasonably inferred upon a close reading of the judgment, especially while noting the context and manner via which the right to privacy was framed.
Puttaswamy relied upon the Supreme Court of the USA’s concept of “reasonable expectation of privacy,” while relying on the landmark case of Katz v. the United States. In consonance with this notion, every citizen who uses services that deploy encryption possesses a certain reasonable expectation of privacy, which is to be maintained. Hence, the user reasonably expects that their data is inaccessible to both state and non-state actors, without their consent (keeping aside legislations that specifically facilitate data sharing such as the Personal Data Protection Bill, 2021 2019). The above can also be seen in Justice Chandrachud’s view in the Puttaswamy case wherein he stated that “the sphere of privacy stretches at one end to those intimate matters to which a reasonable expectation of privacy may attach”. Further supplementing this argument, it must be noted that Article 17 of the International Covenant on Civil and Political Rights, which mandates privacy in terms of communications, has also been favorably cited. The Covenant can be considered to hold some legal validity in India, as India is a signatory to it. According to the Vienna Convention, signing a treaty creates an obligation on the signatory, in good faith, to refrain from acts that would defeat the purposes of the treaty. Corresponding to the same, Article 51 of the Indian Constitution puts an obligation on the State to endeavor to respect international law and treaty obligations. Justice Chandrachud also delved into the fundamental aspects of the right to privacy, which consisted of both informational and communicational privacy, both of which are deeply interrelated with encryption. Encryption was discussed in a context that allows a citizen to control access to communications or perhaps have the ability to control the usage of information which has been conveyed to third parties. The same displays an active interest in not only protecting private information but also restricting access to it.
The Puttaswamy judgment imposes a negative obligation on violating individual privacy along with imposing a positive obligation on the state to protect its citizen’s privacy, by taking all required and necessary steps. This essentially means that the State must refrain from acting in any ways which violate individual privacy, and must further take steps to protect the privacy of the citizens. Moreover, the judgment recognized the conduct of both state and non-state actors as potential threats to citizens’ privacy. The judgment in its conclusion also noted that it is not exhaustive in terms of entitlements and interests under the right to privacy, leaving scope for the inclusion of the right to encryption.
To answer our initial question, while the right to encryption has not been explicitly noted in the Puttaswamy judgment, the same may be reasonably inferred from it. Privacy and encryption rights can be considered to be different faces of the same coin. A citizen’s right to privacy is essentially only applicable to the extent of a country’s legal capacity to indulge in surveillance, i.e. if the state’s surveillance powers are too vast and are also legally sanctioned, then the citizen’s right to privacy may be at risk. Hence, weakening of encryption might lead to a violation of the right to privacy, and would have to meet the three-pronged test of Legality; Legitimate State Aim; and Proportionality which was laid down in the Puttaswamy judgment. The three-pronged test is used to determine whether there is an encroachment on the right to life or personal liberty. The same test will also be applicable to any invasion of the right to privacy, by virtue of it being a subset of the right to life.
Thus, it is only constitutionally correct that the three-pronged test is used to determine the validity of the contentious traceability provision in the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“IT Rules”), which has led to the End-to-End encryption dispute and is a classic example of the infamous “going dark vs. golden age of surveillance” debate.
E2EE & the “Going Dark vs. Golden Age for Surveillance” Debate
As established in the previous sections, encryption is a necessity for the existence of privacy. However, in February 2021, Indian lawmakers, via Rule 4(2) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, introduced a traceability provision, which requires the tracing of the first originator of a message. This indirectly requires the breaking of E2EE, an encryption technique deployed by numerous major entities. WhatsApp is one of these entities, and hence it has challenged the traceability provision in the Delhi High Court on the grounds of failing Puttaswamy’s three-pronged test.
E2EE must be broken for enforcing the traceability mandate due to its unique aspect of only allowing the sender and receiver to have access to the encrypted message. It even hides the content of the messages from the company that has applied it to its platform, automatically eliminating any scope for a 3rd party (state/non-state) to access the message. However, it is precisely this virtue of E2EE and encryption in general which makes it a huge obstacle for law enforcement agencies (LEA).
Popularly known as “going dark”, it refers to LEA’s dilemma of losing the technological capacity to exercise surveillance and conduct investigations. According to them, the use of strong encryption by modern technologies inhibits their ability to prevent and conduct investigations on crimes such as terrorism, child pornography, etc. In fact, it is on this very basis that an Ad Hoc Committee of the Rajya Sabha recommended breaking E2EE in India. Hence, while on one hand encryption leads to the strengthening of citizens’ privacy; on the other hand, it also leads to obstructing LEA’s investigations. It is due to these contradictory effects that encryption is often called a “double-edged” sword. The “going dark” argument aims to create a compelling image of LEAs being blind, a state which would be detrimental to society as a whole. However, on the other side of the spectrum, there exists a contrary view, in the form of the “golden age for surveillance” argument.
It is argued that instead of living in a state of darkness, we live in a golden age of surveillance. This chain of thought is supported by the fact that we live in an era where digital access is higher than ever. With 1.18 billion mobile connections, 700 million internet users, and 600 million mobile phones, which are rising by 25 million every quarter just in India, we are consuming and producing more data than ever. The digital trail left by this data can be utilized by LEAs via data analytics for combating crime, which is in contrast with the LEA’s claims of lacking the technological capacity to conduct surveillance and investigations. Moreover, E2EE is mostly employed by commercial service providers, which is something the targets of LEAs, i.e. terrorists, rarely rely upon due to general distrust of them. They usually possess far more sophisticated technology. Even if LEAs manage to break encryption, criminals would just switch to other services, making them even more difficult to track and trace.
There also exist several “workarounds” around encryption, which are often applied. In fact, it is via one of these workarounds (targeting the end device) that Pegasus, the infamous spyware, functions. It must be noted that the existence of “workarounds” might signal the failure of the proportionality standard in Puttaswamy, as the infringement of privacy must be “through the least restrictive alternative”. Breaking E2EE would not count as this, and would hence fail the proportionality test. Further supporting the needlessness of weakening encryption, even the United Nations, in a report on the promotion and protection of the right to freedom of opinion and expression, had aptly noted that governments have failed to prove that criminal use of encryption is “an insuperable barrier to law enforcement objectives”. Hence, it is more logical and constitutional to allow the existence of E2EE in WhatsApp’s services and other similar messaging applications. The matter is currently under trial in the Delhi High Court and seems to be far from concluding, as the current arguments are still on the maintainability of the petition i.e., on procedure instead of substance.
The “going dark vs. golden age of surveillance” debate echoes the “privacy vs. security” debate, and both share glaring similarities. It can be safely concluded that breaking of E2EE would not only fail to help LEA i.e. not help “security,” but will also further weaken the privacy and security of citizens i.e. endanger “privacy”. Hence, the same must not be done, and Rule 4(2) of the IT Rules should be struck down, as privacy should not be sacrificed in the larger context of the altered national security.
Conclusion & the Way Forward
The entire WhatsApp row serves as another reminder of the exigent need for a national encryption policy in India. Regulation of encryption is currently sector-specific, with the encryption laws of some sectors, such as the telecommunications sector, being extremely weak or obscure. There existed a 40-bit encryption ceiling until 2013 under the Internet Service Provider License. While the same was later dropped with Unified License’s introduction, there continues to exist ambiguity surrounding encryption limits in the telecommunications sector. On the other hand, some sectors enjoy stronger encryption, such as that of RBI, which mandates banks to deploy a minimum of 128-bit encryption, for the sake of ensuring the security of financial transactions. The difference in encryption strength leads to the overall weakening of encryption in India (encryption in a connected system is only as strong as its weakest link), and adversely affects privacy. The importance of stronger encryption lengths cannot be overemphasized. Scientists as far back as 1996 noted that a 40-bit encryption system (India’s encryption ceiling till 2013) could be cracked in merely five hours, at the measly cost of $400. Breaking the same in 2022 is child’s play, and can even be done by just relying on a modern computer. On the other hand, breaking 128-bit encryption would take even a supercomputer around “one billion billion years”, making it the international government and commercial standard.
Hence, India’s encryption inequality and diversification must be addressed, and encryption needs to be unified and strong for ensuring security and privacy for all. The government in 2015 did release the draft of the National Encryption Policy, 2015; however, due to being extremely controversial, it was withdrawn within 2 days. Furthermore, a Committee headed by Justice Srikrishna on the initial draft of the Personal Data Protection Bill, 2018 also noted that the current low encryption standards pose a threat to the privacy and data of citizens. Keeping in mind the learnings from the past, the above evidence, and the arguments posed earlier, India must adopt a pro-encryption view for the future. It is only this way that privacy in the digital era can be securely maintained, and protection against surveillance is guaranteed to an extent. It would not be an overstatement to refer to encryption as the common man’s best friend in protecting his privacy in the new digital surveillance age.
This article has been authored by Kabir Singh, Student at O. P. Jindal Global University, Sonipat. This blog is a part of RSRR’s Blog Series on the Right to Privacy and the Legality of Surveillance, in collaboration with the Centre for Internet & Society.