The exponential growth in the adoption of digital technology, especially in the face of a global health crisis, has ramped up the security concerns in the digital ecosystem. While the use of e-commerce, e-wallets, and online banking has been extremely helpful, ensuring cybersecurity of such platforms to prevent cybercrimes and safeguard consumer privacy has become even more crucial in the current times.
The pandemic has also driven the demand for and use of technology interventions like never before. Contact tracing, virtual networks, remote data storage and similar tech tools are the new normal in almost all sectors including health, insurance, travel and hospitality, logistics, supply chain, and humanitarian activities.
At the core of such enabling technologies lies encryption. Encryption ensures that the underlying transaction or communication and its constituent personal data sets are secured and not susceptible to cyberattacks. It is not only an enabler of our fundamental right to privacy, anonymity and free speech but also a core facet of our national security.
Enabling a digital rights regime
Simply put, encryption garbles or encodes identifiable or decipherable data into ciphertext (gibberish), which can only be accessed, understood and used by the one possessing the decryption key. There are even more advanced versions of encryption like end-to-end encryption, wherein only the sender and receiver of the message have access to the decryption key, and the hosting or enabling platform (like a ‘Telegram’ or a ‘WhatsApp’) cannot access the chats.
With a catena of landmark judgements, the Supreme Court of India has guaranteed the protection of digital rights of the citizens. The right to informational privacy as an inalienable aspect of the fundamental right to privacy was envisaged in the Puttaswamy-I judgement (2017). This has been further entrenched by Clause 24 of the Personal Data Protection Bill, 2019, which encourages data fiduciaries to utilise encryption for ensuring user privacy, safety and data integrity.
In Vinit Kumar v. CBI (2019), the Bombay High Court relied on the principles laid down in Puttaswamy-I and opined that ‘unconstitutionally’ obtained evidence is not admissible in court, and ordered its ‘destruction’. Accordingly, any evidence obtained by law enforcement agencies in violation of the fundamental right to privacy (Article 21) or protection against self-incrimination (Article 20(3)) is inadmissible in courts, unless such evidence has been obtained for rare and exceptional circumstances that permit suspension or abrogation of fundamental rights, such as sovereignty and security. Even in such rare circumstances, due process of law that is substantively and procedurally reasonable must be followed.
The importance of encryption technology further intensifies when analysed in the context of vulnerable classes.
Journalists, human rights workers, whistle-blowers, the LGBTQ community, and women, among others who can be legally, socially, politically and morally prejudiced, should be enabled (rather empowered!) to rely on tech-enabled tools (specifically encryption) to live their digital and informational lives with dignity. This is a precursor to the exercise of the fundamental right to privacy, free speech and right to life for these classes and many more who are susceptible to discrimination and prejudice.
Data fiduciaries owe a duty of care to data principals for ensuring that they have adequate and reasonable technological measures that process data for specified purposes, bearing in mind the principle of data minimisation.
A necessary corollary of this is to implement access control measures. This cannot be achieved without encryption, and it becomes particularly critical where the fiduciary is processing sensitive data such as financial, health, and biometric data. Without such measures, it is only a matter of time before an individual’s data is breached or misused for unrelated purposes that could result in significant harm, including manipulation of choices in all walks of life (remember Cambridge Analytica!), discrimination, identity theft, and a public judgment.
Analysing the national security concerns
The other side of the coin is equally pertinent. The encryption used to exercise free speech and safeguard privacy also acts as a tool for proliferating child pornography, disseminating sexual offence and abuse-related content, spreading fake news, drug trafficking, targeting cyber terrorism, and coordinating extremist activities. And this is true for all technology, which if not deployed rightly, quickly turns into a vice.
The internet has a ‘dark web’ where all sorts of illegal transactions take place, and even a telephone designed for connecting people can be used to ‘blackmail’ or ‘threaten’. It is thus quite natural to take the stance that the state and its agencies have a legitimate interest in viewing encryption technology and its providers as well as users with suspicion.
However, it will be an extreme position should the state decide to nip encryption in the bud as a way of regulating it. This is an anomalous position as well because, truth be told, the encryption “genie” is out of the bottle, and increasingly used. High-end encryption protocols are available for the public to download for free. Where the government seeks to outlaw encryption, its implementation is likely to be ineffective as there cannot be a fool-proof mechanism to weed out encryption from the ecosystem. Resultantly, a regulatory vacuum will remain, where per se illegal encryption is widely used, unless caught.
Rather, it is more prudent not to strip the citizens of this gear that protects their privacy. If encryption is broken, then the security architecture of messaging, e-commerce, online banking platforms, virtual rooms, telemedicine, telehealth, and several other critical digital platforms is left susceptible, ready to be compromised, which will ultimately render citizens vulnerable to cybercrimes, espionage and other harms.
Additionally, empowering the law enforcement agencies to read the messages of the citizenry without consent and authorization under the law is an Orwellian idea that raises concerns of mass surveillance.
Let us consider some real instances to drive home the point. In Minnesota, 62% of police officials were found to utilise the surveillance capabilities of the state to spy on their ex-wives and ex-girlfriends. The American National Security Agency received widespread criticism when a report revealed that the agency conducted mass domestic surveillance and only managed to track wire transfers worth $8,500 in the name of curbing terrorism. In Athens, a vulnerability introduced for lawful interception ended up being exploited by non-state actors for surveilling the political and military elites of the nation.
Mass surveillance does not ensure quality intelligence. Instead, there is a need to overhaul the intelligence ecosystem and ramp up traditional surveillance capabilities. As a matter of fact, mass surveillance is a blatant breach of the Constitution, conducted without due process and devoid of checks and balances and judicial review. Shunning encryption will empower the broken system and further bolster it to immorally and illegally breach an individual’s right.
Often state agencies demand backdoor access through telecom providers and software intermediaries. This tendency has seen an increased preference for technologies such as end-to-end encryption that do not allow backdoor entry by design. In a way, they foster the principle of privacy by design, which is the cornerstone of a progressive and matured data protection regime.
Balancing national security and an individual’s privacy is at the centre of the debate. These interests are pitched against each other. The question is – which interest should prevail? While there are no clear answers, the discourse is increasingly tilted towards striking a fair deal that builds encryption capacities, and at the same time solves the “access problem” for law enforcement. Is such a solution possible? As policymakers and encryption advocates mull over the optimal solution, it can be concluded that the necessity, wide prevalence and increasing attractiveness of encryption clearly eliminate an extreme state security viewpoint, and encryption is here to stay.
In this environment, the recent decision by the Telecom Regulatory Authority of India (TRAI) to delay taking a hard stance on encryption for OTT platforms is commendable, considering they seem to have adopted an approach of waiting for global standards to develop. Balancing the two sides of this debate will form an important aspect of regulating encryption on a policy level in India, and while taking such policy and legislative decisions, the impact on sensitive sectors and evolving data processing regulations must be factored in.
However, irrespective of where one sides on this particular issue, the importance of encryption as a tool to protect the safety and privacy of individuals, companies, as well as nations cannot be overstated. As we move forward, it is clear that the world population is only going to get steadily more integrated into virtual spaces, and choose those that are safer and trustworthy, not just from cybercriminals, but also from a government that denies Constitutional rights and its safeguards.
Considering how the issue of the safety of data in online spaces continues to grow, it is important to acknowledge the integral role of encryption in helping ensure online safety and focus time and resources on developing its technical and regulatory capacity from a holistic perspective as opposed to an absolutist stand.
Kazim Rizvi and Arya Tripathi
Kazim Rizvi is a founder at The Dialogue and Arya Tripathi is a partner at PSA Legal. The views in this article are their own.