On Tuesday, June 1, 2021, The Dialogue, a Delhi-based technology policy think tank, released its Expert Stakeholder Consultation Report on the Indian Encryption Debate. This report is based on the three expert stakeholder consultations hosted by The Dialogue from October 2019 to February 2021, held in partnership with NULLCON, Asia’s leading information security conference.
The recommendations are as follows:
- A mandate for backdoors to encryption or originator traceability does not fulfill the Puttaswamy test in the Right to Privacy judgement and should be revisited.
- The originator traceability mandate would result in practical complications for the industry, become an obstacle to small businesses and innovation, and the consequent product will be difficult to sell in the international market. It also undermines privacy of Indians.
- Increased awareness is needed on the importance of cybersecurity and the role of encryption within the same.
- Increased investment in technology will encourage R&D and indigenise the technology.
- Clarity in policies dealing with cybersecurity is essential to adhere to principles of transparency and accountability.
- High end encryption is only the first step in tackling cyber-crime and therefore, the discussion cannot be limited and must go further.
- The timelines for implementation of the IT Rules, 2021 should be extended and technical experts should be consulted to address the challenges involved and recommend the way forward.
The consultations hosted a wide array of experts from academia, civil society, law enforcement, law, and technology.
Dr. Gulshan Rai, the Former National Cyber Security Coordinator, who wrote the foreword of the report noted,
“There exists a legitimate state interest in seeking access to data for law enforcement purposes. The balance between privacy and national security is not bereft of technological or operational solutions. While aiming to achieve them it is crucial that none of the key stakeholders take an extremist position where we end up compromising security and privacy of Indians.”
Among veterans from law enforcement agencies who participated, Mr. Yashovardhan Azad, who served as the Special Director at the Intelligence Bureau and Secretary (Security), Government of India explained,
“The State may have reasons in the legitimate interest of national security to seek access to information. A blanket measure to seek access which renders the entire platform susceptible to attacks by hostile actors must not be relied on. Implementing such a measure will not only compromise user privacy but also national security. The State must assess the technical feasibility of the measures it directs the platforms to implement to effectuate exceptional access while also ensuring that the measure does not fail on the anvil of the Puttaswamy test.”
Describing end-to-end encryption as a non-negotiable Dr. Aruna Sharma, Former Secretary of the Ministry of Communications and Information Technology pointed out,
“There is technical dichotomy between end to end encryption and that of tracing the originator for a message as the new rule states as a mandatory requirement.”
Explaining the challenges around overarching mandates like backdoor access to encrypted chats for the exceptional use by the law enforcement agencies, Cyber Security Professional Mr. Anand Venkatnarayanan explained,
“Most hacks and attacks are done by disabling the encryption or working around the same. In today’s time, hackers understand that fooling people is far more easier than breaking encryption so they workaround the same through fake OTPs and other parallel systems to gain access to encrypted devices. If the objective of the Government is to stop these attacks, it is possible through targeted attacks and interceptions and there is no real need for a blanket policy of a backdoor that affects everyone instead of just the offender. A policy cannot be about making 99% of the population safe from the 1% by making all 100% of them unsafe”
The report based on the expert stakeholder consultations seeks to shed light on the crucial aspects of the Indian encryption debate. This is even more relevant given the promulgation of the IT Rules of 2021 which may end up undermining end-to-end encryption owing to its originator traceability mandate. The experts had agreed that the way forward must be consultative keeping the privacy and security of the users in mind.