Recognising the need to bring all stakeholders to the table, Observer Research Foundation organised a series of roundtables to discuss the various facets of a future encryption law in India.
On 17 December 2016, in collaboration with The Centre for Internet & Society (CIS) and Takshashila Institution, ORF convened the second multistakeholder consultation on encryption in Bengaluru. The first discussion was held in Delhi on 12 August 2016. The roundtable was held in Bengaluru to engage the city's technical community, comprising government, members from the IT sector, representatives from Internet companies and academia.
The debate around law enforcement access to encrypted data which has gathered steam over the past year across jurisdictions is largely portrayed as a false binary. It is either "privacy versus national security" or "technology companies versus LEAs." Ever since strong default encryption has become the norm over communication applications and devices, law enforcement agencies have struggled to obtain data even when due process is followed. The sides are thus neatly drawn — if one supports LEAs' need to obtain data when they have lawful authority, one would stand for weakening of encryption standards both over data in motion and data at rest.
As the Indian government rushes to meet the challenge of communications and information "going dark", any response that is not an outcome of careful, scientific discussion will be a costly one, socially and economically.
Draft rules on digital payments
The Indian government's response in dealing with the encryption problem has been proactive. MeitY (Ministry of Electronics and Information Technology) attracted a lot of criticism following the publication of the draft national encryption policy (NEP) in 2015, however, the Ministry was quick to withdraw the regulations and was open to inputs from various stakeholders. It is evident that the Indian government is serious about cybersecurity concerns and the role of encryption in preserving it from the recent draft rules on security of prepaid payment instruments (PPI). The draft rules stipulate that every PPI issuer
(think Paytm) will have to deploy end-to-end encryption over their applications to safeguard data exchanged which could include personal, financial and authentication data.
The draft rules stipulate that every PPI issuer (think Paytm) will have to deploy end-to-end encryption over their applications to safeguard data exchanged which could include personal, financial and authentication data.
The encryption provision in the draft rules on PPI is the first instance of MeitY publicly recommending end-to-end encryption. MeitY is acknowledging the importance of protecting integrity of data and the requirement of strongest encryption standards in securing user information. One can remain optimistic that the ministry in future would want to walk the talk with other intermediaries like internet service providers and messaging applications. The crucial distinction however with communication platforms and service providers is the apparent usefulness of content over these applications in furthering criminal investigations.
India's obstacles
Apart from the difficulty of fulfilling privacy and security needs of various stakeholders, India's path to solving the encryption problem is unique for two reasons.
First, the lack of or inadequate laws governing data protection and retention in India renders an encryption policy potentially premature. The strength of the encryption employed by an intermediary determines the control that it has over its users' data, what it can retain and in turn what LEAs can access.
Encryption further secures identity and information or data online which forms the backbone of the Internet economy.
Several pertinent policies are uncertain with MeitY setting up a committee to draft data retention rules and the Minister of Electronics and IT, Ravi Shankar Prasad, even calling for an overhaul of the Information Technology Act. The DOT (Department of Telecommunications) is also said to look at enforcing encryption standards for M2M/IoT technologies, as stated in the National Telecom M2M Roadmap released in 2015. Stakeholders at the Bangalore discussion agreed that these parallel policymaking processes urgently need to be reconciled and that the encryption debate cannot continue to be viewed as an isolated one, lacking in foresight.
The second obstacle that India faces as a significant user of US applications and services is in implementing an encryption policy that adequately addresses the complexity of regulating foreign companies. Stakeholders pointed out that when existing mechanisms of governments retrieving data from foreign intermediaries are broken — they cannot be fixed through an encryption policy — no less.
Apparent during the stakeholder discussion at Bengaluru was the need to build trust and transparency between government, technology companies and the public. Discussants demanded more clarity on government acquisition of security exploits. Some also raised the the issue of the perceived utility of metadata as a replacement for encrypted content during investigations and as evidence before a court of law. They agreed that the government mustn't hastily draft a law on encryption when concerns and capabilities of all stakeholders are not fully understood and parallel policies are yet to be formulated.
Key takeaways
Government needs to clarify the policy objective behind drafting an encryption law.
Stakeholders at the Bengaluru roundtable expressed concern about the purpose that the government is seeking to achieve through the implementation of a future national encryption policy. With decryption mandates already set out in the IT Act of 2008, discussants pointed out that the government needs to clarify its objective behind drafting an encryption law. It is unclear whether interception provisions as currently provided in the IT Act would be revisited or not.
Participants at the discussion were quick to point out that an NEP would serve as an unsuccessful tool for the government to regulate the Dark Web. Stakeholders agreed that mandating licensing of encryption service providers and setting key lengths under the NEP would be fruitless as easy alternatives such as the Dark Web would continue to exist in the market. Discussants could not help but conclude that the purpose behind the NEP could likely be that of regulating only those applications that enjoy large user bases.
Mandating licensing of encryption service providers and setting key lengths under the NEP would be fruitless as easy alternatives such as the Dark Web would continue to exist in the market.
Another concern brought out during the Bengaluru consultation was the need to harmonise existing regulations when drafting a new encryption law. Stakeholders agreed that the ban on bulk encryption, as found in the Unified License currently needs to be revisited.
Parallel policy-making processes complementary to encryption need to be reconciled.
Stakeholders shared the concern that a law regulating encryption in India may be premature. The draft NEP in 2015 imposed obligations on intermediaries addressing data disclosure, data retention and decryption mandates. Existing regulations under the IT Act already regulate these practices of intermediaries in some manner. Further, all these regulations that are complementary to an encryption policy in India are subject to be reviewed by the government. In 2016, the MeitY set up a committee to draft data retention rules and the Minister of Electronics and IT, Ravi Shankar Prasad, had called for an overhaul of the IT Act. The stakeholders were of overwhelming consensus that an encryption policy cannot be addressed independent of other regulations and that all these parallel policy-making processes will need to be reconciled.
Additionally stakeholders were of the view that while drafting the NEP, the government must consider the requirements for encryption for M2M/IoT technologies. For instance, experts are currently of the view that deploying high encryption over IoT devices may be a challenge. To ensure that the NEP does not lack in foresight, it is crucial that the impact of impending technologies are taken into account.
Mandating licensing of encryption service providers impractical and costly for innovation.
There was consensus amongst stakeholders that mandating licensing of encryption service providers will add to compliance costs for companies. This would be costly for innovation as startups are likely to find mandatory licensing an expensive process. Participants pointed out that licensing does little to assuage government's concerns as long as alternatives are available in the market. A voluntary registration mechanism was suggested as an alternative though details of the same were not discussed.
Imposing encryption standards on all communications not necessary to serve national security interests.
Stakeholders agreed on the significance of encryption in maintaining security of the digital ecosystem. It was not disputed that high encryption standards are vital to the security of digital ecosystems in India. In particular, participants pointed out that government agencies must be mandated to deploy high encryption standards over their communications. To that extent, all discussants agreed that a future NEP must necessarily impose appropriate encryption measures or minimum key lengths for G2G communications to safeguard data in motion and in rest.
In addition to G2G communications, participants observed that minimum key lengths should also be imposed on sectors identified as Critical Information Infrastructure (CII). Many stakeholders were of the view that citizen to citizen communications (C2C) should not be regulated by the government through the prescription of either maximum or minimum key lengths. They were of the opinion that service providers must be able to test and adopt encryption standards as they please, as different industries have varying requirements. Some participants suggested that a self-regulatory mechanism for encryption standards can be established for providers involved in C2C communications though details of how this mechanism would look were left unaddressed.
Steps ahead
A study needs to be carried out, some participants argued, to understand whether metadata is a fitting alternative to encrypted content during investigations and in court.
Other concerns raised included the demand for a separate policy dealing with government and intelligence agencies' acquisition of exploits and a timeline for the drafting of NEP. A study needs to be carried out, some participants argued, to understand whether metadata is a fitting alternative to encrypted content during investigations and in court. Further, some wondered if "targeted hacking" as a substitute to building backdoors could be examined.
Endnotes
Under S. 2(n) of the draft rules, "pre-paid payment instrument" has been defined as:
"
ayment instrument that facilitates purchase of goods and services, including funds transfer, against the value stored on such instruments. The value stored on such instruments represents the value paid for by the holders by cash, by debit to a bank account, or by credit card. The pre-paid instruments can be issued as smart cards, magnetic stripe cards, internet accounts, internet wallets, mobile accounts, mobile wallets, paper vouchers and any such instrument which can be used to access the pre-paid amount."
"Issuer” has been defined as:
" person operating a payment system issuing pre-paid payment instruments to individuals/organisations under authorisation from the RBI under the Payment and Settlement Systems Act 2007."
S.11 of the draft rules states:
"Every e-PPI issuer shall ensure that end-to-end encryption is applied to safeguard the data exchanged, in accordance with the standards as may be prescribed by the Central Government under Rule 17."
The author is a fellow at ORF.
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.