“Encryption safeguards the personal security of billions of people and the national security of countries around the world.” The opening statement on the About page of the Global Encryption Coalition (GEC), which consists of 180 members from civil society organisations, companies, and individuals, captures the essence of encryption. Once considered a wartime necessity, encryption has steadily become the technological backbone for secure online communications, digital privacy, and protection of nationally critical information infrastructure (CII). Indeed, it is crucial to protect data at a time when data breaches are only increasing. For instance, the Indian Computer Emergency Response Team (CERT-In), a nodal executive agency that monitors cyber security incidents in India, has reported a steady increase in data breaches since 2017, in a response to a question in the Rajya Sabha. Section 70 of the Information Technology Act, 2000 (IT Act) defines CII as a “computer resource, the incapacitation or destruction of which shall have a debilitating impact on national security, economy, public health or safety”.
Previously, the Union Government has notified the Unique Identification Authority of India-related facilities, assets, and infrastructure as CII. Once declared as a ‘protected system’ under section 70, any unauthorised persons accessing these resources may be jailed for up to 10 years, and fined. Nonetheless, vulnerabilities are often exploited by malicious actors. For instance, in June 2021, a personal data breach of millions of public distribution system (PDS) beneficiaries in Tamil Nadu, including Aadhaar details, was reported, after an online vendor claimed access to nearly 2 terabytes of PDS data on a hacker’s platform and demanded a payment of USD 1,950 in cryptocurrency for handing over the decryption code. Governments and law enforcement agencies (LEAs) are also increasingly undermining encryption to tackle crimes and criminal communications. This includes the ‘going dark’ challenge wherein, with strong encryption protecting all kinds of data, criminals use online communications channels to hide their plans and activities. In such cases, LEAs struggle to read investigation-related information and actively oppose encryption.
Further, since 2019, India is part of an international working group to deal with criminals online which states: “According to the participants, encryption is designed with no means of lawful access; it allows terrorists, drug dealers, child molesters, fraudsters, and other criminals to hide incriminating evidence.” Governments are trying to undermine encryption due to this issue through legislation, such as by introducing stipulations that erode strong end-to-end encryption deployed by many tech companies to protect consumer privacy and the integrity of personal communications. This includes tracing the first originator of messages on the instant messaging freeware service Whatsapp. Since there is no way of knowing who may be subject to investigations, companies are required to store all communications to ascertain who said what, and when they are required to do so. In India, on January 25, 2020, a Rajya Sabha Ad-hoc Committee “to study the alarming issue of pornography on social media and its effects on children and society as a whole”, had submitted that the Information Technology (Intermediaries guidelines) Rules, 2011 should be modified to enable tracing of the originator of child sexual abuse-related messages shared on end-to-end encryption platforms. Hasty legislation that rubber stamp government snooping en masse harken to a new era of surveillance. While judicial intervention and opposition by civil society have helped curtail some surveillance activities, strong laws that protect encryption and curtail the overbroad powers of LEAs are the need of the hour.
Related Posts:
