IT Rules and the Need for an Overarching Encryption Legislation in India

This is a guest blog.

Over the last few months, there has been significant debate and discussion around the IT Rules passed by the Central government. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, issued under Section 87(2) of the Information Technology Act, 2000, superseded the earlier Information Technology (Intermediary Guidelines) Rules 2011. The new set of rules have the potential to impact the end-to-end encryption techniques of social messaging applications like WhatsApp, Telegram, Signal, etc. In this context, what is broadly missing from many debates in mainstream media is the need for an overarching legislation for encryption in India.

Why is encryption a cause for concern?

India is in the midst of a digital boom right now, with approximately 53 crore people using WhatsApp, 41 crore using Facebook and 21 crore people using Instagram, as per the Government of India (GoI) data. Most of these platforms use some sort of encryption to protect communication between users.

Simply put, encryption is the process of coding a message being sent from user A to user B with a specific key, such that only sender A or receiver B would be able to view the actual message decoded by that same encryption key. Anyone else, including the platform, intercepting the message during transmission would only get an encrypted or unintelligible ciphered- version of the message. They would not get the actual message. This creates difficulties for law enforcement agencies in tracking exchange of potentially incriminating information between miscreants.

So, what has been India’s stance on encryption?

India does not have an all-encompassing legal framework for encryption, though certain sector-specific encryption mandates have been given by regulators like the RBI, SEBI, etc.

In 2015, the Government tried to bring a draft National Policy on Encryption which had to be withdrawn within two days after concerns were raised by stakeholders about its provisions being vague and ambiguous.

In 2019, the Personal Data Protection (PDP) Bill brought by the Government mentioned the use of encryption and de-identification between data fiduciaries (companies) and data principals (users) as a security safeguard mechanism in Section 24 (1) (a). The Bill has been extensively scrutinised by a Joint Parliamentary Committee over 72 meetings, and the report of the Committee has been laid on the floor of Parliament on 16 December, 2021.

Now, the new IT rules brought in by the GoI, mandate social media intermediaries to provide for identification of users who originated any instigatory message. This is problematic because this provision could potentially disband the existing end-to-end encryption model and infringe upon the privacy of individuals. This is because to identify the source/originator of any message deemed to be ‘problematic’, the company (like a WhatsApp) would have to assign some identifiers to every message sender. However, WhatsApp or nay such company cannot identify the sender in its present end-to-end encrypted model. Thus, the addition of ‘traceability’ would, in the opinion of experts, destroy the end-to-end encrypted model and also have a chilling effect on free speech.

When asked by the GoI to reveal the identity of originators of messages, Whatsapp specifically has, thus far, refused to do so on the grounds of preserving the sanctity of the end-to-end encryption model and customers’ privacy.

The need for a law on encryption

Encryption as a barrier to law enforcement agencies is a concern across the globe, with even the FBI in the United States getting into a legal battle with tech giant Apple over getting access to encrypted data on an accused’s i-phone. Australia already has a law on encryption, called The Assistance and Access Act 2018. The Act has provisions on the State agencies giving technical assistance requests/notices to internet companies, for decryption of data in the interest of national security or law enforcement. The US Senate in 2020 introduced its own encryption law called the Lawful Access to Encrypted Data Act, which is yet to be passed. In Europe too, the need for legislation on encryption is being debated intensely, though no law has been framed as yet.

In India, not only are we not talking about a law on encryption, instead, the Government is potentially dismantling the existing encryption framework through the new IT Rules. The problem with passing executive orders/rules to make such sweeping changes on critical issues is that it completely takes away the oversight powers of the Parliament.

A similar process to that in the case of the Data Protection Bill needs to be followed, which referred the Bill to a Joint Committee ensuring that it could be analysed in depth, clause by clause, and that the concerns and views of all stakeholders could be heard in order to refine the Bill. Such a process makes for stronger legislation and is a healthy democratic practice because all changes are effected through debate, discussion, and stakeholder consultation in front of the Committee. However, any such scrutiny of the IT Rules and their impact on encryption is not possible, because the Parliament has very little scope to debate and discuss the passage of subordinate legislation. Executive orders, rules, regulations, etc are law-making powers conferred by Parliament to the Executive and are collectively called subordinate legislation. These do not need the approval of Parliament before being passed, thus reducing the scope of debate and discussion for even consequential changes such as those brought about by the IT Rules.

Way forward

Firstly, breaking the setup of encryption opens up a whole new set of privacy concerns, with a huge potential for privacy violation of individual users and illegal surveillance of users chats by the State machineries. Secondly, diluting encryption does not necessarily stop the proliferation of instigatory material, it simply leads to proliferation of illegal encryption products or even communication via the Dark Web.

To have a regulatory policy for encryption, the regulator should be independent and sector agnostic, duly created by a law of Parliament, after having detailed stakeholder discussions, including with civil society organisations. In this regard, the PDP Bill already has a provision for a Data Protection Authority (DPA), as an overarching regulatory body to prevent misuse of personal data, ensure compliance with the provisions of the Bill and oversee the overall data protection framework in the country. The regulation of encryption could come under the ambit of the DPA too. However given the broad scope of work of the DPA, having a separate regulator exclusively for overseeing all encryption related issues would seem more effective.

On the question of threat to law and order (encrypted messages used to further terrorism, espionage, etc), the encryption regulator could have the power to make exceptions for a very narrow range of issues like national security, foreign relations etc. when the encryption might be broken to help the authorities identify the originator/perpetrator of the message.

However, this must not become a pass for the State to solicit blanket exemptions, and carry out mass and unwarranted surveillance on any and all users. Thus, the autonomy of the said regulator becomes of paramount importance. In this context, it is worth noting that the framer of the draft PDP Bill, Justice B S Srikrishna, criticised the final version of the Bill introduced by the GoI in Parliament for the alleged dilution of the autonomy of the DPA by reducing the scope of judicial oversight in its appointment.

Alternate methods to identify instigatory/harmful messages, like flagging messages getting forwarded several times or embedding search engine results/fact checks, could be explored to curb fake news. It is also important to understand that information literacy is the key to the solution rather than trying to penalise low-level perpetrators. The State needs to create awareness among the general public, especially among children at the school level, as well as among media professionals and public figures, about information veracity on the internet, reliability of sources, and the harmful effects of believing messages on social media without cross verifying.

Lastly, the Internet in its basic form is meant for free flow of information. Any sort of dilution of encryption only hampers this free flow and, hence, should be avoided. Ultimately, the only way to avoid unnecessary dilution by the State is to have a well-defined law, passed by Parliament after due deliberations, governing the entire framework of encryption.

All views are personal.

About the Authors

Soumyadeep Chatterjee

Soumyadeep Chatterjee is a policy researcher currently working in the Office of the Leader of Opposition in Rajya Sabha. He has been a LAMP Fellow with PRS Legislative Research for the year 2020-21 and before that he worked as a software developer in Cognizant Technology Solutions for two years. He completed his B.Tech in 2017 in Electronics and Communications Engineering. His areas of interest include tech policy, social justice and the broader impact of technological innovations on the marginalised sections of society.