The conundrum of Encryption: Emergence of Anti-Encryption Laws

There is a conflict brewing between companies which are seeking to offer more privacy to their users and government law enforcement agencies which are vehemently arguing that these measures prevent them from ensuring the security of the nation and doing their job.

Encryption is defined as the process of converting information or data into a code, especially to prevent unauthorized access. End-to-end encryption is a process which ensures that only the sender and recipient have the decryption key and no third party can access the communication in question.

End-to-end encryption in particular has recently come under attack from law enforcement agencies, as it ostensibly prevents them from investigating crimes and unearthing terror plots.

On the June 23, a Bill was introduced in the United States of America by Graham, Cotton, and Blackburn in the Senate titled 'The Lawful Access to Encrypted Data Act’ against warrant proof encryption because of the same enabling criminals and terrorists. The introduction letter, in fact, gives instances of terror acts to argue that break-proof encryption should be done away within the USA.

Thus, while on the one hand data protection laws are calling on companies to provide greater security to the data of persons, on the other hand, laws requiring building backdoor entry into systems or ways to access this data are also coming into existence or are on the horizon. Therefore, in the 21^st century, there is a constant tussle between privacy and security and balancing the two is of utmost importance.

This article seeks to examine some provisions of the proposed US law against encryption, examine the framework prevailing in India, and offer a comparative analysis on the providing of security of data versus the security of the State.

The US Lawful Access to Encrypted Data Bill

The Bill states that its purpose is to "improve the ability of law enforcement agencies to access data and for other purposes."

Section 101 (3119) deals with when data is at rest. Section 101(a) is the definition clause and defines a consumer electronic device, device manager, and operating system provider:

• A ‘consumer electronic device’ is one which can be purchased by a member of the general public and store 1 gigabyte of data or more.

• A ‘device manufacturer’ is one that designs, fabricates or assembles a finished consumer electronic device.

• An ‘operating system provider’ is one who designs, markets or sells software that controls the operation of the consumer electronic device, and directs the processing of programs on the consumer electronic device.

Section 101(b) provides for situations where a court may issue an order for assistance. Some of the noteworthy ingredients of this proposed provision are as follows:

• A device manufacturer, operating system provider, or operator of a remote system can be ordered to furnish all facilities and assistance necessary to access information.

• Assistance includes isolating the information authorized to be searched or decrypting or decoding information that is authorized to be searched or otherwise providing the information in an intelligible format unless the independent action of an unaffiliated entity makes it impossible to do so; providing technical support as necessary to ensure effective execution of the warrant for the electronic devices prescribed by the warrant.

• Device manufacturers, operating system providers, providers of remote computing service, or other persons furnishing information will be compensated for reasonable expenses incurred by them. These reasonable expenses will not exceed $300$.

• Complying with such order will not entail civil liability.

Section 101 also specifies the need for the device manufacturer, operating system providers, or provider of the remote capability to have the capability to assist. Section 101(e) applies to device manufacturers who sell more than 1 million units of a consumer electronic device and requires them to ensure that they are in a position to comply with a directive which may be issued to them.

Section 201 (21584) is titled as ‘data in motion’ and requires the provider of a wire or electronic communication service which had more than 1 million active users in the United States in January 2016 or any month thereafter, or has received an assistance capability directive to ensure that it has the ability to provide the information, facilities and technical assistance which has been described in the request.

Section 301 (2542) pertains to assistance capability directives. Section 3513 authorizes the Attorney General to direct the person to create or maintain any of the assistance capabilities. The directive must be in writing, and the entity must report to the Attorney General within 30 days on what technical capabilities it knows or expects to be necessary to implement or comply with an anticipated court order or other lawful authorization. They must also inform him of the timelines for developing and deploying these technical capabilities. Importantly, a directive cannot specify the technical means by which a person is required to implement the required capabilities.

Section 601 pertains to prize competitions and contains detailed findings of Congress against warrant proof encryption or end-to-end encryption and seeks to incentivize finding ways around it. It states that criminal anonymity due to end-to-end encryption poses a serious risk to the public. The provision seeks to incentivize finding ways to enable law enforcement agencies to gain access within different levels of encryption to ensure that criminals cannot take advantage of such platforms.

The Information Technology Act, 2000

This is perhaps one of the occasions where Indian law was ahead. Law is undoubtedly a reflection of the necessities of the time and need felt by society. Due to several terrorist acts being committed, India felt the need to enact the Information Technology (Procedure and Safeguards for the Interception, Monitoring, and Decryption of Information) Rules, 2009.

Rule 2 is the definition clause. Some of the important definitions are reproduced below:

• ‘Decryption’ means the process of conversion of information in a non-intelligible form to an intelligible form via a mathematical formula, code, password or algorithm or combination thereof.

• ‘Decryption assistance’ means any assistance to allow access, to the extent possible, to encrypted information, or facilitate conversion or encrypted information into an intelligible form.

• ‘Decryption direction’ means a direction issued under Rule 3 in which a decryption key-holder is directed to disclose a decryption key, or provide decryption assistance in respect of encrypted communication.

• ‘Decryption key-holder’ means any person who deploys the decryption mechanism and who is in possession of a decryption key for the purposes of subsequent decryption of encrypted information related to direct or indirect communications.

• ‘Intermediary’ with respect to any particular electronic records means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online auction sites, online market places, and cyber cafes.

Rule 3 pertains to directions for interception or monitoring or decryption of any information. The Rule makes it mandatory for the competent authority to issue an order. Only then can a person carry out interception or monitoring or decryption of any information generated, transmitted, received, or stored in any computer resource under Section 69(2) of the Act.

The Rule provides for the following exceptions:

1. An order can be issued below the rank of the Joint Secretary to the Government of India in unavoidable circumstances. This officer will have to be duly authorized by the competent authority.

2. In case of emergency, in remote areas where prior directions; or

3. For operational reasons, where obtaining prior directions is not feasible, the interception or monitoring or decryption of information may be carried out with the prior approval of the head or the second senior-most officer of the security or law enforcement agency.

4. The officer who approves the same will inform in writing the competent authority about the emergency and of such interception or monitoring or decryption within three working days and obtain the approval of the competent authority within the period of seven working days failing which the acts will cease.

Rule 8 requires the competent authority to consider alternative means in acquiring the information. Intermediaries are required to provide technical assistance and equipment, including hardware, software, firmware, storage, interface, and access to the equipment wherever the agency requires and ensure that their employees act responsibly while handling such matters of interception, monitoring or decrypting data.

Rule 17 requires the decryption key holder to disclose the key or provide decryption assistance, as is specified in the decryption direction.

Analysis and Conclusion

Both the proposed law in the USA and the current law in India make it mandatory to provide law enforcement agencies with the necessary assistance and information while dealing with decrypting data etc. The proposed US law is stricter than the Indian law both in terms of its requirements and its safeguards insofar as it requires the entities to ensure that they are able to decrypt the information and provide the authorities with all the required assistance on receiving a direction from the competent court.

The proposed law also authorizes the Attorney General to issue directions to companies, asking them to inform him on what steps it thinks the company will have to take to implement and comply with a possible directive and how long making these changes is likely to take.

The Indian law does not require a competent court to issue directions; the competent authority is the Secretary in the MHA or Secretary in charge of the home department in the case of a state or union territory. In case of emergencies, the second senior-most officer in the State can issue directions, but this would have to be ultimately confirmed by the competent authority.

Another difference worth noting is that while the proposed US law is focused against device manufacturers, operating system providers and operators of remote systems, the Indian law is wider in its ambit and the definition of an intermediary is inclusive and not exhaustive, thus not limiting whom the law applies to. Anybody who is handling data can come within the ambit of the definition and be required to provide the agencies assistance.

The proposed US law also wishes to offer prizes for finding workarounds against end-to-end encryption and other encryption, as it states that criminals are managing to use it to evade the law. While there is a mandatory requirement to provide the data requested, the means of providing the data or figuring out how to provide the data have been left to the device manufacturers or operating system providers like Apple and Google.

In India, the requirement does not seem to demand compliance with impossibilities and currently does not provide for banning the use of end-to-end encryption. Companies will have to provide whatever assistance they can as long as it is technologically feasible.

If this law is passed in the USA, it will have global ramifications, as the affected parties have global operations. Any requirement to do away with end-to-end encryption or build backdoors into devices will affect users all around the world unless devices and operating systems are configured differently for different regions, depending on the laws prevailing in that particular region. The weaker security will make the job of hackers or bad actors easier, as currently, our phones and communication services are encrypted and therefore protected.

The Rules in the IT Act of 2000 currently do not make any special mention against end-to-end encryption; all they require is for the holder of the decryption key to provide the information if a direction is issued to them and for intermediaries to extend all cooperation to the competent authority or agencies. In the case of end-to-end encryption, we as users, would be the decryption key holders.

In conclusion, governments are feeling increasingly uneasy at not being able to snoop into citizens’ conversations and are making attempts to introduce or modify laws that weaken privacy and weaken the security of our communications and data. The irony of the situation is the fact that while data protection laws are harping on increasing the security of communications, the State is trying to weaken these systems.

This development in this area of law calls for concern, and governments must not be allowed to handicap laudable technologies which allow for uninhibited communications between individuals.

The author is a Delhi-based lawyer.