Tuesday, April 26, 2016

The Encryption Debate in India

This is a bit late, but I thought it would be nice to wade into the currently simmering liberty v. security debate centred about the proliferation of encrypted online communication. I'd written about encryption myself a while back at a time when it wasn't in the eye of the storm. Most of what I have to say in this post is probably already the subject of various comments/editorials in India and the USA, so I apologise for the inescapable repetition. I will address two questions (1) is encrypting private communications illegal in any form, and (2) can the government compel you to give up your encrypted communications. I am purposely keeping out of the liberty v. security debate.

Is WhatsApp Really Illegal Now?
I came across a provocatively titled article today - 'WhatsApp is now Technically Illegal and a National Security Threat in India'. The click-bait worked and I read through the piece and several others [useful links here, here, here and here]. What emerged was a bleak scenario. 

To answer the question first, WhatsApp is technically not illegal - an Internet Service Provider (ISP) running WhatsApp without seeking government permission for the new encryption level is what's illegal. This is because the Department of Telecommunications (DoT) operates through License Agreements between the Government (Licensor) and the ISP (Licensee). Clause 2.1(vii) of this Agreement places a limit of 40-bits for encryption that can be placed by individuals/organisations on the ISP without government permission. For anything more, the ISP needs permission from the Licensor, i.e. the Government. 

What is 40-bit encryption? The kind that people in the 1990s used. The Government doesn't really disagree - a 2002 Note by the DoT stated that 40-bit was needed to ensure security operations aren't hampered. Strangely, despite development of technology the Government stuck to this standard in 2007, incorporating it in the License Agreements mentioned above. In 2009, the Information Technology (Amendment) Act of 2009 was notified, which inserted Section 84-A: "the Central Government may, for the secure use of the electronic medium and for promotion of e-governance and e-commerce, prescribe the modes or methods for encryption." No such prescription has yet come through. The Government has not changed the 2007 policy, although several public sector institutions mandate a higher level of encryption than the 40-bit standard. The RBI mandates 128 bit encryption. This is because 40-bit encryption is rather insecure, to put it lightly. 

So, you don't need to worry about using WhatsApp yourself (well, given the new encryption, of course you don't). The ISPs offering you WhatsApp for use are the ones who will be bothered. That too for contractual violations and not for committing a crime, since this amounts to breaching the License Agreement. Notification of an encryption policy, or a change in the existing agreement, has been sought for many years. Maybe this wakes up the slumbering leviathan that is the Government. 

Can you/WhatsApp be Compelled to Reveal Information?
Section 69 of the Information Technology Act, 2000 is key to this. It authorises  any agency of the Central Government to "intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource." This requires a written order under Section 69(1), and for it there must be satisfaction that "it [the interception, monitoring or decryption] is necessary of expedient to do in the interest of the sovereignty or integrity of india, defence of india, security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence". Note how lofty goals of requiring decryption for the security of the state, come down to normal things such as investigating any offence. 

The Government may prescribe rules governing this process and attendant safeguards under Section 69(2), and these have been created in the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009. It places a requirement of cooperation on the subscriber (end-user, like you and I) or intermediary (like the ISP) under Section 69(3), and a failure to cooperate attracts a fine, and imprisonment which may extend to seven years under Section 69(4). This legal compulsion to cooperate with the threat of prosecution is what brings us to the fundamental right guaranteed to all persons (not citizens) in India under Article 20(3) of its Constitution: "No person accused of any offence shall be compelled to be a witness against himself." 

There are three questions that must be answered while determining any Article 20(3) question: (1) is there compulsion, (2) is the person compelled accused of any offence and (3) is the material sought from compulsion unique to the personal knowledge of that accused or not (blood samples are not unique to personal knowledge in this classification, for instance). Section 69(1) clearly reveals an element of compulsion - a potential seven-year jail term for not cooperating - so condition (1) is met. Its conditions (2) and (3) that are interesting.

I've recently written a lot about condition (2) and how it has contributed to a steady decay of the protection under Article 20(3) in the sphere of the so-called socio-economic offences [see previous posts here, here and here]. This requirement of being accused requires a 'formal accusation' against a person. Section 69(2) sends us to the 2009 Rules to see whether or not such a 'formal accusation' is made against a person who is subjected to an order under Section 69(1). The one Rule directly addressing the 'Decryption Key Holder' (WhatsApp in our case) is Rule 17, which doesn't really make any accusation of the kinds required. The terms of Section 69(1) make it abundantly clear that a need for interception, monitoring or decryption is not limited to crime-solving, but extends to crime-controls and prevention. This makes it harder to argue that a person is accused of any offence at the time when the decryption order warrants cooperation at the threat of prosecution.

We then come to condition (3). Is an encryption code/decryption key 'personal information' or is it akin to blood-samples? This question has been considered in the US and the UK; both countries follow similar distinctions and restrict their self-incrimination protections to something akin to our 'personal knowledge' idea. The last time I read up on this, England had the Court of Appeal decision in R v. S & A and the US had In re Boucher (district court and appeals court) and USA v. John Doe (11th Cir. App. Court). The English Court held the decryption key could be demanded without violating self-incrimination protections under the European Convention on Human Rights. It found the digital key akin to a physical one, and relied on this analogy for its decision. The American Courts held otherwise in both cases. And found that compelling such passwords violated the self-incrimination clause of the Fifth Amendment. Both sets of courts debunked the physical key analogy.

How would/should India hold? Back then, I'd argued that it made sense to agree with the American approach, primarily because of the 'foregone conclusion' doctrine they adopt. Basically, the idea is that self-incrimination questions don't enter the fray if existence of the information ultimately sought is a 'foregone conclusion': its existence can be concluded without needing the decryption. I stand by that claim, but understand that it will mostly not be seen being used by Indian courts any time soon. Which brings us to the settled question on the nature of the testimony. Is the decryption key really part of 'personal knowledge'? If you were to compel me to reveal my computer password, that demand is very different from demanding a firm to divulge its decryption key which is used to code a software. The former is quite certainly a part of my 'personal knowledge' - evidenced best by how often I forget the darn thing. The latter doesn't fit this idea - the decryption key is usually part of the software and not 'personal knowledge' of any person. Unless, we extend self-incrimination to corporations and label decryption keys as part of the corporation's 'personal knowledge'. 

I think this shows how no blanket answer can be given for whether these scenarios result in violating the guarantee of Article 20(3). Both sets of issues - the accused person requirement and the personal knowledge test - show exciting possibilities of development in this field. It would be interesting to see how a High Court treats them.

No comments:

Post a Comment