NASSCOM-DSCI Discussion Paper: The Road Ahead for Encryption in India
Blog: NASSCOM Official Blog
NASSCOM and DSCI are pleased to release their latest Discussion Paper on the Road Ahead for Encryption in India. Using the premise of recent developments relating to personal data protection, cyber-security and prevention of online harms, the Discussion Paper explores possible paths towards a well-balanced regulatory framework for encryption in India – one which balances the needs of individual privacy and State access to communications information.
We trust the industry will find the Discussion Paper to be timely, given that a number of important and concurrent developments have taken place over the past year, materially impacting the manner in which companies use and deploy encryption products. These developments include the increasing threat of large-scale cyber-attacks from both State and non-State actors and consequent scrutiny of Over-the-Top (OTT) applications by the Government, the introduction of the PDP Bill before the Parliament of India, and the ongoing review of the Information Technology Act, 2000 and the proposed amendments to the Information Technology (Intermediaries Guidelines) Rules, 2011. All of these provide both the urgency and opportunity, to engage and shape the future of encryption and privacy in India.
We request you to kindly share your inputs with email@example.com before 30 September 2020. We will be organising an Online Policy Round-Table Discussion to discuss the issues raised in the Discussion Paper in September, 2020. Details of the meeting will be shared with members once the dates are finalised.
Lastly, NASSCOM and DSCI would like to thank the Quantum Hub Consulting, (TQH) for their research support and inputs towards this Discussion Paper.
Recognising the importance of encryption in data protection and cybersecurity applications, the Government passed the Information Technology (Amendment) Act, 2008 (IT Amendment Act) which among other significant amendments, inserted s.84A, empowering the Government to prescribe modes and methods for encryption, to ensure the secure use and promotion of e-governance and e-commerce.
This paved the way for the government release a draft National Encryption Policy in 2015. However, this draft was soon withdrawn owing to significant opposition from cyber security experts and privacy advocacy groups.
Accordingly, the need for a harmonised and over-arching framework for regulating the deployment and use of encryption, as well as the State’s ability to decrypt private communications online, remained unaddressed.
While various subordinate legislation and executive agreements, enforce sector specific norms for the deployment of encryption (for instance, the Reserve Bank of India (RBI) prescribes encryption standards for financial sector data, and the Unified License (UL) prescribes standards of encryption for licensed telecommunications service providers (TSPs)), there is no uniform sector-agnostic framework for the regulation of encryption.
As a result, the extant regulatory framework for encryption and decryption in India, can largely be found under the Indian Telegraph Act, 1885 (Telegraph Act) and the Information Technology Act, 2000 (IT Act). The provisions contained therein continue to be the primary avenue of information access by law enforcement agencies (LEA) in India, and issues relating to process safeguards in the process for LEA access to decrypted data, remain. Moreover, with the advent of new communications and social media platforms, and the ubiquity of cloud, LEAs are increasingly facing technological and jurisdictional issues, while seeking access to decrypted information – causing the government to inter alia consider:
- proposals of data localisation,
- tracing of information originator,
- mandatory sharing of decryption keys, and
- local incorporation,
in order to secure access to decrypted information. However, some of these proposals might actually go against the State’s competing regulatory objective to protect citizen’s data privacy. Accordingly, any eventual framework would have to carefully balance the competing concerns of privacy and national security.
Internationally, there is no one strategy that has been adopted by jurisdictions towards finding this balance. Jurisdictions such as USA, UK and Australia have passed, or are considering the passage of legislation enabling wide-ranging access to encrypted data to LEAs – including obligations to mandatorily develop capabilities to decrypt information even in situations where encryption keys are not available.
On the other hand, jurisdictions such as France and Germany, have adopted a more pro-encryption stance, by inter alia recognizing a general right to encryption, enabling State enabled ethical hacking to enable decryption in certain instances, and considering the introduction of a Vulnerabilities Equities Process.
This, against a backdrop of stronger personal data protection laws being enacted all over the world, including the European Union’s General Data Protection Regulation (GDPR), and the Personal Data Protection Bill, 2019 (PDP Bill) in India, which promote the usage of encryption as a security safeguard towards protecting data subjects’/principals’ privacy.
Given these developments, and recent statements from the Ministry of Electronics and Information Technology (MeitY) indicating an upcoming review of the IT Act, there exists both the urgency, and opportunity to move the debate on encryption forward.
The Discussion Paper provides a brief overview of the legal framework in India, assesses the various approaches that have been adopted or are being contemplated by other jurisdictions, and seeks answers to:
- Gaps in current regulatory design: Identification of gaps in the mechanism related to interception, monitoring and decryption including disclosure norms upon the government, and measures to strengthen the review committee;
- Appropriate rights and obligations for the industry: Framing risk-based obligations, scope of obligations upon service providers and intermediaries to cooperate with government, suitability of imposing obligations on intermediaries to enable tracing of originator of information;
- Appropriate rights and obligations for the government: Scope of information access by government, suitable mechanisms to deal with encrypted data; case for requiring capability to decrypt data; role of ethical hacking.
- Appropriate regulatory framework: Desirability of a sector agnostic regulatory framework, possible changes to the sectoral framework and the IT Act, implications of prescriptive norms and rights around deployment of encryption;