Update: NASSCOM-DSCI Discussion Paper on Road Ahead for Encryption in India (Version 1.1)
Blog: NASSCOM Official Blog
Earlier in September 2020, NASSCOM and DSCI released a Discussion Paper on the Road Ahead for Encryption in India. Based on feedback received, we have revised selected portions of the Discussion Paper, and are pleased to release Version 1.1 of the Discussion Paper. The new version includes corrigenda, as well as information on recent developments such as the issuance of a Joint International Statement by the Governments of the United States of America, United Kingdom, Australia, New Zealand, Canada, Japan and India, on “End-to-end Encryption and Public Safety.” The Statement urges the private sector to work closely with Governments towards ways of protecting privacy through encryption, while enabling law enforcement to act swiftly against public safety threats.
While the Statement leaves room for more clarity, it clearly establishes the Governments’ rejection of the assertion that public safety cannot be protected without compromising privacy or cyber security. To this end, the Statement makes meaningful industry engagement towards mutually agreeable solutions an absolute imperative.
We look forward to receiving your feedback on the latest version of the Discussion Paper. We request you to kindly share your inputs with email@example.com .
Recognising the importance of encryption in data protection and cyber-security applications, the Government passed the Information Technology (Amendment) Act, 2008 (IT Amendment Act) which, among other significant amendments, inserted s.84A, empowering the Government to prescribe modes and methods for encryption, to ensure the secure use and promotion of e-governance and e-commerce.
This paved the way for the government to release a draft National Encryption Policy in 2015. However, this draft was soon withdrawn owing to significant opposition from cyber security experts and privacy advocacy groups.
Accordingly, the need for a harmonised and over-arching framework for regulating the deployment and use of encryption, as well as the State’s ability to decrypt private communications online, remained unaddressed.
While various subordinate legislation and executive agreements enforce sector-specific norms for the deployment of encryption (for instance, the Reserve Bank of India (RBI) prescribes encryption standards for financial sector data, and the Unified License (UL) prescribes standards of encryption for licensed telecommunications service providers (TSPs)), there is no uniform sector-agnostic framework for the regulation of encryption.
As a result, the extant regulatory framework for encryption and decryption in India can largely be found under the Indian Telegraph Act, 1885 (Telegraph Act) and the Information Technology Act, 2000 (IT Act). The provisions contained therein continue to be the primary avenue of information access by law enforcement agencies (LEA) in India, and issues relating to procedural safeguards for LEA access to decrypted data remain. Moreover, with the advent of new communications and social media platforms, and the ubiquity of cloud, LEAs are increasingly facing technological and jurisdictional issues while seeking access to decrypted information – causing the government to inter alia consider:
- proposals of data localisation,
- tracing of information originator,
- mandatory sharing of decryption keys, and
- local incorporation,
in order to secure access to decrypted information. However, some of these proposals might actually go against the State’s competing regulatory objective to protect citizens’ data privacy. Accordingly, any eventual framework would have to carefully balance the competing concerns of privacy and national security.
Internationally, there is no one strategy that has been adopted by jurisdictions towards finding this balance. Jurisdictions such as the USA, UK and Australia have passed, or are considering the passage of, legislation enabling wide-ranging LEA access to encrypted data – including obligations to mandatorily develop capabilities to decrypt information even in situations where encryption keys are not available.
On the other hand, jurisdictions such as France and Germany have adopted a more pro-encryption stance, by inter alia recognising a general right to encryption, enabling State-enabled ethical hacking to achieve decryption in certain instances, and considering the introduction of a Vulnerabilities Equities Process.
This is set against a backdrop of stronger personal data protection laws being enacted all over the world, including the European Union’s General Data Protection Regulation (GDPR), and the Personal Data Protection Bill, 2019 (PDP Bill) in India, which promote the usage of encryption as a security safeguard towards protecting data subjects’/principals’ privacy.
Given these developments, and recent statements from the Ministry of Electronics and Information Technology (MeitY) indicating an upcoming review of the IT Act, there exists both the urgency and the opportunity to move the debate on encryption forward.
The Discussion Paper provides a brief overview of the legal framework in India, assesses the various approaches that have been adopted or are being contemplated by other jurisdictions, and seeks answers to:
- Gaps in current regulatory design: Identification of gaps in the mechanism related to interception, monitoring and decryption including disclosure norms upon the government, and measures to strengthen the review committee;
- Appropriate rights and obligations for the industry: Framing risk-based obligations, scope of obligations upon service providers and intermediaries to cooperate with government, suitability of imposing obligations on intermediaries to enable tracing of originator of information;
- Appropriate rights and obligations for the government: Scope of information access by government, suitable mechanisms to deal with encrypted data, case for requiring capability to decrypt data, role of ethical hacking;
- Appropriate regulatory framework: Desirability of a sector-agnostic regulatory framework, possible changes to the sectoral framework and the IT Act, implications of prescriptive norms and rights around deployment of encryption.