11. Understanding the Encryption Debate in India
- Author:
- Anirudh Burman and Prateek Jha
- Publication Date:
- 09-2021
- Content Type:
- Working Paper
- Institution:
- Carnegie Endowment for International Peace
- Abstract:
- Encryption has become a contentious instrument for protecting the security and confidentiality of online communication. Rapid digitalization in the past decade has led to the proliferation of domestic and foreign online communication services that use encryption and, consequently, pose challenges to national security bodies and law enforcement agencies (LEAs). To address these challenges, the Indian government introduced new regulations in February 2021. These regulations require large social media platforms to enable traceability, or the ability to provide information concerning the originator of online communications. Technology companies and privacy activists have opposed such a move on the grounds that traceability would require the breaking of the end-to-end encryption used by many online communication platforms like WhatsApp and therefore would compromise the security of online communications on such platforms. This traceability requirement, however, is only the latest development in a drawn-out, contentious debate over the use of encryption. The contestation between maintaining higher degrees of online security and issuing new rules to grant technological exceptions for security agencies and LEAs is not specific to India. One of the first serious discussions on the issue took place in the United States in the 1990s, when public opposition warded off an early government attempt to sidestep encryption protections with a court order. In the past decade, the use of encryption has only grown more pronounced. The revelations that the United States’ National Security Agency was collecting vast amounts of communications data led to the introduction and increased adoption of end-to-end encryption for online communications. End-to-end encryption is now used widely by online communication platforms like WhatsApp, Signal, and Threema. Its use presents law enforcement and national security agencies with new challenges. Even though these agencies today have greater and easier access to more information than ever before, the absolute confidentiality provided by encrypted online communication platforms makes it harder for these agencies to engage in real-time surveillance to investigate crimes and identity wrongdoers. While some policymakers from India and other countries argue that encryption must only be weakened to solve specific problems, most experts agree that, as of today, there is no technological solution that would weaken encryption for specific law enforcement and national security purposes, while managing to maintain preexisting levels of security and confidentiality for general use. The introduction of any mechanism for specific access would, it is claimed, introduce both known and unknown vulnerabilities into these communications platforms. Such a mechanism would have a systemic effect on all online communication dependent on encryption for ensuring security and confidentiality. In India, these developments create challenges in specific ways. For example, India reports the highest number of child pornography cases worldwide, and encrypted communications makes it difficult to identify culpable parties. Similarly, as India has digitized rapidly, there has been a surfeit of fake and offensive online news that has, in some cases, led to mob lynchings. In addition, terrorist networks have been found to be using encrypted communication channels while planning and carrying out terrorist attacks in India. Over the years, the Indian government’s approach to encryption has responded to these concerns in a variety of ways. Indian financial regulators mandated the use of encryption for banking and financial services as they realized the security of such transactions was best protected through encryption. At the same time, the Indian government prohibited telecom operators from implementing bulk or mass encryption in telecommunication services. Starting in 2015, the government introduced different regulatory proposals requiring that messaging platforms and other communication service providers provide plaintext copies of communications to Indian government agencies on request. These proposals, however, faced significant opposition and were withdrawn. Earlier in 2021, the Indian government’s new rules requiring traceability have been officially notified. The mechanisms through which they will be implemented are not yet clear. It is also unclear if these rules are the last demands the Indian government will make to weaken encryption, or whether further demands will arise in the future. To weigh the relative benefits and drawbacks of the Indian government’s proposal, analysts should consider relevant factors such as (but not limited to) whether such changes will offer law enforcement officials the access they desire, how the security of encrypted communications will be affected, and how citizens’ civil liberties will be impacted, among others.
- Topic:
- Security, National Security, Science and Technology, Law Enforcement, Digitalization, and Encryption
- Political Geography:
- South Asia and India