Regulation of Encrypted Technology by the State for National Security

Encryption keeps sensitive user data safe, but it can be problematic when it hampers law enforcement

It was recently reported that the Jaish-e-Mohammed (JeM) terror group, which is suspected to be behind the Pulwama terror attacks used peer-to-peer software service YSMS to coordinate the attack.

Image: Reuters

The answer to fighting encryption related problems may lie in the technology itself. Image: Reuters

This brings into focus the recent debate surrounding State regulation of encryption products/services and whether laws should mandate access to encrypted communication on grounds of national security.

Incidents involving the use of encryption by terrorists

Encryption, being a secure method of communication, is used for a number of purposes ranging from securing financial transactions online, storage of sensitive personal data such as Aadhaar and in online messaging apps like Whatsapp and Telegram.

Terrorists are increasingly relying on communication services which use encryption to avoid detection by law enforcement bodies and intelligence agencies. For instance, in the 26/11 terror attacks in Mumbai, attackers used Blackberry phones to communicate with their handlers. During an investigation, the Indian intelligence agencies asked Research in Motion (RIM) (the then developer of BlackBerry phones) to break the encryption of the BlackBerry devices used by terrorists. While RIM was initially reluctant to concede to the government’s demands, RIM allowed the government partial access to encrypted information, in the face of a prospective ban on BlackBerry in India.

In the 2017 London Bridge terror attack in the UK, the perpetrators used Whatsapp, which features end-to-end encryption, to communicate securely; this led the British government to consider a ban on encryption and compel State access to encrypted communication.

Similarly, in 2015 the FBI recovered an iPhone belonging to Syed Rizwan Farook, the suspect in the San Bernardino terror attacks. The iPhone was locked using a combination of encryption software and hardware; this led to a legal dispute between the FBI and Apple to access the iPhone data.

In the Pulwama terror attacks, the JeM group communicated through YSMS messages, which uses an ultra-high radio frequency model for sending encrypted messages. Unlike popular messaging apps like Whatsapp and Telegram which also use encryption, very little is known about YSMS other than the fact that it involves discrete hardware (radios) and an Android app. In fact, the app is said to be available only through the Dark Web.

Encryption may be both hardware or software-based. Today, one of the most popular methods of encrypted communication between terrorists includes the use of messaging apps like Whatsapp and Telegram. The use of encryption by terrorists has resulted in governments wanting access to any encrypted information; this may require companies to deposit the decryption key with the government or deliberately build ‘weaker’ encryption products, giving the governments a ‘backdoor’ into the encryption system.

National security vs privacy and innovation

Any attempt by the State to regulate encryption is often met with opposition by civilians and companies which offer encrypted products/services. Internet users fear that if governments frame laws allowing the State access to encrypted messages, it would adversely affect the citizens’ right to privacy. ‘Government snooping’ and State surveillance received worldwide attention after former Central Intelligence Agency (CIA) employee, Edward Snowden, leaked information that the US and the UK governments were carrying out wide-scale internet and phone surveillance.

Internet companies are reluctant to give States access to the encrypted data of their users, or incorporate ‘weaker’ encryption in their products, as this would make their products less appealing to their consumers, namely, internet users. From a security point of view too, companies argue that building products with weak encryption would result in their products/services being more vulnerable to attacks by malicious hackers.

Historically, States have sought to regulate the export of encrypted technology due to national security concerns through an international agreement known as the Wassenaar Arrangement (WA). The WA restricts inter alia the export of weapons and technologies which are dual-use in purpose and on the agreed list of the WA; this includes certain cryptography products. One of the goals of the WA is to prevent the acquisition of controlled goods by terrorists. In December 2017, India became the 42nd Member of the WA. In the 1990s, the US witnessed “crypto-wars” when the National Security Agency (NSA) tried to introduce the Clipper Chip (an encryption device to be incorporated by telecommunications companies for voice and data messages which contained a built-in backdoor). This move was successfully opposed by civil society activists and companies on grounds of violation of privacy and fear that it would make US encryption products in foreign markets less competitive.

Encryption laws in India

India does not have a law dedicated to governing encryption. The RBI and SEBI have laid down encryption standards for online banking and securities trading over a mobile phone and a wireless application platform respectively. Similarly, telecom licences also contain provisions on encryption.

Section 69 of the Information Technology (IT) Act, 2000 applies inter alia to over-the-top (OTT) communication services like Whatsapp and other messaging apps. Under section 69, a government agency has the power to intercept any information transmitted through any computer resource on the grounds of “sovereignty or integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence”. Upon the government’s request under section 69, a person in charge of a “computer resource” (including data) will have to “extend all facilities and technical assistance” to decrypt information. Section 69 is implemented through the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

Under section 84A of the IT Act, the Central Government may prescribe the modes/methods of encryption for security of the electronic medium and the promotion of e-governance and e-commerce.

The draft Information Technology [Intermediaries Guidelines (Amendment) Rules] 2018 (draft intermediary guidelines) were released by MeitY recently to tackle fake news incidents in India. Under Rule 3(5) of the draft intermediary guidelines, a government agency can require an intermediary to enable tracing out of the originator of content on its platform; the grounds for a government order under Rule 3(5) are State security, cyber security or investigation/detection/prosecution/prevention of offence(s). The traceability clause has been decried by certain companies and civil rights organisations as it may require companies like Whatsapp and Signal to break their encryption, which hampers a user’s privacy.

In 2015, the government released a draft encryption policy, which was withdrawn shortly after concerns that the draft policy was too totalitarian.

Approach towards regulating encrypted apps in other jurisdictions

While others countries have surveillance programmes in place to ensure State security, it appears that only Australia has formally passed laws compelling internet companies to build features into their products which lets the government access encrypted communication; companies are exempt from this requirement if the features risk causing “systemic weaknesses”.

It was reported in 2016 that the US government and Whatsapp were involved in a legal case to allow the US government to read/eavesdrop on conversations on Whatsapp. While this was not a terrorism case, the case highlights the technical difficulty which governments face in accessing encrypted information even with a judicial order allowing “wire-tapping”; encryption by communication apps makes it nearly impossible for the government to read encrypted information as even companies do not have the means to decrypt that information.

Need to dig deeper

While encryption by internet companies is desirable as it keeps sensitive user data (financial information, medical health records, etc.) safe, encryption can be problematic when it hampers law enforcement. On the other hand, users are wary that weak information security will not only result in a data breach but can also lead to the misuse of their personal data for political reasons.

A deeper concern is that even in cases where State access to encrypted information is allowed, companies claim that they themselves have no means of decrypting that information. However, some argue that this is not true, and Whatsapp (which uses end to end encryption) can, in fact, access its users’ chats.

Some suggest that a viable solution is for the government to engage in hacking (also known as, “equipment interference”) to break encryption. To address concerns that State-sanctioned hacking is an attack on users’ privacy, the government should engage only in ‘targeted hacking’ and only after obtaining a warrant. For this, the government can develop an in-house team of cryptographers and hackers to decrypt communications in cases of terrorism.

The answer to fighting encryption related problems may lie in the technology itself. Quantum computers, which are expected to become commercially viable in a few years, are considered to be capable of breaking encryption instantly. It may be worthwhile for the government to invest in such technologies to remove any hurdles in law enforcement efforts when deciphering encrypted information.

At the same time, States should be mindful of the alternative ways in which terrorists communicate, for instance, through online gaming platforms (which are not primarily communication platforms).

Any approach to regulating encryption, including through State-sanctioned hacking or the use of quantum computing, should be taken only after an extensive study of the underlying issues involved; this is because encryption is an esoteric subject and there is a need for greater clarity on the technical aspects of encryption. This will ensure that any measure to regulate encryption is, in fact, effective in countering threats to national security.

The author is a Policy Analyst at Nasscom. The views expressed in the article are personal and should not be attributed in any way to Nasscom or any of its members.

Find latest and upcoming tech gadgets online on Tech2 Gadgets. Get technology news, gadgets reviews & ratings. Popular gadgets including laptop, tablet and mobile specifications, features, prices, comparison.