Encryption is the new challenge facing law enforcement not just in India but around the world. Social media apps such as WhatsApp and Viber have gone ahead and provided end-to-end encrypted (E2EE) communications to users. Law enforcement officials have said that this makes it impossible for them to engage in legitimate monitoring of communications by terrorists and criminals.
Encryption is not a new technology; it forms the backbone of secure communications and data transmission over the Internet. Without encryption, financial transactions and secure data transmission would be impossible. Efforts by social media companies to encrypt their data are a more recent phenomenon and a direct fall-out of the mid-2013 Snowden revelations. Apps like Telegram were created offering end-to-end encryption following the revelations, and existing apps like WhatsApp followed suit, partly to retain market share and partly so that they would not have to respond to requests for data and information from law enforcement agencies. When WhatsApp started, the messages that one user sent were saved in plain text, without encryption, on its servers, which made it possible for a third party to intercept the communication. Since 2013, WhatsApp has been encrypting data for its communications, culminating now in strong end-to-end encryption.[1]
In social media apps, using E2EE means that only the sender and receiver can read the encrypted data, because the key to decrypt the data lies only with the end users. No other entity, including the service provider, has the capacity to decrypt the data even though the data travels through its servers.
Not all social media platforms use end-to-end encryption. There are some apps like Facebook Messenger where encryption applies only to the data in transit.[2] Other apps encrypt the data but store the decryption keys, thereby creating the possibility of inspection by law enforcement agencies. Apps like Snapchat encrypt only data in transit, but the messages are deleted from the server once the recipient reads them.
Technicalities of Encryption
In general, there are two kinds of encryption. In Symmetric Encryption or Secret Key Encryption, the same key, called the secret key, is used to encrypt and decrypt the data or message. It is a very simple method of encryption, but the challenge is to keep the secret key away from unintended recipients. If A wants to send a message to B, A encrypts the data using a secret key and shares the key with B, who uses it to decrypt and read the message.
In Asymmetric Encryption or Public Key Encryption, different keys are used to encrypt and decrypt the data or message. It is a more complex but efficient method of encryption. A public key known to all is used to encrypt the message, and a private key, available only to the recipient, is used to decrypt the message. A public key is like a telephone number in a directory: each person has his or her own public key that anyone can look up. If A wants to send a message to B, A encrypts the message with B's public key, which is available in the public domain. The recipient of the message, B, uses his/her private key to decrypt the message. In the same way, B uses A's public key to encrypt and send a message to A, and A decrypts it using his/her private key. In this case, A and B have different public and private keys.
What it means for India
Section 84A of the IT Act 2008 calls for encryption to keep the electronic medium secure, and also provides that the Central Government would prescribe the methods of encryption. The telecom sector is limited to 40-bit encryption.[4] Section 69 of the IT Act 2008 gives both the Central and State Governments the power to intercept data, taking into account the security of the State. The agency facilitating the transfer of data could also be mandated to decrypt the data.
WhatsApp, which is one of the Over The Top (OTT) messaging and calling services, uses encryption that is far more sophisticated than that of the telecom sector. There is also no clarity on whether WhatsApp could be required by law to decrypt data. Now, after the transition to E2EE, there is no way for WhatsApp to provide decrypted information even when legally bound to do so.
In a recent move, the Ministry of Home Affairs asked companies like WhatsApp, Facebook, and Google to maintain servers in India.[5] With companies moving to E2EE, locating servers in India would not serve the purpose. The 2015 draft encryption policy recommended the use of 256-bit keys for encryption and promoted the use of digital signatures, thereby envisioning a secure cyberspace. However, certain contradictory provisions regulating encryption, which mandated users and companies to preserve the plain text and required companies providing encryption to enter into an agreement with the Government, were harshly criticized and led to the withdrawal of the policy.[6]
Therein lies the crux of the issue. On the one hand, a strong policy of regulation would hamper innovation in encryption technology; on the other, unregulated encryption would favour miscreants using the technology for their activities. The need of the moment is a policy that does not come in the way of innovation but at the same time reduces undue opportunities for criminal and terrorist activities.
Views expressed are of the author and do not necessarily reflect the views of the IDSA or of the Government of India.