Published: April 2019
As India forays into a digital revolution that – even in its formative years – has triggered massive transformative changes across the country in areas such as communications, financial inclusion, e-commerce and e-governance, the need for protecting our citizens’ right to privacy and freedom of expression is more pertinent than ever before. Encryption, as a crucial enabler of these rights and liberties, has therefore gained much recognition across public and private domains as the foremost tool for information security. At the same time, the rapid advancement in the use of technology for malicious purposes (such as acts of terror, incitement of crimes, fake news, and sharing of indecent content) has blurred the lines between consumer privacy and national security, and has brought the question of regulating encryption to the forefront of our fast-evolving cyber policy.
In this study, we have attempted to envision a framework for the regulation of encryption technologies in India – one that acknowledges the importance of consumer privacy and technological innovation, while not diminishing the role of the government in protecting national security. Through a critical evaluation of the encryption ecosystem, we have presented a rationale for state intervention for the purpose of correcting detrimental market failures. Thereafter, we have undertaken an in-depth analysis of regulatory frameworks across the globe, so as to study best practices in encryption regulation adopted by various countries, and to evaluate their application in the Indian context.
Keeping in mind the unique ‘double-edged’ nature of encryption, we have sought to balance the interests of public as well as private stakeholders. Through an analysis of the non-negotiables that must be borne in mind by any policy that hopes to oversee encryption, we have arrived at a set of recommendations that are bucketed into two categories – (1) the use of encryption for improving data protection, especially of sensitive information; and (2) interception of encrypted information for law enforcement.
To strengthen data protection, we recommend bolstering pecuniary damages in case of data breaches and building a publicly available repository of such breaches. We also suggest instituting preventive measures by establishing a voluntary third-party accreditation system of data protection certification/seals.
With respect to interception, and to alleviate the challenges that encryption creates for law enforcement, we recommend that service providers and the government work together to develop mechanisms and modify technology, as required, to allow for lawful interception requests to be serviced. We also recommend improving checks and balances in the use of hacking by law enforcement agencies as well as extending legislative support to ‘ethical’ hacking.
These recommendations would not only assist our policymakers in protecting the rights and freedoms of Indian citizens, but would also help them build trust among the various encryption intermediaries in order to achieve better public-private cooperation for the country’s national security efforts.