India’s Traceability Question

Authors: Rohit Kumar & Renjini Rajagopalan
Published: November 12, 2019 on Firstpost

At the recently concluded India Mobile Congress 2019, Union Minister Ravi Shankar Prasad spoke about India generating the largest amount of data in the world. Our tryst with technology has led us to become one of the foremost internet-using countries in the world. However, this has not been without consequences.

As with all mediums, the internet too is open to abuse. Social media platforms, with their ever-growing number of patrons, are particularly susceptible. Over the last few years, India has had to battle the spread of doctored images and falsified news, which has fuelled mob violence across the country, resulting in the death of innocent people in a number of instances.

The Indian government had sought to crack down on perpetrators by seeking co-operation from dominant social media platforms such as Facebook and Twitter, who in turn introduced numerous measures, including employing fact-checkers to battle fake news. However, with Law Enforcement Agencies (LEAs) struggling to pinpoint the origin of such messages and effect convictions, the government has sought increased accountability from social media platforms, including having them trace senders of the original messages.

This has been strongly protested by platforms, who cite the encryption technologies (including end-to-end encryption) backing their messaging services, customer privacy, and the likely reputational damage in the event of allowing interception. Therefore, in late 2018, the government attempted to compel them into doing so via amendments to the intermediary guidelines which govern digital platforms. This had significant ramifications for tech companies, since it had the potential to impact their operations, including the tech and encryption algorithms they deploy. While other issues had put these amendments temporarily on hold, a recent Supreme Court order that asked the government to curb social media misuse has once again thrust the issue of encryption and government interception into national discourse.

Global models for governing the interception of encrypted information

Countries across the globe resort to different ways to intercept encrypted information. Some seek to limit those who use encryption by way of a license, while others might resort to using court warrants. Some might even seek backdoor access, i.e. ask for ways or methods to bypass encryption.

Countries such as Russia and China have put in place laws that govern or limit the use of encryption by private companies, thereby allowing the state to maintain supervisory access over all information collected and processed by the companies. Australia’s recently enacted Assistance and Access Act too falls within this bucket. It not only empowers LEAs to seek (and enforce) co-operation from technology entities to access specific users’ encrypted messages and data, but where companies can’t offer such access due to end-to-end encryption, it authorises LEAs to demand that the companies build tools to do so.

The sheer variety of such interception models speaks to the unresolved nature of the issue. Even countries such as the US and the UK, while trying to be mindful of privacy concerns, are seeking increased compliance from intermediaries/social media platforms in the interest of national security.

Providing a balanced perspective

Technological innovations guarantee that security solutions like encryption stay a step ahead of any legal framework seeking to regulate them. But having to constantly play catch-up deprives LEAs of a robust and effective mechanism to investigate online offences (particularly urgent ones). Thus, even as we hold privacy and security sacrosanct, it is important to acknowledge the challenges faced by the security apparatus when it is obstructed in the path of a legitimate investigation.

While providing the government with backdoor access poses the risk of government surveillance, there is a case for service providers and LEAs to work together to develop mechanisms and modify technology, as required, to allow for lawful interception requests to be serviced on a case-by-case basis, while building strong safeguards to prevent misuse of this power to intercept.

Currently, interception requests under Indian law can be made to service providers under either the Telegraph Act (Section 5(2) or Rule 419(a)), the IT Act (Section 69), or the CrPC (Section 91), all of which require service providers to comply or suffer punitive measures, including fines and imprisonment. These laws only allow for communication to be intercepted on a set of pre-identified grounds. The chain of command with respect to overseeing interception requests runs the length of the senior law enforcement cadre, before reaching the Home Secretaries.

As another check, the laws also call for the creation of a Review Committee (both at the central and state level) which is required to meet once every two months to analyse, post-facto, every interception order for legitimacy on a number of criteria, including the specific grounds under which the request was raised, the protocol followed for interception, as well as the outcome of the same.

Both processes followed in an interception, the one before an interception request is approved and the post-facto review by the Committee, draw flak from civil liberty organisations, who cite a lack of adequate checks and balances in what is essentially an executive-driven process.

To create more safeguards, judicial oversight is often proposed as a solution. However, when it comes to interception, it must be noted that in many instances what is required is an urgent decision to avert a potential threat like a terror attack. In such instances, judicial oversight not only adds another layer to the process but is also likely to make little difference, since the judiciary may be reluctant to object in the light of grave concerns. As for the process followed by the Review Committee, while there is merit in placing yet another judicial member, if only to build public faith, it is unlikely to be practically effective unless at least half of the committee is judiciary-based.

In such a scenario, a more effective solution could be channelising all requests for interception through a single platform/interface that is suitably audited at regular intervals to build accountability and transparency in the process. This should be accompanied by the codification of practices and principles of the Review Committee.

Our stakeholder interactions reveal that in each meeting, the Review Committee is tasked with evaluating thousands of cases and often picks a sample of a few hundred cases for a deep dive. To ensure a robust selection of cases for review, the specifics of the entire process should be codified in law. Not only will this bring transparency regarding proceedings, it might also prevent arbitrariness in vetting procedures in the future.

Government interception rests upon an uneasy truce between the government/LEA, private companies and civil society activists, and given our overwhelming reliance on data, it is important to achieve a proper balance between privacy and national security. A robust and more transparent interception system might be the solution to this conundrum.