Encryption

India Debates Going Dark

By Arun M. Sukumar
Thursday, December 17, 2015, 10:30 AM

The on-going debate on encryption and exceptional access for law enforcement agencies to encrypted communication—which recent attacks in Paris and California have only intensified—is also being closely studied in India. How India regulates encryption will be crucial for two reasons. First, India is among the fastest growing digital economies in the world, and its encryption policy could offer a template for other developing countries. What’s more, technology continues to flow from the West to the East but information is now firmly moving in the other direction. If Western companies today are indispensable to the creation of cyber norms around Internet governance and critical Internet resources, it is because they are custodians of data of more than a billion users from the Asia-Pacific. Encryption policies in India could decisively facilitate or disrupt this seamless transfer of information, and with it, re-orient the locus of the emerging cyber-order.

Second, the rapidly growing constituency of Internet users in India exerts pressure on domestic law enforcement agencies to monitor cyberspace to prevent physical and virtual attacks. Consider the following: As 2015 concludes, India’s Internet user base will reach 400 million. While that figure is six times the population of France, it does not represent even half of Indian citizens. As European and American authorities struggle to calibrate encryption policies in response to terror threats, the job of Indian authorities is doubly complicated by having to work across jurisdictions. If Indian authorities respond to demographic or political realities by mandating “backdoors” into encrypted technology, these vulnerabilities might significantly affect financial technology and off-shore data processing – two sectors in which developed economies have major stakes.

Calls for greater online surveillance in the wake of the Paris attacks have led to mixed responses. American authorities fear encryption creates a “dark space for terrorist groups,” and the Obama administration is reassessing how “law enforcement and intelligence agencies can adapt to a world where encryption is common.” Meanwhile, the Snowden revelations continue to animate the discourse in European countries, nudging governments and courts towards stronger data protection and localization regimes. For example, a recent proposal by French Interior Ministry’s to ban Tor was rejected by the government.

Unlike Europe, the Indian government has previously pushed for data localization—notably at the 2014 ITU Plenipotentiary Conference in Busan—with a view towards intercepting Internet traffic. In 2013, law enforcement agencies in India sought access to encrypted communications over Blackberry Messenger. Following protracted negotiations and much controversy, Research in Motion, Blackberry’s manufacturer, not only set up a server in India but also created backdoor access for 8 Indian intelligence agencies to its messaging service. This September, India’s Department of Electronics and Information Technology released a draft encryption policy, only to roll it back within days following public outcry. The draft policy had sought a licensing regime that required encryption suppliers—much like the Clinton administration’s encryption policy of the 90s—deposit digital keys in escrow. Given the centralized nature of government data storage in India, this database would be a likely target of cyber attacks, rendering encrypted data vulnerable.

Although there is limited political appetite for another iteration of this policy, Indian authorities continue to contemplate solutions for lawful interception of encrypted data. Two factors will be crucial to their decision-making. The first factor is internal. India’s Supreme Court is currently hearing arguments over the legality of the government’s Unique Identification Authority programme, which collects biometrically verified data from Indian residents. The Court is likely to rule on the constitutionality of the UID initiative while commenting on the right to privacy in India. Any pronouncement from the Supreme Court on the government’s powers to collect or intercept data will decisively shape the contours of India’s encryption policy.   

The second factor is external. The export controls imposed on dual-use technologies by the Wassenaar Arrangement could also influence India’s encryption policies. Indian intelligence agencies, like their counterparts in the US and Europe, purchase zero-day vulnerabilities. The Wikileaks dump of the Italian company Hacking Team’s emails revealed extensive correspondence with the Indian government advertising the company’s surveillance capabilities. The Wassenaar Arrangement serves the important purpose of limiting the sale of intrusion software to authoritarian regimes. However, it also impedes democracies like India from developing cybersecurity capabilities. Just as the Indian government relies on zero-day exploits, foreign companies are deterred from research and development investment in India’s massive digital market. For India to harmonise its encryption policy with global standards, the Wassenaar regime should be made more inclusive and responsive to concerns of developing economies.

The attacks in Paris have created a heightened sense of urgency among law enforcement officials in India. Still, the majority of law enforcement resources are directed at combating localised cyber-crime rather than coordinated transnational terror threats. Factors as immutable as the time difference between Delhi and Silicon Valley create significant difficulties in requiring US data giants to comply in a timely manner with interception requests. Indian agencies view backdoors as a quick fix. The only way to uncouple the encryption debate from these issues—so it can be conducted on its own merits—is to streamline information-sharing channels between India and the United States and the MLAT process in particular.

Legislators and courts are expected to codify India’s privacy norms by next year and they appear unlikely to mirror Europe’s strict data protection laws. This means the US encryption policy will be all the more important. As the Obama administration's draft memo on encryption notes, “any US-proposed solution will [likely] be adopted by other countries.” This is true of India, whose markets are easily accessible to US Internet companies. But as India looks to US policies, the rest of the developing world will look to India.

***

Arun Mohan Sukumar heads the Cyber Initiative at the Observer Research Foundation, New Delhi.