2 July 2016

End-to-end encryption is safe, for now

29 Jun 2016 

The Supreme Court of India today heard and dismissed a PIL seeking to ban messaging services like WhatsApp and Telegram that provide end-to-end encryption. End-to-end encryption protects communication from being accessed by third parties not only in transit but also when it is stored on a service provider’s servers. The service provider retains no decryption key; even if it is directed by a court order to do so, it cannot access the information. The PIL filed by Sudhir Yadav, an RTI activist, sought to project end-to-end encryption services and platforms that use them as a threat to national security.

Yadav’s concerns that these services would be used by criminals and would stonewall police investigation seem to have found no merit in the apex court, which reportedly directed the petitioner to approach the appropriate authorities (which in this case could be the Telecom Regulatory Authority of India) in the matter. If the matter is filed in the Tribunal, it would be the first time that the Indian judicial system has taken cognizance of the data protection and security concerns surrounding encryption.

Over the past year, encryption has polarised policy debates on law enforcement and data protection. The US Federal Bureau of Investigation had, until recently, been involved in a much-publicised legal battle against Apple over accessing the iPhone 5C that belonged to Syed Rizwan Farook, the terrorist who killed 14 people in the mass shooting at San Bernardino, California. The phone, locked with a passcode, could only be accessed if Apple developed firmware to bypass it. This claim by the US government met with concerns from privacy activists and the tech industry that the creation of such a backdoor, if leaked, would not only compromise existing devices, but also set a dangerous legal precedent that could be misused by the government for unrestricted surveillance over its citizens.

The FBI’s claim that this case was a one-off request and would not compromise the encryption of other Apple phones was also contested. There are currently 13 pending cases where a backdoor to bypass the security of iPhones has been sought from Apple. Compliance with law enforcement demands would, therefore, open the floodgates for such intrusion by the state. This issue was considered by the US District Court of the Eastern District of New York in yet another case involving the Drug Enforcement Agency (DEA) and Apple. The FBI and DEA’s claim, demanding Apple’s assistance in unlocking a phone that was evidence in a drug investigation, had been filed under the All Writs Act (AWA). The AWA is a “filler” statute that allows American courts the power to issue writs in matters that the Congress has not yet legislated on. The DEA’s claim before the New York District Court was, however, rejected.

James Orenstein, the magistrate judge presiding over the case, considered not only the significance of the iPhone to that particular investigation but also the precedent-setting value of the matter. Under the AWA, a court may issue a writ only if the issuance of the writ is in aid of the issuing court’s jurisdiction; is necessary or proportionate; and is agreeable to the usages and principles of law. Orenstein concluded that while the DEA’s claim had met the first two criteria under the AWA, it had failed to satisfy the third. The AWA, according to him, cannot be used to authorise an action that is already directed by another statute. It also cannot be used to authorise something patently prohibited by another statute. Therefore, the AWA can only be used to issue writs in matters that have not been contemplated in any statute created by the American legislature. The American Communications Assistance for Law Enforcement Act (CALEA) implores service and information providers to assist law enforcement agencies in technology-related investigations. The CALEA, however, precludes the government from requiring carriers to build into their encryption services a back door that enables law enforcement access to the information. Orenstein, therefore, concluded that the specific case before him was a matter that the Congress had considered but chosen not to include in the law. This was therefore not a matter where an order could be granted under the AWA.

While American law has no precedential value for Indian courts and the legal system, its development makes for an interesting case study in determining what the Indian approach to encryption will be. The draft encryption policy circulated last year represents the first unsuccessful attempt by policymakers in New Delhi to regulate encryption. The policy, which sought to mandate the use of the extremely weak 40-bit encryption and retention of the plain text of encrypted communication for 90 days, was met with strong criticism from civil society activists and was later withdrawn. However, if that draft had been enacted, the Supreme Court ironically would have had a legal/policy standard to evaluate the legality of end-to-end encryption. The validity of encryption policies set by private companies is not a settled matter by any means. The Indian judiciary is yet to lay down a clear recognition of the right to privacy as a fundamental right. Should a strong legal standard be ascribed to privacy and data protection in India, end-to-end encryption may be considered as a means of strengthening this right. Cheaper and unsecured smartphones that are ubiquitous in India’s digital economy threaten to peg technical encryption standards to a low benchmark. Should such standards be further diluted by law, it may impede the development of encryption technologies in India. The consequent impact on privacy and the right to free speech and expression would be grave.
