#Debriefed: The laws surrounding end-to-end encryption

In the first week of April, WhatsApp’s chat window, displayed the following message to its users : “messages you send to this chat and calls are now secured with end-to-end encryption.”.What this means is that all texts, calls, videos, images and other files sent over WhatsApp can only be viewed by the recipient and no one else..What is end-to-end encryption?.End-to-end encryption (E2EE) is a way of transmitting a message so that it can only be read by the intended recipient, and not intercepted by accessing the servers or the networks via which the message is sent..Rather than being sent as plain text, the message is scrambled as long series of digits that needs a key, one only held by the sender and the recipient, to understand it..On being asked if it’s a good thing, Sunil Abraham from the Centre for Internet and Society told Mid-day,.“Yes, for users. But for law enforcement agencies, it means more payload and extra work.“.Is it legal in India?.So far, yes. .In 2008, the Information Technology Act, 2000 (IT Act) was amended to include Section 84A [pdf] which empowers the Central Government to prescribe the modes and methods for encryption. .In this regard, a Draft National Encryption Policy was issued which required service providers using encryption technology, to register themselves with the Government. However, the draft policy was withdrawn and the modes and methods of encryption are yet to be specifically defined by the Central Government..In India, as of today, broadly two types of services providers are regulated by the Telecom Regulatory Authority of India (TRAI):.Telecom service providers and Internet service providers.Both have to obtain a license from the Department of Telecommunications under Section 4 of the Indian Telegraph Act, 1885 in order to be able to provide such services in India. .Particularly, as per the License Agreement for the Provision of Internet Services [pdf], internet service providers are allowed to use encryption up to 40-bit key length without having to obtain permission. Encryption higher than this requires permission from TRAI and a deposit of the decryption key with the TRAI..Whereas, apps like WhatsApp, Skype and Viber, fall in neither of the two categories. These have been termed as ‘Over-The-Top-Services’ or OTTs and have been defined in the OTT consultation paper issued in 2015 to mean: .“applications and services which are accessible over the internet and ride on operators’ networks offering internet access services eg. social networks, search engines, amateur video aggregation sites etc.”.Till date, TRAI is yet to issue a final set of regulations on the matter. Hence OTTs are currently not regulated and as such, there are no encryption requirements, nor are there any other requirements in the name of security which these have to comply with..So until TRAI comes up with a policy to regulate OTTs, it’s clear that WhatsApp’s 256-bit level of encryption for their data in India is perfectly legal..On Governance.Parminder Jeet Singh, executive director, IT for Change, India, says that the move towards E2EE is a “welcome step”..“I’m pleasantly surprised they did it in the present manner because unlike Facebook and Google, they do not have a clear revenue model. They haven’t really monetised on the intimate data they possess. This way, they have denied themselves access to data which could otherwise be useful to them.“.On being asked how the sector can be regulated, Singh said.“This is an increasingly important sector and thus requires some kind of governance..First thing that needs to be tested is, whether or not the encryption is up to the claimed-standard. For example, Apple claimed that they cannot themselves decrypt their own data, but it was proven that it isn’t unbreakable. .Further, since now this will also give criminals an added advantage, the society has to collectively take part in deciding the rules since there is a trade-off involved. The society must draw the line together.We must also strike a balance between the requirements of the two ends the spectrum i.e. the legitimate needs of law enforcement and consumer privacy. “.The problem?.In India, Section 69 of the IT Act [pdf] empowers the Government to intercept, monitor and decrypt information through any computer source. However, with the introduction of E2EE, it will not be possible for the Government to decrypt information transmitted over WhatsApp. .But in the absence of rules framed under Section 84A, OTTs from abroad may continue to function outside the purview of Section 69 of the IT Act..India is not the only one trying to regulate apps like WhatsApp and Viber. Countries all across the globe are attempting to regulate these services as in some ways, they do pose a serious threat as well..Globally, the security agencies are skeptical about the usage of high level of encryption, which will prohibit them access to information in relation to say-terrorist, smugglers and criminals; broadly anyone who will use this to their advantage to conduct illegal activities..In yet another attempt by the United Kingdom to regulate the encrypted information sent over the internet, the House of Commons in May passed the Investigatory Powers Bill (also known as the “Snoopers’ Charter”) which will force internet and communication companies (such as WhatsApp) to retain customer usage data for up to 12 months. If passed into law, it would give the Government extensive powers to intercept and store communications data..In the United States, the recent battle between Apple and the FBI over access to encrypted data in Syed Farook’s (one of the San Bernadino terrorists) i-phone has created a lot of unrest. .While all the tech giants are firm supporters of encryption, the Government seems to be completely against it. So much so that, earlier this month, Senators Diane Feinstein and Richard Burr introduced the draft text of a bill called the “Compliance with Court Orders Act of 2016”, which empowers the courts to order a ‘covered entity’ to provide technical assistance to the Government i.e. providing unintelligible data in an intelligible format..Following the recent terrorist attacks in France, amendments have been passed by the lower house to the Criminal Procedure Code which will levy penalties against technology companies that do not provide access to encrypted data during terrorism investigations. .Technology giants who do not cooperate with investigations would face a fine of $385,000 and up to five years in jail.Telecoms that do not cooperate with investigations would face smaller fines, and up to two years in jail..To this, Singh added,.“I think this topic requires normative discussions and figuring out where the society wants to draw the line. It shouldn’t be a knee jerk reaction as it is in countries like USA, UK and France.“.Mishi Choudhary, executive director, Software and Freedom Law Centre, adds,.“What WhatsApp has done is making communications secure for everyone- the correct directions in which most services will and should move if they wish to retain the trust of their users.“.While this is certainly a welcome move by the service providers like Viber and WhatsApp, it does problems which should not be ignored.