Our lives today are dependent on technology. We need a Google to search, a WhatsApp to talk, an Amazon to buy and we are moving ahead swiftly with a Siri to joke, a Tinder to date and the list is endless. There is an app for everything we need and many of us depend on them, be it for entertainment, business, medicare or education.
While using these apps and websites we give away a lot of personal and non-personal data about ourselves and those around us. So what do we do about it? How do we secure such crucial information about us? What’s the role of the state, corporations and the users here?
Encryption & How It Empowers Us
What started with a technology to protect state secrets is now utilised by every citizen to protect their privacy. Encryption is a technology that empowers us at every level on a daily basis. Here’s a snapshot for you:
- Privacy: Be it with our life or business partner, our chats on a WhatsApp or a Signal are secure because of encryption.
- Online Banking & E-Commerce: Sharing sensitive financial data on online platforms would be a nightmare without encryption. In India, we have photos of credit cards on our phones and share OTPs over WhatsApp; what would happen if these were not encrypted?
- Anonymity: Journalists, whistle-blowers and human rights workers rely on encryption-enabled anonymity to protect their lives.
- Free Speech: Women and other marginalised groups too rely on encryption-enabled anonymity to exercise counter speech against trolls without the fear of offline, physical repercussions of their online actions.
- Medicare: Wonder what would happen if the Aarogya Setu App data was not secured with encryption? Same goes for all our health data maintained by hospitals and soon by the State via the Health Stack.
- Apps & Websites: User data collected by apps and websites, if not stored securely, could lead to data leaks.
- Education: The UGC has mandated that during Covid-19 if Universities are using Learner Management Systems (LMS) then they must secure student data with encryption.
- National Security: All state secrets are guarded with high-end encryption. The Indian Army recently launched the SAI App for messaging which utilises end-to-end encryption. The Government emphasised how the Aadhaar database is secure with the help of high-end encryption.
This list is endless. Encryption is like water: we need it, but we also need food. Encryption is a necessary layer of security; beyond that we also need other cybersecurity measures like anonymisation to keep us secure.
Global Push For Breaking Encryption – A Recipe For Disaster
Like every technology, encryption too can be misused by hostile actors. Criminals may use it for hatching a conspiracy or sharing child sexual abuse material (CSAM). Law Enforcement Agencies (LEAs) are unable to find who planted ‘fake news’ on encrypted platforms.
This is why some states like the Five Eyes along with India and Japan have manifested their intention to seek ‘traceability’, which is the antithesis of encryption.
It is not an exaggeration to say that creating ‘backdoors’ in an encrypted platform for the ‘exceptional access’ of Law Enforcement is like opening Pandora’s box, because a backdoor can never be for law enforcement only. Hostile actors can also find their way into it and then the security of the entire citizenry will go for a toss. Savvy criminals will anyway shift to other encrypted platforms or just develop their own platform; they have done that in the past.
So what’s even the point of breaking a secure ecosystem and rendering the entire citizenry susceptible to cyberattacks?
There is no evidence to establish that breaking encryption will decisively stop CSAM proliferation, because proliferators can simply shift to another encrypted platform, but it will surely compromise the privacy of children.
The UNICEF Report explicates why breaking encryption would be a disaster for the privacy of children and concludes that creating backdoors is not a sustainable solution. The Telecom Regulatory Authority of India in its recommendations opined against breaking encryption too.
Why backdoors are flawed was explained at length by experts at the Global Encryption Coalition in their new technical report in response to the Communiqué released by the Five Eyes to break encryption.
Similarly, a group of Global Crypto Experts has previously explained why ‘backdoors’ are not a solution but a problem in themselves. This list too is endless.
A Promising Future
While challenges with breaking encryption are very real, there is no denying the fact that the State has a legitimate interest in accessing data to ensure territorial integrity and security of its citizens.
What then is the solution? The Dialogue conducted stakeholder consultations inviting LEAs, Human Rights workers, Big Tech, Crypto Experts, Engineers among other key stakeholders to better understand this challenge and its possible solution. We arrived at the conclusion that breaking encryption is definitely not the way forward.
The answer lies in sharing limited meta-data, and not content-data, with law enforcement agencies. This entails that while the messaging platform is unable to share the content of the chat, it can at least share when the user was last active on the platform, how often they use it, user registration data, profile photo and statuses over the years etc.
All of this data can help law enforcement in their investigation and this does not require breaking encryption. This being said, all such data requests must be carried out after the presentation of a legal warrant.
These data sharing requests must be guided by the three-pronged test of necessity, proportionality and legality as prescribed in the Puttaswamy Judgement (2017, Supreme Court).
At the same time, platforms must not be asked to collect too much metadata as that would run contrary to the principle of data minimization, which is a core tenet of privacy and a principle revered in the Puttaswamy judgement itself. Here is a tricky balance which must be achieved.
For successfully achieving this balance, it will be crucial for the LEAs, the Big Tech, the Civil Society, the Academia and the Industry bodies to collaborate and together build the capacity of LEAs.
The EUROPOL report explicates that it is not access to encrypted chats but the tedious procedure of data requests that is the biggest stumbling block in their cyber investigation.
Streamlining the data sharing processes and enhancing the meta-data analysis capabilities of the LEAs must be the top two priorities of the State to tackle this challenge without creating another one.
The article was co-authored by Kazim Rizvi and Pranav Bhaskar Tiwari, programme manager at The Dialogue.