The Indian Supreme Court on 29 June 2016 refused to entertain a petition that sought a ban on WhatsApp and other similar applications that use strong end to end encryption technologies to safeguard the communications on their services. The petition stated that employment of such stringent encryption standards rendered a national security hazard as it would be impossible for law enforcement agencies to uncover communications of/amongst parties that pose a threat to the safety and security of the country. With WhatsApp, a widely used messaging application enabling a default 256 bit encryption recently in April, 2016, there has been a lot of talk surrounding the legal position of encryption under the current Indian framework. We created an FAQ to help understand the status of encryption, and services that use encryption in India. This FAQ was originally published on 29 June 2016. It was last updated on 11 November 2017.
1. Do we have a comprehensive law regulating encryption?
No, India does not have a dedicated law on encryption. Although, a number of sectoral regulations including in the banking, finance and telecommunication industries carry stipulations such as the minimum standards of encryption to be used in securing transactions. A draft National Policy on Encryption under Section 84A of the Information Technology Act, 2000 was published on 21st September, 2015 and invited comments from the public, but was withdrawn on 23rd September, 2015. Section 84A permits the Central Government to prescribe encryption standards and methods to secure electronic communications, and promote e-governance & e-commerce.
2. How did the draft National Encryption Policy seek to regulate the use of encryption?
The draft Policy applied to use of encryption technologies for storage and communication of information held with the government, businesses, and citizens. The Central Government was delegated the power to specify and notify the encryption protocols and technologies that can be used in this regard. This policy was withdrawn due to certain problematic provisions in the policy that caused upheaval not only in the IT sector, but also with the users. A proposed addendum to the draft encryption policy was issued by DeitY soon after the release of the draft policy. The proposed addendum exempted the following from the purview of the draft national encryption policy:
- The mass use encryption products, which are currently being used in web applications, social media sites, and social media applications such as Whatsapp, Facebook, Twitter etc.
- SSL/TLS encryption products being used in Internet-banking and payment gateways as directed by the Reserve Bank of India.
- SSL/TLS encryption products being used for e-commerce and password based transactions.
3. Why was this draft Policy withdrawn?
The draft National Policy on Encryption was withdrawn within two days of its release due to its unfeasible and unclear provisions with respect to the usage of encryption technologies. Mr. Ravi Shankar Prasad, Union Minister of Communications and Information Technology said that India is lacking any sort of encryption policy, and the original draft will be refined for this purpose. The draft Policy received a large amount of criticism from the businesses, IT sector, users and civil society advocacy groups. The following were a few major points of criticism leveled against the policy:
- The provision that mandated the retaining of plain text copies of encrypted communications for 90 days by users and businesses.
- Registration for foreign service providers before they make their services available to the Indian population.
- The security concerns associated with retaining plain text copies for 90 days.
- The Government specifying the key length, and algorithm to be used in encryption technologies for all users and businesses entailed that the Government could restrict the maximum standard of encryption that could be used, without leaving any room for discretion for a user to subscribe to stricter security standards.
- The provision that put the primary responsibility on users of foreign services for retaining and handing plain text copies of communications when sought by a law enforcement agency.
4. Was there a second draft of the National Policy on Encryption?
According to media reports, in mid-2016 the Ministry of Information and Technology (MeitY) wrote a letter seeking comments from Cellular Operators Association of India (COAI), Association of Unified Telecom Service Providers of India (AUSPI), and Internet Service Providers Association of India (ISPAI), among other industry leaders, in order to come up with a second draft National Policy on Encryption. This second draft was never released.
5. Are there other laws and/or recommendations pertaining to the use or regulation of encryption and other such technologies in India?
The Information Technology Act, 2000 that regulates the electronic and wireless modes of communication is silent on any substantive provision or policy on encryption apart from Section 84A that delegates the Central Government the authority to frame any rules on the use and regulation of encryption. Till date, no such rules have been framed by the Central Government under this section. Besides that, the following are few sectors where the use of encryption technology and products have been regulated and mandated by specific conditions and terms:
Department of Telecommunication (DoT) License with Internet Service Providers (ISPs)
The terms and conditions of the license agreement between the DoT & the ISPs permit use of encryption technologies only up to 40 bits with RSA algorithms or its equivalent without any prior approval from the DoT. A higher encryption standard can only be employed with a permission and submission of the decryption key split in two parts to the DoT. Moreover, there is a complete prohibition on using bulk encryption by ISPs under these license terms (Clause 2.2 (vii) of the License Agreement between DoT & ISP, January 2010). However, it is important to note that although the terms of the Unified Service License Agreement also explicitly prohibit bulk encryption (Clause 37.1), they do not prescribe to a 40 bit standard. Rather, they state that the permissible encryption standard under this Agreement will be governed by the policies made under Information Technology Act, 2000(Clause 37.5). But, as stated earlier, no rules have yet been drafted that prescribe or regulate the usage of encryption technologies in India under the IT Act.
Securities and Exchange Board of India (SEBI) Guidelines on Internet based Trading and Services
As per the Report on Internet Trading by the SEBI Committee on Internet based Trading & Services, 2000, a 64/128 bit encryption standard is advisable to secure transactions and online tradings. It strongly recommended that “128 bit encryption should be allowed to be freely used”. However, it is qualified with a condition that the DoT prescribed policy and regulation will be adhered to with respect to encryption. In paragraph 30 of the cyber security and cyber resilience framework of Stock Exchanges, Clearance Corporations and Depositories, and for Registrars to an Issue / Share Transfer Agent with a portfolio of over two crore, SEBI requires that “Data in motion and data at rest should be in encrypted form by using strong encryption methods such as Advanced Encryption Standard (AES), RSA, SHA-2, etc.”
Reserve Bank of India (RBI)
In paragraph 6.4.5 of the Report on Internet Banking released in 2001, RBI mandated a minimum security standard of using of SSL for server authentication and the use of client side certificates, the use of 128-bit SSL encryption for communication between browsers and the server, and encryption of sensitive data like passwords in transit within the enterprise itself.
Information Technology (Certifying Authorities) Rules, 2000
These Rules specify the manner in which digital signatures are to be authenticated. Under Rule 3, a digital signature authentication is mandated to be undertaken via a public key encryption method. Rule 6 of these Certifying Authorities Rules provide the requisite standards for public keys that can be used for this purpose, such as PKCS#1 RSA Encryption Standard (512, 1024, 2048 bit), PKCS#5 Password Based Encryption Standard or PKCS#7 Cryptographic Message Syntax Standard. Most of the standards listed under this rule resort to an encryption strength higher than 40 bits, which is the maximum permitted standard under the license terms of an agreement between an ISP and DoT.
Data Security Council of India’s (DSCI) recommendation
The DSCI & NASSCOM with other industry inputs submitted recommendations to the Department of Information Technology in 2009 regarding an Encryption Policy for India. One of the recommendations made therewith is the departure from a 40 bit standard as enshrined in the DoT license to ISPs, and to upgrade to a 256 bit encryption standard with AES algorithm or other equivalents for e-commerce platforms, along with SSL for end to end authentication.
6. Is there a restriction/prohibition on using encryption technologies?
The license agreement between the ISP & DoT carries a stipulation to the effect that users are not permitted to use encryption standards higher than 40 bits with symmetric key algorithms or equivalent algorithms without prior approval and deposition of decryption keys. As mentioned above, there are various other regulations & guidelines that employ a higher standard of encryption than 40 bits for certain specific sectors. Also, in the absence of a comprehensive encryption policy /regulation, or any procedures detailed under the Information Technology Act, 2000, the service providers under the terms of Unified Service License Agreement don’t have any limitation on encryption strength. Therefore, the restriction of 40 bits effectively applies only to the individuals, organizations, or groups using the platform of ISPs that function under the license agreement between DoT & ISP.
7. What is the legal status of services like WhatsApp that enable end to end encryption?
In April 2016, WhatsApp, a messaging application enabled end to end encryption for all its users at 256 bits. This service is owned by Facebook Inc. and is not an individual, group, or organization as is covered under the license terms between the DoT & ISP. Applications like WhatsApp are termed as ‘Over The Top’ (OTT) services and in the absence of any specific regulation pertaining to them, are governed by the provisions of the IT Act and/or other legislations applicable to their services. An application that is only making its service available to consumers is not bound by any license agreement that restricts encryption usage. The onus in this regard falls on the ISPs who have a license agreement with the DoT that only permits encryption up till 40 bits without prior permission. However, the extremely low threshold of 40 bits is a practice that needs to be upgraded. Therefore, due to the absence of stipulated encryption standards under the IT Act, or a comprehensive encryption policy, OTTs, such as WhatsApp that use higher encryption standards are currently operating in a grey area with no legal precedent or rules to deny or allow its use of a 256 bit, end to end encryption for the communications made on its service.
Content courtesy of the Software Freedom Law Center, India