While Indian citizens await setting up of a Constitution bench by the Supreme Court of India to determine if there is fundamental right to privacy under the Constitution of India, a public interest petition has been filed before SC seeking ban on Whatsapp, Telegram, and other messenger services which have end to end encryption. PIL cites national security concern as the reason as the such encryption do not provide the government of India with means of accessing these messages; reported Medianama.
On 5 April 2016, WhatsApp introduced end-to-end encryption for messages, photos, videos, voice messages, documents, and calls on its application. In a release it said:
WhatsApp’s end-to-end encryption ensures only you and the person you’re communicating with can read what is sent, and nobody in between, not even WhatsApp. Your messages are secured with a lock, and only the recipient and you have the special key needed to unlock and read your message.
ISP encryption Regulation
In 2007, Department of Telecommunications, Ministry of Communications & IT, Government of India had issued “Guidelines And General Information For Grant Of Licence For Operating Internet Services”, which provides:
The Licensee shall ensure that Bulk Encryption is not deployed by ISPs connecting to Landing Station. Further, Individuals/Groups/Organizations are permitted to use encryption upto 40 bit key length in the symmetric key algorithms or its equivalent in other algorithms without having to obtain permission from the Licensor. However, if encryption equipments higher than this limit are to be deployed, individuals/groups/organizations shall do so with the prior written permission of the Licensor and deposit the decryption key, split into two parts, with the Licensor.
Grey legal position – OTT regulation
The legal position however is little grey as mobile applications such as WhatsApp, Telegram, Skype etc. do not fall within clear definition of internet service providers or telecom service providers. The services provided by these apps are called ‘Over-The-Top Services’ (OTTs).
Though the Telecom Regulatory Authority of India (TRAI) had issued Consultation Paper on Regulatory Framework for Over-the-top (OTT) services last year and the discussions on the same are closed, TRAI is yet to issue regulations to regulate the OTTs.
In its consultation paper, TRAI had noted:
3.22 In case of messaging, certain players indulge in special encryption, which becomes extremely difficult to intercept as these encryption keys are not made available easily to law enforcing agencies. It was only after prolonged persuasion by the Government of India that BlackBerry agreed to monitor, track and intercept its services including mails, chats and browsing history on BlackBerry devices .
3.27 The security issues (including law and order dimensions) that have surfaced because of the growing popularity of the OTT services need to be addressed. Public safety and privacy issues can no longer be left unattended.
Draft National Encryption Policy
In September 2015, Department of Electronics and Information Technology (Deity), Government of India had released ‘Draft National Encryption Policy’ seeking methods of encryption of data and communications.
The Draft required that “user shall reproduce the same Plain text and encrypted text pairs using the software/hardware used to produce the encrypted text from the given plain text. All information shall be stored by the concerned B/C (business/citizen) entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country.”
However the Draft was withdrawn after public backlash. Withdrawing the Draft, DeitY said:
DeitY has noted public sentiments viz-a-viz this draft. It is hereby clarified that the above mentioned draft is not the final view of the Government on the matter.
DeitY has also taken note of the ambiguity in some portions of the draft that may have led to misgivings. Hence, the above mentioned draft has been withdrawn and will be put up for consultation after appropriate revision.
In his interview to Medianama, about the surveillance laws in India, petitioner Yadav said: “My view is that the laws in India are excellent, and if they are implemented correctly, then privacy will be protected…If the government believes that there is a threat to India’s unity and integrity, it should have full access to do whatever it can to protect this.”
TMT lawyer Salman Waris says that “the maximum 40-bit encryption level provided for under the ISP Licence Agreement as per the DOT’s present licensing regime perpetuates an outdated and technologically obsolete approach. This leads to a growing difference between DoT regulations and sector specific legislations enacted by the Government of India. [written in 2013]
Some of the laws cited by the petitioner in his petition are mentioned below:
The Indian Telegraph Act, 1885
Section 5. Power for Government to take possession of licensed telegraphs and to order interception of messages
Indian Telegraph Rules, 1951
Rule 419A, – Rules regarding interception of messages [click for the provision]
Information Technology Act, 2000
Section 69 – Power to issue directions for interception or monitoring or decryption of any information through any computer resource
Information Technology (Directions for Interception or Monitoring or Decryption of Information) Rules, 2009