“It is neither fanciful nor an exaggeration to say that, without encryption tools, lives may be endangered.”
— Zeid Ra’ad Al Hussein, United Nations High Commissioner for Human Rights
Be it surfing online or enjoying e-commerce, neither is possible without encryption today. Yet, while encryption technology has multiple uses in many aspects of our daily lives and governance, it also subtly serves a much more important purpose—it is a crucial tool to empower citizens with. In an ecosystem replete with extreme speech, trolling, hacking, espionage, and blackmailing, ensuring a safe virtual space with strong encryption measures in place is the first line of defence when protecting users’ human rights across the globe.
High-end encryption technology doesn’t just protect users and businesses, but also Critical Information Infrastructures of the government, like those of Aadhar and Aarogya Setu among others. So, with ‘user-data’ rendering the user a product in itself, if government structures are protected, so are our personal information, security, and privacy.
But first, what is encryption and how exactly does it empower us?
Encryption converts a piece of information into an unreadable code that can only be accessed using a particular passphrase, or key. Analogous to our house locks, the person with the key can open the main door; or in this case, can access and read the original piece of information.
End-to-end encryption technology—which is what you see labelled at the top of your WhatsApp chats—further empowers users by ensuring that only the sender and the recipient of the information have access to the decryption keys. That’s like sending a letter to someone with a code-lock on the envelope, where the code with which to unlock it is only known to the sender and the recipient.
And so, end-to-end encryption can ensure total privacy for the users in question, even in an open network such as the internet. Because of this, even service providers like WhatsApp and Telegram can not read the information shared on their platforms between users. This is relevant when using the Internet, which is as political and politicised a space as the ‘offline world’.
For example, in a recent controversy, it was found that the information stored with Zoom’s video conferencing app was not protected via high-end encryption, resulting in severe criticism of the platform’s security infrastructure. Reports further noted that some of these poorly protected Zoom calls made by non-Chinese users were routed through Chinese servers. This is concerning given that Article 7 of China’s National Intelligence Law requires organizations and citizens to “support, assist and cooperate with the state intelligence work.”
Such an obligation raises serious concerns about such companies being compelled to share personal data—whether Indian or otherwise—with Chinese authorities. These concerns were also a major reason behind the banning of over 100 Chinese Apps in India, including TikTok. These Apps—which were allegedly gathering vast amounts of user data—were found to be a threat to national security by the Ministry of Electronics and Information Technology.
In response to similar criticisms globally, Zoom recently rolled out end-to-end encryption both to free and paid users. After the Chinese app bans led by the Indian and US governments, China also released an eight-part framework to set global standards on cybersecurity. Beijing would no longer ask Chinese tech companies to hand over the data of users in violation of the laws of other countries. However, needless to say, there exists a trust deficit with Chinese law enforcement: and so, it is crucial that the apps that we use deploy high-end encryption, to protect users from foreign surveillance and cyber attacks.
All of these issues link back to protecting user privacy, a human right guaranteed to us all in Article 12 of the Universal Declaration of Human Rights. The American Supreme Court in Riley v. California (2014) and the Indian Supreme Court in Justice K.S. Puttaswamy v. Union of India (2017) have also both ruled in domestic capacities that the right to privacy protects both the secrecy and anonymity of personal communications.
However, this could have been avoided not only if India itself had robust data protection laws in place to protect users with (instead of such one-off bans), but more importantly, if the platforms used end-to-end encryption to protect user data.
This level of protection is what makes you feel comfortable sharing personal photographs, opinions or banking details through your WhatsApp or Email accounts, without fear of being censored. In a democracy—or indeed any kind of state—this absence of censorship is particularly important for human rights workers and whistleblowers, whose data and communications have the potential of putting them and those they work with at significant risk.
Encryption is also valuable for maintaining data integrity. Individuals benefit from this because they can be confident that the communication that they have received is exactly what the sender had originally despatched. So, a human rights defender receiving information about a human rights violation can be certain that the information they have received is exactly what their source had intended to send, without any tampering from a third party.
So, how do the benefits of encryption unfold in our states and societies then?
The benefits of encryption aren’t hypothetical. In a UNESCO study on the impact of encryption on human rights, anonymity and encryption have been reported to be inalienable for the meaningful exercise of freedom of expression and the realisation of sexual rights. Further, David Kaye, the UN Special Rapporteur on the freedom of opinion and expression, in a report to the UN Human Rights Council, noted that in the absence of encryption, surveillance takes place. This can result in the harassment of members of vulnerable groups, and a wide variety of repercussions, including detention, physical attacks, and even killings of individuals for ambiguously defined ‘crimes’ online.
WhatsApp is fighting hard. In its court filing accessed by @BuzzFeedNews, it said the app’s encryption was essential for India’s citizens, journalists, religious minorities, and activists to function “without fear of surveillance or retaliation.” pic.twitter.com/n6m3xr6yft
— ¯\_(ツ)_/¯ (@PranavDixit) August 6, 2019
Encryption is extremely important for protecting the rights of journalists, for example, who play a crucial role in upholding the values of democracy and the rule of law. In 2019, Saroj Giri, a journalist and lecturer at Delhi University received a WhatsApp message warning him that someone had tried to hack his WhatsApp to spy on him remotely. Ironically, this happened as Giri, a public critic of Indian politics, was preparing class material on Panopticon. This is one of the many instances of targeted attacks on journalists worldwide, highlighting the importance of using robust cybersecurity tools to ensure their safety and security as they navigate the virtual world for facts, leads, and quotes.
On a similar note, the protests in Hong Kong and Belarus provide valuable insights on the crucial role of encryption technologies in safeguarding the democratic rights of the people. In defence of their fundamental rights, millions of citizens have marched on the streets of these two cities. Platforms like Telegram and Signal were used popularly by the protestors for communication, as their strong end-to-end encryption features shielded them from surveillance and information tampering by any third parties, and ensured their safety and security while organising.
But, can encrypted platforms be breached? What happens then?
Given the rise in the proliferation of Child Sexually Abusive Material (CSAM), disinformation, hate speech, the narcotics trade, and terrorist activities across many messaging, social media, and gaming platforms, law enforcement agencies have been increasingly demanding backdoor access to encrypted platforms in order to track the perpetrators of these crimes.
Such decisions although well-intentioned on the face of it, are likely to do more harm than good for multiple reasons.
Firstly, as Rianna Pfefferkorn of Stanford’s Center for Internet and Society explains, the banning or breaking of encryption protocols via backdoors in the “public interest” will not stop criminals from using encrypted platforms, but will only make it difficult for the law enforcement agencies to catch them. Why? Because encryption tools cannot be effectively banned, they are available online for anyone to download and use—including criminals. If a vulnerability or backdoor is created on a popular encrypted platform for law enforcement agencies to track perpetrators with, then tech-savvy criminals will simply shift to another platform, possibly one of their own, which is securely encrypted. These sophisticated criminals, who are the more dangerous perpetrators of criminal activity online, can easily get away scot-free.
DOJ’s Latest Child Porn Site Takedown Shows Encryption Isn’t Really Stopping The Feds From Fighting Child Porn https://t.co/kJUpGt2EaU
— techdirt (@techdirt) October 21, 2019
Secondly, it is an established fact that the creation of backdoors for the ‘exceptional access’ of law enforcement agencies will render platforms vulnerable to surveillance and cyberattacks by both foreign governments and non-state actors alike. This can seriously compromise users’ security and can lead to a national security crisis as well. In what is known as the Greek Watergate Scandal, the phones of the political and military elite were tapped by unknown actors through a legal backdoor created for the exceptional access of law enforcement agencies. It is because of reasons like these that companies like Apple and Telegram have been praised internationally for refusing requests from the American and Russian governments respectively to provide exceptional access to the encrypted information. After all, ensuring the privacy and collective security of the citizens is also a key facet of national security.
This brings us to the third point, namely that the creation of backdoors will compromise the fundamental right to privacy of millions of citizens whose personal data is now susceptible to surveillance. Pfefferkorn, who analysed this situation in the American context, has previously explained that in effect, such interventions enable better privacy protection for the criminals, who shift to unregulated encrypted platforms. On the other hand, law-abiding citizens end up subjected to enhanced surveillance, in stark violation of their right to privacy.
The seminal security reportKeys Under Doormats puts it best: “demands for exceptional access to private communications and data shows that such access will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend.”
Lastly, law enforcement anyway has access to advanced forensic and surveillance technologies. They also have access to metadata of the perpetrators—such as timestamps and registration details among others—through the platforms. What is required is to build the technical capacity and efficiency of law enforcement agencies’ investigations online by collaborating with tech companies, not by disrupting the encryption protocols. After all, if criminals shift to unregulated encrypted platforms, then agencies simultaneously lose the assistance they received from the platforms in the form of criminals’ metadata, making catching them all the more difficult.
So, where do we go from here?
We live in an imperfect world full of inequities. And so, with the dawn of the Industrial Revolution 4.0, we need to rapidly adapt technologies to make room for rights to life, privacy, and freedom of speech and expression for all.
It is for this reason that international bodies like the Organisation for Economic Cooperation and Development (OECD) and UNESCO have opined that encryption should lie at the core of policies in nations that respect the human rights of their citizens. Sectoral regulators such as the Reserve Bank of India and the Securities and Exchange Board of India have also mandated minimum encryption standards for the entities they regulate, acknowledging the key role played by encryption in enabling trust and security amongst consumers.
Even more promising developments are brewing in India. Keeping the rights of the users at the centre of the debate, the Telecom Regulatory Authority of India (TRAI), in its recent recommendations opined that platforms’ encryption technologies should not be tinkered with, so as to protect users from cyberattacks and surveillance. The recommendations—a result of five years of extensive consultations with leading stakeholders in the ecosystem, analyses of international jurisprudence, and discussions at the International Telecommunications Union—have set an example for the regulators and policymakers to follow domestically and globally.
Encryption is vital to protecting both the citizen and the sovereign. A collaborative approach by roping in tech companies to tackle online vices is the key to a secured online space.
The Bastion is happy to announce a new Technology vertical, where we’ll be covering how the future intersections of tech, policy, and society will affect India’s development journey. To read more of our technology coverage, click here. Interested in writing for us? Click here to read our submissions guidelines.
Featured image: “Protesters brave heavy rain as they march against the 2019 Hong Kong extradition bill on Sunday, August 18, 2019.” Courtesy of Studio Incendo (CC BY 2.0). | Views expressed are personal.