Chances are that you usually send secret messages to a trusted person, and you don’t want any other person to read that message. And Signal has got you covered! (well, we are not endorsing WhatsApp anymore) But what is the thing that has got Signal covered? (or any other encrypted messaging services for that matter) We call it encryption. (not just us, of course!) It is the process of converting any text or information into some gibberish that nobody understands. But, the intended receiver can decrypt the information and read it. So what’s the legal mandate on this? Let’s dive into the encryption laws in India.
But before we begin, this article has been co-authored with Rohit Ranjan Praveer.
How does Encryption Work?
Let’s take a simple example.
You send an email to your company’s CEO, and the email includes some confidential information. More specifically, ‘product launch going on as expected, on 25th February, 2021’. As it turns out, one competitor of your company has planted an imposter in your office. He works as a network admin. So, he can read your email! He pulls out the email and what?? It reads ‘dEfghI12398jklmn5op8qRstUvw’. Utter gibberish.
You were smart! You encrypted the email. And when your CEO received your email, he used the encryption key (which you guys had already shared using a different medium of communication), he reads ‘product launch going on as expected, on 25th February, 2021’. So, encryption helped you maintain the confidentiality of information.
This concept has been around for more than a thousand years. 1900 BC to be precise. Ancient Egyptian, Hebrew, Greek, Chinese, Roman, and Arabic civilizations used various sorts of encryption to send private messages and secure trade secrets, among other things.
Getting into the Details
Now let’s understand what happened in the above example. In cryptography (the process of encryption and a few other things), encryption converts the original representation of the information, known as plaintext, into an alternative form known as the cipher text. Ideally, only authorized parties can decrypt a cipher text back to plaintext and read/ access the original information. A cryptographic key allows them to decipher the information into its original form. Sounds simple enough.
But there’s a problem. In today’s age, how do you send the information? The internet, of course. Messaging applications use the internet and let you send the message to your friend. And that’s pretty safe. Or is it? If you think a little bit harder- you will have to send the cypher text, and the key too! If the person facilitating the transfer of messages gets hold of the key, he could decrypt the information and read it. And you can’t do without sending the key- how would your friend decrypt the information otherwise?
That’s where End-to-end encryption steps in. It ensures that only the sender and recipient have the cryptographic key and no third party has it. Thus, the third party can’t access the communication in question, even though it travels through their computer network. In case of messaging applications, they exchange keys first, create a secure communication channel, and then you can securely text!
Under the encryption laws in India, Schedule V of the Information Technology (Certifying Authorities) Rules, 2000, defines encryption as-
The process of transforming plaintext data into an unintelligible form (cipher text) such that the original data either can’t be recovered (one-way encryption) or can’t be recovered without using an inverse decryption process (two-way encryption).”
Symmetric and Asymmetric Encryption
Now this is the most important part- in the context of this article. Especially so since you are here to know about the legal aspect of encryption.
A symmetric-key encryption uses the same key to encrypt as well as decrypt the information. But this method is not ideal. Why? Because you, and your friend, both have the same secret key. In case you lose the key, you also lose the confidentiality of your information. Also, this requires a safe method to transfer the key from one party to another (as in our CEO example earlier).
Our search for the ideal solution stops at asymmetric encryption which uses what’s we call a ‘public key infrastructure’. Here are two different keys- one to encrypt the plaintext, and the other one to decrypt the cypher text. Depending upon the requirement and use, the key pairs can be distributed.
An example. If you need a one-way communication channel, suppose in a spy world, you would share your public key with your spies. When your spies encrypt the information and send them to you, you can decrypt and read them all using the private key! Even if a spy is compromised and loses the public key, that is of no use.
The Indian Law on Encryption
The Information Technology Act, 2000, and the Information Technology Rules framed by the Government of India primarily throw light on the issue. There was a Draft National Encryption Policy (2015) framed, but it was never implemented. (it was a huge controversy, but more on that some other day)
A ‘Secure Electronic Record’
The Information Technology Act, 2000, recognizes digital signatures, which are based on asymmetric encryption. Most importantly, Section 14 read with Section 16 of the Act, talks about a ‘secure electronic record’. This leads us to the Information Technology (Security Procedure) Rules, 2004.
Rule 3 of these rules explicitly says that an electronic record shall be considered to be a ‘secure electronic record’, only if it is authenticated using a ‘secure digital signature’ (which uses an asymmetric key pair for encryption). More details on what is a secure digital signature are contained in Rule 4.
Some other Notable Provisions in the Indian law on Encryption
- Section 84A of the Information Technology Act, 2000- It was inserted by the Information Technology (Amendment) Act, 2008, and empowers the Central Government to prescribe the bit level of encryption. It states that the Central Government, may, for secure use of the electronic medium and for promotion of e-governance, prescribe the modes or methods for encryption.
- Rule 5.2(6) of the Information Technology (Certifying Authorities) Rules, 2000- It says that transmission systems used for sensitive information are to be equipped with suitable encryption software. Similarly, Rule 5.3(1) of those Rules provides that any sensitive information or data should be in an encrypted format to avoid compromise by unauthorized persons.
- Specific encryption policies laid down by RBI, SEBI and Dept. of Telecommunications (“DoT”)- As per RBI, for all banking transactions, a minimum of 128-bit SSL (Secure Socket Layers) encryption is to be used. SEBI prescribes a 64-bit/128-bit encryption for normal network security and mandates the utilization of encryption technology for security, reliability and confidentiality of knowledge.
- Section 69 read with Rule 3 of Information Technology (Procedure and Safeguards for the Interception, Monitoring, and Decryption of Information) Rules, 2009- It pertains to directions for interception or monitoring or decryption of any information. The Rule makes it mandatory for the competent authority to issue an order for decryption under certain circumstances. Upon the postulation of any order, an agency of the appropriate Government may perform interception or monitoring or decryption of any information generated, transmitted, received, or stored in any computer resource under Section 69(2) of the Act.
- Information Technology (Certifying Authorities) Rules, 2000- It requires ‘internationally proven encryption techniques’ to be used for storing passwords. In addition, thereto there’s an entire prohibition on using bulk encryption by ISPs under these license terms (Clause 2.2 (vii) of the License Agreement between DoT & ISP, January 2010).
That’s all about the encryption laws in India folks! Do subscribe to our Telegram channel for more resources and discussions on tech-law. To receive weekly updates, and a massive monthly roundup, don’t forget to subscribe to our Newsletter.