The Debate on Encryption: Are we heading in the right direction?
Last week we saw a nationwide debate on "Draft National Encryption Policy" which was put out for public consultation. The purpose of the draft was to create rules under section 84A & 69 of the IT Act of 2000 which is reproduced as under.
“84A. Modes or methods of encryption— The Central Government, may, for secure use of the electronic medium and for promotion of e-governance, prescribe the modes or methods for encryption.”
"69. Power to issue directions for interception or monitoring or decryption of any information through any computer resource. -........"
Public outcry led to the withdrawal of the draft within 24 hours. Also, it was later clarified that the draft was NOT intended to regulate applications of mass use, like Whatsapp, Facebook, Twitter, E-commerce etc.
What was the objective?
The objective was to create a common framework for various directives issued by government agencies from time to time and to regularize the existing services which are clearly in violation or are operating under insufficient rules. For example, the ISP license agreement allows usage of 40 bits encryption without any permission, but the same agreement allows use of encryption of higher strength with prior approval of the government and after handing over the encryption keys. RBI/SEBI mandates usage of SSL/128 bit encryption. The section 37.1 of the UL (unified license agreement) makes the telecom licensee responsible for ensuring protection of privacy of all communication and to prevent unauthorized interception of messages. Also, the clause 37.5 of the UL mentions that the use of encryption by the subscriber shall be governed by the Government Policy/rules made under the Information Technology Act, 2000.
What is the contradiction?
It is clear that though the purpose of the draft was to lay out a strong framework of a secure "encrypted system" but government also wants access to encrypted data as and when needed in the "national interest" - as the draft called for all vendors of encryption products (local/foreign) to register their products with the designated agency of the Government, and submit working copies of the encryption software / hardware to the Government for inspection along with the encryption keys. Also, the users of these encrypted services were mandated to store the messages generated and received through the encrypted systems for a period of 90 days and keep them ready to produce them before law agencies on demand.
Most of the pubic uproar was centered around the need to store information for a period of 90 days. However, what got missed out was the fact that on one hand the widely used social applications were kept out of the ambit of the policy but on the other hand the makers of encryption products (not clear which ones) have to register their products with the government and also hand over the encryption keys. Even the original draft (under clause V.1, even before the follow-up addendum was issued) had the following language in there - "Mass use products like SSL / TLS are exempted from registration".
Is the process of exclusion of a large class of applications from the ambit of the law, not a contradiction? Who would decide what will get included and what will not? Also, what makes us believe that the social medium and "products of mass use" using SSL/TLS (proposed to be kept out of the policy) will not be misused by terrorists and anti-social elements? It is however interesting to note the recent testimony by FBI Director James Comey and Deputy Attorney General Sally Yates, the No. 2 official at the Justice Department, which was a part of an ongoing debate between the Obama administration and world's most influential technology companies. The issue in hand is the encryption technology in smartphones, that provides customers invaluable security in their communications and protection from hackers and corporate spies, is harder to monitor and intercept (messages between criminal suspects) even with a warrant (smartphone companies have enhanced the security of the mobile phone systems after the "Edward Snowden" incident).
Will the proposed rules serve the purpose?
If the objective is to have the capability to intercept messages of criminals and terrorists using digital medium, then how would it help if a large segment of the application systems (which constitute the bulk of the internet today) is kept out of the ambit of these rules? Even if these applications get included in the ambit of the policy, how would one ensure monitoring them when even the US govt is finding it hard to intercept these applications? (see apple's privacy rules). What makes us think that hardcore criminals will not come out with their own customized applications, with even stronger encrypted systems (most of these are freely available from the internet to download and are unbreakable)? Is it practically possible to block consumers from accessing all such systems with ever changing IP addresses? Also, what is the guarantee that the keys handed over by the vendors to the government (as a part of the registration process), will not get compromised by nonstate actors, thereby defeating the very purpose of this activity - which is to ensure secure and robust system for the benefit of the end consumer?
What is the Solution?
Security strategies need to revisited with the ever changing advancement in technologies. Gone are the days when tapping conversation in the telephone exchange would have been sufficient (when almost 100% of telecom system fell under the ambit of practical legal interception). The changing face of technologies has made the process (legal interception) not only difficult but most of the time impossible to implement. Mandating a framework of legal monitoring (through backdoor) will make the system weak and prone to hacking, thereby resulting in more criminal activities. Innovation in technologies needs to be tackled with innovative security strategies that too without compromising the robustness of the already well-functioning systems.
One effective solution could be to have a strong system of "identification of users" using the digital system. The International Mobile Station Equipment Identity (IMEI) numbers coupled with Aaadhar (UIDAI) can be used to identify genuine users using the system. IMEI numbers are assigned by GSMA and uniquely identifies a physical handset from all others. The problem with the current system is that it allows handsets with cloned IMEI numbers to function side by side with genuine devices. This is a huge security threat, as it prevents the security agencies to identify criminals who keep changing their mobile numbers and even have the capability to physically override the IMEI numbers of the same handsets (without having to procure a different one). Implementing a robust clone detecting system, which prevents unauthorised access of unverified users, or blocks a verified user from accessing the system with a handset with cloned IMEI number, will be much easier to implement and can be a huge step in the direction of meeting the objective of securing the overall system. Many countries in the world have either implemented the "cloned detection system", or are in the process of doing so.
Conclusion
While the government has the duty of not only protecting the interest of the people by enabling robust and secure internet but also is responsible for identifying and eliminating criminals and anti-social elements. No one will feel safe if criminals are fully empowered to misuse these technologies to promote crimes. Keeping the option of "backdoor access" into these encrypted systems by forcing the submission of encryption keys makes the system further vulnerable to misuse. The focus should not be on having the capability to intercept the system, but in identifying and preventing its access by criminals anonymously. Implementation of a UIDAI linked clone detection system will help significantly enhancing the security of the overall system, and in controlling criminal activities. The public demand for protecting individual privacy, and the need to enable a secure system, will surely promote a balanced and holistic encryption policy which will take into account all practical aspects of user behavior and the advancements in communication technologies.
(Views expressed are of my own and does not reflect that of my employer)
Dear MR. P K Basak, All that I understand, what will you do about applications which have been designed such that there is no way to provide any keys. Mind you these are popular applications. There is no way to intercept data in the current form these applications are designed. See apple's publicly stated privacy laws. Even the US government is finding it impossible to decrypt even with a warrant. Will you throw these companies out of india? In that case we have to learn to live without communication, and unwind ourselves to PSTN days. More so when all the latest technologies that we use are foreign grown and almost nothing is developed out of india. We need them in the interim to empower our domestic companies to become capable. This will take time. Hence, reading emails and messages is not a pratical solution. Moreover, if the Govt was so sure of the correctness of their path, why did they officially announce even in the current draft that they will exclude whatsapp and other popular web based services out of the ambit of the law (80% of Internet is these popular services)? It is not prratically impossible to monitor them all, and not in our economic interest. We have to find other innovative ways to deal with the situation.
Senior Advisor (Management & Technical) Retired
9 年Dear Parag In larger context all are private citizens, say in India or elsewhere. Today a significate %age of internet users become public nuisance under covert circumstances that is shaking the world. Hence intelligence steps are critical at acess & later in mainstream traffic.The keys can be with the special govt agency from where leakage is statistically negligible (e.g. nuclear combination keys). Of course monitoring is never 100%. But good leads will lead to close follow up of the relevant. traffic (just like in principle telephone tapping). Since all genuine encrypted packets will be decipherable under future law, those that cannot be will obviously be 'suspect'. While sensing the illegal packets the only option is to trace the source & 'forcefully break the code' as being done presently by US, UK etc (individually and/or jointly). Get miscreants in advance of time & check abuse as far as possible. Living on the ground is always a hard choice on rational balance of options. .
Dear MR. P K Basak, I am not questioning the government's right to monitor and intercepts communication between private individuals. They have the sovergin rights and should do so in national interests. But the real question here is that with all these technology advancements in place, is it possible to monitor 100 % of the communication of all the private individuals? Most of the terrorists will have IP packets running encryption which will be illegal and will not be enforceable in case they (terrorist) get to access the networks. And it it be impossible to identify and block these traffic flowing from one point to other. Sharing of keys solution is for law abiding citizens, and we know that they are not at all a threat to national security, and on the other hand the process of sharing keys will make the networks more venerable in case these get leaked and misused by non state actors. Why try a system which can only be forced on law abiding harmless citizens and cannnot be enforced on terrorist and criminals? That was the point that I was trying to drive through my note.
Senior Advisor (Management & Technical) Retired
9 年The Right to Privacy is not ‘Absolute’ & has many limitations. National interests can override any right or freedom anytime anywhere, The Govt can regulate subject to legal challenge (e.g. telephone tapping). An ‘IMEI clone detecting system’ may somewhat check access. However technologies in cloning, spying, hacking etc are usually ahead. . The focus has to continue on the internet mainstream - likely to be mixed with ‘unwanted & disguised’ terrorists, drug racketeers, money launderers etc. In this real situation, genuine users must be protected & at the same time miscreants tracked in advance. The elected Govt could preferably set up a special agency for e-intelligence. Also a retired high-level judge (HC or SC) may be empowered to monitor abuse / misuse, if any, in the guise of intelligence leads. You are aware of the Five Eyes Alliance (the secret services of UK, Canada, Australia, New Zealand & USA) that has a clear goal to remove the encryption of others on the Internet wherever possible. I guess the better option is to have the strongest encryption (like the German Govt's objective) with the enforceable mandate to share the necessary keys with the Govt. P K Basak Ex – Sr Advisor (Management & Technical)