Cybersecurity Conundrum and the Right to Privacy

Not long ago, IT and Communications Minister Ravi Shankar Prasad was the happiest person after getting the spectrum auction right, which resulted in the government earning over ₹ one lakh crore. Ever since, the government has had to go through a lot of embarrassment over the net-neutrality debate, the call drop issue and now, the encryption conundrum. While we are seeing some action from the government, the Telecom Regulatory Authority of India (TRAI) and the telcos on the call drop issue, the draft net-neutrality policy is still being re-worked. Why is there a hullabaloo over the encryption draft policy? Is the encryption problem specific to India alone? Before we go into how other countries are handling this, let us get a basic understanding of encryption.

Encryption is a mechanism used to ensure that any content (e-mail or any message sent over the internet) is securely transmitted from the sender to the receiver. Essentially, the content is scrambled (using some encryption key or some random number), so that only the intended receiver can read it through a process called decryption (the opposite of encryption). It is safe to assume that all the content exchanged on the internet is encrypted, and there are many different ways of encryption used by different companies. WhatsApp or Facebook or any other service provider would use different encryption mechanisms. In fact, all the internet banking and e-commerce sites too use encryption for secure communication.

Why is this an issue? Countries, including India, see a threat to national security as there can be communication between possible criminals. Hence, governments want to define encryption methods to be used. This means, the government can read (sniff) the data being exchanged and assess any security threat. The draft National Encryption Policy wants the government to access all forms of online communication between government, citizens and corporates. So, does the government want to control everything?

There is no doubt that cyber surveillance is needed and even if we assume that the intention behind the encryption policy is only to ensure safety and prevent any compromise on national security, it is important that privacy is not breached. That’s the tricky part. It is not surprising to see such an uproar over the encryption draft policy that was released recently. The bizarre provision asking people to store all messages, like WhatsApp messages and call logs on their mobile phones for 90 days, created a lot of confusion. The telecom minister clarified that individuals need not store them and that the policy was not applicable to social media. But again, it is not entirely clear why the government would allow social media, especially services like WhatsApp or Viber, to be removed from the purview, as these are easy communication applications and could be misused. In any case, the government has salvaged the situation by revoking the draft policy, which is expected to be re-drafted.

As with the net neutrality issue, the encryption issue is also a hotly debated subject across the globe, including in countries like the UK and USA, and the rest of Europe. In the US, government security agencies have been fighting for access to encrypted data, arguing that if access is denied, it could result in their inability to get some potentially life-saving information. The government wants the communication systems to be designed in such a way that full access is provided to the law enforcement agencies. In fact, a recent news report suggests that the Information Technology Industry Association, representing technology companies like Google, Apple, Facebook, Microsoft and IBM, has asked the Obama administration not to push for access to data from smartphones and other digital devices.

Another report states that a group of influential computer scientists in the US have dismissed the move by the government to access data as unprincipled and unworkable. The report argues that if the law enforcement agencies are provided guaranteed access to everything, an attacker or hacker who gains access to the very agencies can create unprecedented havoc. The UK government faced a huge embarrassment after there was a proposal to completely ban all types of encryption. As expected, there was a huge uproar and Prime Minister David Cameron had to clarify that the government would look for alternate solutions for handling the encryption issue. The government’s U-turn was seen as a victory by the UK’s internet users. Security experts, governments and regulators across the globe are still debating if governments could have avoided 9/11 in the US or the attack in France earlier in January this year. Also, questions are being raised about how many more such attacks are required for some stringent action to be taken. It may be recalled that post the 26/11 Mumbai attacks, the Indian government had a long dispute with Blackberry over access to mails, chats and internet browsing history. Eventually, Blackberry agreed to provide lawful access to the government. Hopefully, the government and the telecom department have learnt something from that experience.

But then, the moot question remains: how much access must the government get? Can the government work with application service providers like WhatsApp to provide back-end access to data on a need basis? Can the government get the telcos to provide access to the data? Will the technology companies, most of them based outside India, agree to provide access? Will Indian telcos agree? The legal aspects must be thoroughly examined before proceeding with the proposal.

Also, it is important to note that the recommendations in the US or Europe may not be directly relevant in India as our internet market is not as mature. This means we will need an India-specific solution, and there is a huge opportunity for India’s premier technology institutions like the IITs and IISc to make a mark.

Looking at the complexity of the issue and larger implications due to multiple stakeholders, it is better to have some in-depth deliberation by creating a “select group” with an extensive representation from across the board before making the policy available for public comments. It is also imperative that the new draft considers a phased approach for implementation. The government could have avoided the embarrassment without having to rush, considering that the draft National Encryption Policy was in the works for six years or so.

In order to avoid future fiascos, Ravi Shankar Prasad has now asked for better coordination amongst the different departments in his ministry and has asked for a clear process/procedure to be created. In fact, such a process would be relevant for other ministries as well. The government has all the rights to implement policies since national security is paramount, without compromising on citizens’ privacy. Can the government get the balancing act right?

(Views expressed are personal)

The author is an ICT professional and columnist. E-mail: krishnak1@outlook.com

The New Indian Express
www.newindianexpress.com