Traceability
Introduction
Encryption technology has popularly been used for varied purposes including secure communication.
This allows individuals to communicate with each other without anyone else being able to
monitor the content of such conversations. This keeps such conversations outside even the
purview of Law Enforcement Agencies (‘LEAs’). This preserves the privacy of the users and allows them
to safely communicate without any threats of surveillance. However, this aspect of encryption
technologies has also led to States, including India, seeking the introduction of ‘backdoors’ to this
technology, particularly citing concerns of misinformation, child pornography, and national security. In
the year 2020 itself, encryption has faced multiple challenges across the globe. They include the
proposal of an Act to mandate encryption backdoors in the United States, opposition to the proposal
from Facebook to introduce encryption in its Messenger service, and blocking of ProtonMail in Russia
owing to concerns of misinformation. In India specifically, an ad hoc Rajya Sabha committee
recommended undermining of encryption to fight child pornography, and the Indian government jointly
signed a statement with six other States arguing safety risks of end-to-end encryption.
In this debate, a particularly interesting feature that has influenced the discussions on encryption in
India is the proposal to mandate traceability of messages sent on social media platforms. It is this
proposal that we seek to analyze in this paper in the context of the right to privacy that has been
recently accorded the status of a fundamental right in India. Accordingly, in the second section, we lay
down the contours of the right to privacy and the test laid down by the Supreme Court in the
Puttaswamy decision to determine its infringement. Then in the third section, we look at the encryption
debate as it has developed in the Indian context. In the fourth section, we carry out the substantive
analysis of the traceability proposal on the Puttaswamy test and argue that it does not satisfy the same.
Finally, in conclusion, we briefly touch upon some of the alternatives to encryption backdoors that are
currently in practice.
The question of whether privacy is a fundamental right first arose in 2015 before a three-judge bench of
the Supreme Court. The Court was assessing the constitutional validity of the Aadhaar ecosystem. Therein
the learned Attorney General had argued that Part III of the Indian Constitution does not accord the
right to privacy the status of a fundamental right despite case law to that effect, as larger benches of the
Apex Court in M P Sharma 1954 SCR 1077 (8 judge bench) and Kharak Singh 1964 SCR 332 (6 judge
bench) have ruled otherwise. Thereafter, the three-judge bench referred the matter to a five-judge
bench to ensure “institutional integrity and judicial discipline”. Ultimately, the five-judge bench referred
the constitutional question to an even larger bench of nine judges to pronounce authoritatively on the
status of the right to privacy. This culminated in the decision in Justice K.S. Puttaswamy (Retd.) v. Union
of India (2017) 10 SCC 1.
The operative part of the judgment in Puttaswamy over-ruled the decisions in M P Sharma and Kharak
Singh to the extent that they held the right to privacy was not protected by the Constitution. The
nine-judge bench ruled that the ‘right to privacy’ is an intrinsic part of the right to life. Accordingly, it further held
that the body of case law that developed subsequent to Kharak Singh, recognizing the right to privacy,
enunciated the correct position of law.
As the Puttaswamy decision rooted the right to privacy in Article 21 of the Constitution it can only be
taken away through procedure established by law. The Supreme Court has already clarified in the
Maneka Gandhi v. Union of India (1978) 1 SCC 248 decision that this procedure has to be just, fair and
reasonable. How ‘due procedure’, among other standards of ‘judicial review’, will operate in cases
where the state restricts the fundamental right to privacy has also been explained in the Puttaswamy
case through a four-fold test created on the basis of the observations made by Justices Chandrachud
and Kaul. The four elements of the test are as follows:
(i). Legitimate Aim stage: The court is required to check if there’s a legitimate aim to infringe upon the
right to privacy.
(ii). Suitability or rational nexus stage: This requires the court to examine if there is a rational connection
between the infringement of the right and the purpose of the restriction. In other words, it has to be
seen whether the measure is suitable for achieving the purpose of the restriction.
(iii). Necessity stage: This is to test if there is a less restrictive or equally effective alternative means of
achieving the goal in terms of restrictions on the right.
(iv). Balancing stage: Herein, the benefit that the State gains by restricting the right has to be balanced
with the impact of loss of the right.
If any restriction fails to satisfy the above four-pronged test, then it would amount to a violation of
Article 21.
The Indian encryption debate has been moulded on the anvil of the Indian Telegraph Act. Section 5 of
the Indian Telegraph Act empowers the government to lawfully intercept and monitor communication.
Additionally, Section 84A of the Information Technology Act, 2000, (“IT Act, 2000”) was introduced
through an amendment in 2008. It allowed the government to prescribe modes and methods for
encryption to ensure secure use of the electronic medium and promote e-governance and e-commerce.
Following a more prescriptive mandate of regulation, Section 69 of the IT Act, 2000, allowed the Central
and State governments to monitor and collect information through any computer resource for
cybersecurity. This is supplemented with the Information Technology (Procedure and Safeguards for
Interception, Monitoring and Decryption of Information) Rules, 2009. Its Rule 9 provides that an order
for decryption could relate to any information sent to or from a ‘person or class of persons’ or relate to
‘any subject matter’.
With the growing challenge of the proliferation of Child Sexual Abuse Material (‘CSAM’) online, several
countries including India have been growing apprehensive about the increase in encryption technology
making it difficult to trace pornographic content and catch CSAM criminals. It was in this atmosphere
that the National Encryption Policy was formulated in 2015. Critics opined that it was more of a
‘decryption’ policy because it only allowed platforms to function if they complied with the mandatory
regulatory mechanism. The policy was said to simply secure government access to encrypted data,
rather than securing user data. The Draft Intermediary Guidelines of 2018 further rekindled this debate
by proposing to mandate intermediaries to introduce traceability on their platforms.
The new IT rules were finally notified by the Government on 25th February 2021 as the
Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“IT Rules,
2021”). In a bid to enforce traceability, Rule 4(2) of the IT Rules 2021 lists out all the exceptions
mentioned in Article 19 (2) of the Constitution. This is despite the extant criticism of the similar provision
in the Draft IT Rules of 2018 from stakeholders across the ecosystem.
The proposal to mandate traceability seeks to ensure that platforms introduce technological updates to
ensure that the original sender of a particular message could be traced. While some argue that this
could be carried out without undermining the end-to-end encryption that WhatsApp provides, the
common opinion is that it is not technologically possible to introduce traceability without undermining
encryption. Admittedly, the Supreme Court in the Puttaswamy judgment explained that the
Government’s access to personal data for legitimate national security concerns is a reasonable
restriction on right to privacy. However, the Apex Court also reiterated that such exceptions must be
narrowly tailored and must meet the four-fold test prescribed in the decision, as discussed earlier.
Accordingly, in the next section we shall analyze whether the traceability requirement satisfies this four-
pronged test.
With specific reference to backdoors on encryption, and legitimizing it based on the concerns of
terrorism and prevention of crimes, the UN Special Rapporteur on the promotion and protection of the
right to freedom of opinion and expression has stated that governments have not demonstrated that
criminal or terrorist use of encryption serves as an insuperable barrier to law enforcement objectives.
Moreover, it has been noted by the UN Special Rapporteur on Freedom of Expression, Frank La Rue, that
it is a matter of concern that vague and unspecified notions of national security have been unduly used
to justify interception and access to communications. The use of an amorphous concept of national
security to justify invasive limitations on the enjoyment of human rights is of serious concern.
It is broadly defined and is thus vulnerable to manipulation by the State as a means of
justifying actions that target vulnerable groups such as human rights defenders, activists,
whistle-blowers etc.
Accordingly, in Canada and the US, the tests of “pressing and substantial objective” and “compelling
government interest” respectively have been disregarded as they are insufficiently rigorous.
In Klass and Ors v. Germany (1979) 2 EHRR 214, the European Court of Human Rights took note of the
development of sophisticated forms of espionage and terrorism and ruled that national security concerns are
justified only under exceptional circumstances. Given that undermining encryption is not possible on a
case-to-case basis but is done en masse, the legitimacy of this action is in question.
Suitability of the measure or rational nexus between the infringement of the right and the purpose for
the restriction
The purpose of introducing traceability as given by LEAs is that it would enable them to catch cyber
criminals. However, the suitability of this measure to achieve the said objective is contestable given that
studies suggest that creating backdoors does not stop criminals from using encryption. In fact, it makes
it more difficult for the police to catch them. Encryption is a tool which is available online for anyone to
download and use even if the government bans it. The knowledge required for building encrypted
platforms is readily available in the public domain. Criminals already know how to write their own
encryption codes. If a vulnerability or backdoor is created on popular encrypted platforms for the LEAs
to use to track perpetrators then the savvy criminals will simply shift to another platform, possibly their
own platform which is well encrypted.
Websites like GitHub are a storehouse of open source software for creating encrypted platforms which
can be used by non-state actors to develop their own encrypted platforms, the moment they get
concerned about backdoors being introduced in popular messaging platforms. The Signal protocol which
has one of the most enhanced end-to-end encrypted protocols with no known backdoors is also
available on GitHub. Moreover, a software known as Mujahideen Secrets was developed by al-Qaeda
way back in 2007 to encrypt their online communications. Likewise, following the Snowden leaks in 2013
on NSA surveillance, three different terrorist organisations including GIMF, The Al-Fajr Technical
Committee, and ISIL, created their own unique encryption tools.
Recently, The Global Encryption Coalition released a non-technical paper explaining why undermining
encryption is in fact not at all a solution to terrorism or CSAM proliferation in the cyberspace, and how
undermining encryption would create more problems than it seeks to resolve. It is equally noteworthy
that if encryption is broken then users will have no guarantees of their data being safe due to the lack of
a robust data protection regime in India. In order to emphasize the need for such a regime, the case
study of the Minnesota Database queries is important. In Minnesota, more than 62% of police officials
were reported to have used the surveillance capabilities of the State to surveil their ex-wives and
ex-girlfriends, which is an apt example of this threat.
Hence, undermining encryption will only mean that the police, at best, will be able to catch the gullible
and less technically adept criminals, while the smarter ones who are more dangerous perpetrators of
the online vices will easily get away. Further, without adequate safeguards for data, it will indeed be a
concerning issue for the citizens to trust institutions that collect and store their data.
Necessity Stage:
In order to satisfy this test, the government will have to prove that there is no other less restrictive way
for the government to get the data for tracking CSAM and catching its proliferators than to break end-
to-end encryption. Some might argue that because there is no other way to get the information about
who the originator of the content was, traceability may just meet the proportionality test. However,
there are a plethora of studies which establish that in most cases access to ‘content data’ is not required
and the availability of metadata is sufficient. Moreover, as Europol’s SIRIUS Digital Evidence Report
explains, the tedious process of obtaining digital evidence via the Mutual Legal Assistance mechanism
and the lack of standardization in company policies make it almost impossible to successfully process
content data obtained from undermining encryption to achieve the desired result of tracking criminals.
In any case, the justification and proof that the demand for traceability is indeed the least restrictive
means available have to come from the State. This burden is something which the State has failed to
meet till now.
On the other hand, UNICEF has recently released a report explaining how encryption is crucial to ensure
online child safety. Even the TRAI after two years of extensive consultation with leading stakeholders in
the ecosystem, analysis of international jurisprudence and the discussions at the International
Telecommunications Union opined that the encryption technology should not be tinkered with. It was
observed in its report that if the encryption technology is broken then the platforms will not be able to
provide the same level of security to the users who will be rendered vulnerable to cyberattacks and
surveillance.
Balancing Stage
To meet this requirement, it needs to be proven that the balance between the right to privacy of the
citizens and the government’s argument of national security to introduce traceability lies in the latter’s
favour, allowing for the infringement of privacy. It is difficult to satisfy this test as privacy of the citizens
is the foundational block of national security. The exercise to create this balance is rendered even more
difficult in light of the fact that the argument of national security on the basis of which the LEAs try to
justify the demand of backdoors is itself compromised due to weakened encryption. The Greek
Watergate Scandal, popularly known as the “Athens Affair”, where the political and military elites of
Athens were spied on using a vulnerability introduced for lawful interception, is perfect evidence of this
fact. Accordingly, the introduction of traceability will make the platforms vulnerable to foreign
surveillance and attacks by savvy criminals, which will in turn threaten user safety and privacy,
eventually leading to a national security crisis in itself rather than solving the existing one.
Compromising encryption has ramifications for not just privacy of the citizens but also for the
digital economy and critical information infrastructure of the nation. Online banking and e-commerce
services can be rendered vulnerable due to weakened encryption leading to loss of consumer trust and
harm to the competitiveness of the companies in the global market. High-end encryption technology
protects not just users and businesses, but also Critical Information Infrastructures of the government
like those of Aadhaar and Aarogya Setu among others. In addition to these, undermining encryption will
also have adverse effects for cross border data flow. Hence, the government’s demand for traceability to
combat online challenges can certainly not be balanced against the ramifications of backdoors on a
country’s socio-economic health in addition to its impact on the security and the fundamental right to
privacy of the citizens.
Summing Up
In light of the above arguments, it is difficult to justify the demand to introduce traceability on
encrypted platforms on the threshold of the four-fold test proposed in the Puttaswamy judgment. The
Puttaswamy case also requires a case-by-case analysis to determine whether the intrusion is valid.
However, undermining encryption would render the whole population susceptible to cyber-
vulnerabilities. Thus, a blanket creation of a backdoor, i.e., an exploit within a secure platform, that
compromises the privacy of all would be worrisome, and is certain to fail the test of Puttaswamy.
This implies that there is a need to look at possible alternatives to remedy the problems that traceability
seeks to resolve. A primary measure to this end should be strengthening LEA capabilities in metadata
analysis which, as mentioned earlier, would enable them to carry out effective investigations. For
misinformation in specific, a recent alternative that has been used is that of content moderation and the
addition of filters regarding the veracity of the information by social media platforms such as Twitter.
This solution, however, has also left a lot to be desired in implementing it at scale or tackling the
existing COVID-19 pandemic that has impacted the already limited availability of content moderators