INTRODUCTION
In this digital age with the rise of data collection by various entities, data privacy has gained a lot of importance for new age digital users.
Data Encryption in the light of online communications is the final lock that secures the data of an individual by preventing any access to a third party. The dark nature of this concept is the reason that it has always been a bone of contention between the Advocates of free speech and privacy and the State.
Data Decryption is the opposite of Encryption and means making the data accessible for use. Data Erasure is another important concept that gained much recognition in the European Union (hereinafter referred to as the “EU”) but still has not been given concrete acceptance by the Legislature or the Law.
This blog shall delve into the concepts of Data Encryption, Decryption and Erasure.
ENCRYPTION AND DECRYPTION
According to the Indian laws, the process of transforming plain text into text that cannot be decoded or accessed without utilising a decryption process is known as Encryption. The Science of Encrypting and Decrypting Data is referred to as Cryptography.
The process of Cryptography is an important tool for securing online communications wherein the text by the first party is converted into a cipher text and then sent to the receiver i.e. the second party, with a certain decryption code to convert it back to plain text and access the same. In this whole process, the original text cannot be used by any third party unless they have access to the decryption code.
In recent times, all major Over-The-Top (hereinafter referred to as “OTT”) service providers like WhatsApp and Telegram, among others, have engaged this process. This cryptography ensures that a particular communication is only between the sender and the receiver and no third party can access it or other such private communications.
This nature of non-accessibility to third parties has led to the problem of “Going Dark” issue, which means that even the security agencies are oblivious of such communications which may cause unlawful activities. This is one major problem based on which the State justifies surveillance on online communications.
EMERGENCE OF ENCRYPTION
The need of encryption arose when during Snowden Leaks it was found that the American Law Enforcement Agencies were accessing communications under the garb of surveillance and violating the digital privacy of the people.
- In India, the use of online communication for malicious activities was brought into the limelight when it was found that in the infamous attacks of 26/11, the terrorists had used Blackberry devices to communicate with their handlers in Pakistan;
- Other such uses that justify State surveillance and non-encryption include dissemination of fake and inciteful news;
- Child Pornography is another such illegality which is disseminated through these platforms in the dark.
USE OF ENCRYPTION BY INDIAN AGENCIES
Though no Central Legislation provides encryption standards, various sector regulators have stipulated the same. Some of the standards are listed below:
- One the major regulator is Securities and Exchange Board of India (hereinafter referred to as “SEBI”), which has prescribed that data in transit should be encrypted using 128-bit encryption and that encryption should be used for internet-based trading.
- The Reserve Bank of India (hereinafter referred to as “RBI”) has prescribed banks to protect data at rest and in transit.
- Unique Identification Authority of India (hereinafter referred to as “UIDAI”) has held that Personal Identity Data (hereinafter referred to as “PID”) should be encrypted with a dynamic session key.
- Ministry of Health and Family Welfare (hereinafter referred to as “MoHFW”) has specified that all recorded patient data must be encrypted and decrypted using the best available key strength.
- Even Telecom and Internet Service Providers are allowed to keep encryption until a certain limit beyond which they need to seek an approval.
DATA ERASURE
Data Erasure, also referred to as Right to be Forgotten in the EU regime is a right that has been provided to users to request certain data to be erased from the data repository or the internet. The idea behind Data Erasure is that the data has achieved its purpose during its life cycle and hence, should be erased.
The concept gained wide recognition because once a thing gets uploaded on the Internet; it remains there forever for the whole world to see. This data or information may sometimes be sensitive or defamatory in nature, which can cause an individual to lose out on future opportunities due to their past actions.
Such a right was provided by the Personal Data Protection Bill, 2019 (hereinafter referred to as “the Bill”) but since the Bill itself was withdrawn, the Right to Data Erasure failed to see the light. Even the Judiciary was not fixated on the same and had concluded that it would be better if the Central Government itself recognises the Right to be Forgotten or the Right to Data Erasure by Law. In a report conducted by Deloitte- Blanco, it was found that out a large number of organisations in India, only 21% were aware about data sanitisation and erasure practices and this is often because of the unawareness of most of the organisations regarding where the data is.
DATA ENCRYPTION AND RIGHT TO PRIVACY
In 2017, the 9-judge bench of the Supreme Court in the Justice KS Puttaswamy (Retd.) v. Union of India [(2017) 10 SCC 1] unanimously held that the Right to Privacy is a fundamental right under Article 21 of the Constitution of India (hereinafter referred to as the “Constitution”). The judgement dealt with both informational and communicational privacy, which are closely related to encryption.
The judgment imposes a negative obligation on violating individual privacy and imposes a positive obligation on the State to protect the privacy of its citizens by taking all required and necessary steps.
Moreover the Supreme Court also recognised both State and Non- State actors as a threat to the privacy of a citizen and held that the scope of the Right to Privacy is not exhaustive and may also include encryption.
Thus, though not explicitly it can also be inferred that Right to Encrypt Data is also an essential part of the Right to Privacy and such encryption should be allowed.
WHATSAPP AND END TO END ENCRYPTION
WhatsApp is among the most popular internet messaging applications which provides End-to-End Encryption, which means that only the sender and receiver are privy to the communication and the same is not accessible to any third party.
As has already been discussed above, this encryption has sparked a Going Dark v. Golden Age for surveillance debate which is basically between the privacy and free speech activists and the state with nationalist interests.
One such argument against decryption and back door entry is that, with there being large number of such encryption providers, the perpetrators may shift to other services as a blanket ban on encryption and cannot be imposed on all such communication applications in the garb of national security.
AMLEGALS REMARKS
Data Encryption is a tool in the hands of the everyday digital user to have secured communications without the fear of some third party accessing their data or communications and enjoy digital privacy. In the existing debate between Going Dark and Golden Age for surveillance, the Government can formulate a new policy which would strengthen the encryption practices and also ensure the privacy of an individual. Such policy should also have a provision for constitution of a Central Authority which would have the power to direct the intermediaries to decrypt data in the rarest of rare case.
India, in these times, should adopt a pro-encryption policy in order to ensure that the privacy of its citizens is protected and even financial transactions and other services which can be secured through encryptions flourish.
India is in dire need of a new Data Protection Regime and a new National Encryption Policy, which provides for high-strength encryption of personal data as well as offers judicial leeway to law enforcing authorities to access encrypted data and communication in the case of a crisis.
Data Erasure is also an important tool which should be recognised in India as it has been in the EU, though with the necessary modifications to prevent it from overarching the right to free speech. Data Erasure would allow individuals to control their data in public and uphold informational privacy.
– Team AMLEGALS assisted by Mr. Niloy Ghosh (Intern)
For any queries or feedback, please feel free to get in touch with chaitali.sadayet@amlegals.com or aditi.tiwari@amlegals.com.
Leave a Reply