Data Privacy Grey Areas (Part I) – Data Encryption

September 1, 2021

INTRODUCTION

 “What goes unnoticed is mostly meant to remain that way.” – Eugene Kaspersky

Today, Data Encryption is commonplace. Governments, businesses, corporations, transnational organizations and high-profile individuals use it all the time to ensure that their highly confidential information remains safeguarded and beyond the reach of online predators.

In order to understand how Data Encryption works and why it is useful, it is first important to understand what Data Encryption actually entails. Data Encryption is the translation of data into a different form, or code, so that only someone who holds a specific secret key (or the password from which that key is derived) can read and interpret it.

Such Encrypted Data is referred to as ‘Ciphertext’, and Unencrypted Data as ‘Plaintext’. At present, Data Encryption is one of the most effective and most commonly deployed methods used by organizations to secure sensitive data belonging to them and/or in their possession.

 

HOW IS DATA ENCRYPTED AND WHAT ARE THE TYPES OF DATA ENCRYPTIONS?

Data, or ‘Plaintext’, is converted into ‘Ciphertext’ by an Encryption Algorithm (a Cipher) operating under an Encryption Key. The Ciphertext can only be converted back into its original form, i.e. Plaintext, by decrypting it with the correct key. The algorithm itself is normally public; the secrecy of the data rests entirely on the secrecy of the key. Primarily, there exist two main kinds of Data Encryption, which are:

  1. Asymmetric Encryption, and
  2. Symmetric Encryption.

Symmetric Encryption uses Symmetric-Key Ciphers, in which the same key encrypts and decrypts the data, be it a message or a file; both parties must therefore already share that key, which has to reach them over some secure channel. Symmetric Encryption is typically much quicker than Asymmetric Encryption and is what actually protects the bulk of the data. Asymmetric Cryptography, also known as Public-Key Encryption, instead uses a mathematically related pair of keys, one public and one private. The Public Key can be shared freely with anyone, since it can only encrypt or verify; the Private Key, which alone can decrypt or sign, must remain secret at all times.

This pairing is what assures the confidentiality, integrity, authenticity and non-repudiation of e-communications and data, especially through digital signatures made with the Private Key and verified with the Public Key. In practice, companies and organizations do not choose one over the other: the two are combined, with Asymmetric Encryption used to exchange keys and to sign, and Symmetric Encryption used to protect the Confidential Digital Data that is stored on computers and transferred over the internet or other means.
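The combination just described, as an added worked example in Go that is not part of this article: the bulk data is sealed with symmetric AES-256-GCM under a fresh key, that key is wrapped for the recipient with asymmetric RSA-OAEP so that only the holder of the private key can unwrap it, and both parts are signed with Ed25519 so the recipient can verify who sent them. Only Go's standard library is used. The message text, the key sizes, the choice of RSA-OAEP plus Ed25519, and the in-line key generation are assumptions made for the example; a real system would load keys from a key store or certificate.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// sealSymmetric encrypts plaintext with AES-256-GCM under a shared 32-byte key.
// Output is nonce || ciphertext || tag; the same key is needed to open it.
func sealSymmetric(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openSymmetric reverses sealSymmetric. A different key, or any change to the
// sealed bytes, fails the GCM tag check and returns an error, not garbage.
func openSymmetric(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// hybridRoundTrip models one protected message: the sender seals msg under a fresh
// symmetric key, wraps that key for the recipient's RSA public key and signs both
// parts with Ed25519; the recipient verifies, unwraps and opens. Keys are generated
// inline only to keep the example self-contained (assumption: a real system loads
// them from a key store or certificate). Returns the recovered plaintext and
// whether the signature verified.
func hybridRoundTrip(msg []byte) ([]byte, bool, error) {
	recipientPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, false, err
	}
	senderPub, senderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, false, err
	}

	// Sender side: symmetric encryption of the bulk data ...
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, false, err
	}
	sealed, err := sealSymmetric(key, msg)
	if err != nil {
		return nil, false, err
	}
	// ... asymmetric wrapping of the key (RSA-OAEP; only the private key can unwrap) ...
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &recipientPriv.PublicKey, key, nil)
	if err != nil {
		return nil, false, err
	}
	// ... and a digital signature over both parts for integrity, authenticity and non-repudiation.
	signed := bytes.Join([][]byte{wrapped, sealed}, nil)
	sig := ed25519.Sign(senderPriv, signed)

	// Recipient side: verify first, so nothing unauthenticated is ever decrypted.
	if !ed25519.Verify(senderPub, signed, sig) {
		return nil, false, errors.New("signature did not verify")
	}
	recovered, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, wrapped, nil)
	if err != nil {
		return nil, false, err
	}
	plaintext, err := openSymmetric(recovered, sealed)
	return plaintext, true, err
}

func main() {
	pt, ok, err := hybridRoundTrip([]byte("board minutes: confidential"))
	fmt.Printf("plaintext=%q signature_ok=%v err=%v\n", pt, ok, err)
}
```

Two points worth noticing when running it: the symmetric layer uses an authenticated mode (GCM), so a wrong key or a single flipped byte is rejected outright rather than silently producing corrupted plaintext; and the recipient checks the signature before touching the ciphertext, so a forged message is never decrypted at all.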

Given the intricacy involved, the implementation of Data Protection measures such as Data Encryption requires organizations and companies to formulate and abide by a Data Encryption Policy which sets out the norms, rules and operating conditions to be followed while dealing with Sensitive Data. Such policies generally differ based on the nature of an organization’s work and dealings, the situations in which it operates and the statutory requirements that apply to it.

 

HANDLING DATA ENCRYPTION

The responsibility for handling Data Encryption within a business or organization is influenced by many factors, such as the organization’s size, sector of operation and working conditions. It can be argued that whoever controls the Encryption Keys, which can be used to decrypt and recover all the protected data, holds the ultimate responsibility: encrypted data is only as well protected as its keys are.

In order to avoid loss or misuse of Data resulting in a breach, it is extremely important to limit access to the Encryption Keys to a few duly authorized individuals (and systems) only. But the bigger question is whether organizations and corporate houses store consumers’ data together with the Decryption Key themselves or not. For instance, Social Media giant WhatsApp is known for its strict End-to-End Encryption (E2E) policy and practices, under which the keys exist only on the users’ own devices, so that the information exchanged between the sender and the receiver is not accessible to any third party, not even to WhatsApp itself.

On the other hand, Facebook has often been in the news, accused of selling consumer data to third-party organizations, data which included personal details such as date of birth, relationship status, employment status, and even email addresses and phone numbers, posing a big question mark over the Data Protection and Encryption Policies and measures which it claims are being actively implemented.

The bottom line remains that there is a dire need for implementing a comprehensive Data Protection regulatory framework in order to hold these Social Media organizations accountable for their actions and to mandate them to follow proper protocols pertaining to Data Encryption and other Data Protection measures.

 

ACCOUNTABILITY FOR DATA

When data is misused and/or disclosed without proper and due consent, it calls for accountability and the operation of strict legal provisions. Be it the General Data Protection Regulation (GDPR) in the European Union or the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (IT Rules) in India, when we analyze the two regulations, it is observed that both are intended to enforce Data Protection in one manner or another.

However, it is the difference in enforcement measures that causes the rift. While the GDPR heavily penalizes any breach of Data Security, including the failure to adopt protective measures such as encryption, the IT Rules in India seek to get past the limits that Encrypted Data places on access, in the name of protecting ethics and online security.

With the coming into force of the IT Rules, the Indian Government is mandating Social Media Organizations and several other Media Corporations, including OTT Platforms, to make secured data readily available on the Government’s request so that it can track down “offenders” online. On the other side, this will require the companies to compromise their users’ privacy in order to help the Government maintain decency in public internet spaces.

For this very reason, WhatsApp filed a case against the Government of India before the Delhi High Court, alleging that the IT Rules violate an individual’s Right to Privacy, since the IT Rules, amongst other things, require the concerned organization to decrypt the conversation between two or more people in order to trace the “first originator” of a particular message/post. In comparison, while Twitter chose not to comply with the IT Rules, Instagram, Facebook and other social media platforms have complied with the same.

 

AMLEGALS REMARKS

The recent introduction of the IT Rules has led to debate and deliberation on the decrypting of messages sent through Social Media Platforms in order to comply with the Government’s orders. The debate arose because, to comply with such directions, the Social Media Companies would be required to breach the End-to-End Encryption promised to their users. The most pressing issue in this regard is whether such directions violate the Fundamental Right to Privacy.

While considering this, it is also pertinent to note that these Social Media companies have often come under scrutiny for selectively following the laws of different countries. For example, WhatsApp readily accepted compliance with the European Data Protection Laws but is reluctant to follow the laws introduced in India. In fact, the recent Privacy Policy announced by WhatsApp in India, which stipulated the sharing of WhatsApp’s user data with Facebook, caused quite a stir in India, where it was mandatory for users to agree to the Policy while the same was optional for users in the European Union.

Apart from legal measures imposed by the State, there are other contemporary challenges to Data Encryption as a Data Protection measure, namely hackers and online predators. The most basic method of attacking encrypted data is a brute-force attack: trying every possible key until the right one is found, which is only feasible where the key is short or was derived from something guessable, such as a password or PIN. Other methods are also deployed. Cryptanalysis studies the Cipher itself for a mathematical weakness that lets the key or the plaintext be recovered faster than brute force, whereas side-channel attacks go after the implementation rather than the Cipher, measuring things such as the timing, power consumption or error messages of the system doing the decryption to learn about the key. In practice these attacks generally succeed not because a modern Cipher is broken, but because of an error in the way the Data Encryption was executed, in the management of the keys, or in the system design itself.
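The brute-force case mentioned above, as an added example in Go that is not part of this article: a constructed, deliberately weak scheme derives the AES key from a 4-digit PIN with a single unsalted SHA-256, so an attacker has only 10,000 candidates. Because AES-GCM authenticates the ciphertext, every wrong PIN is rejected with an error and the right one is recognised immediately, which is exactly the "is this the key?" test an exhaustive search needs. The PIN, the sample message and the derivation scheme are assumptions made for the example; the contrast with a uniformly random 256-bit key is computed alongside.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// pinKey derives a 32-byte AES key from a 4-digit PIN the way a careless
// application might: a single SHA-256 of the digits, no salt, no work factor.
// (Deliberately weak, constructed for the demonstration; do not copy this scheme.)
func pinKey(pin int) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%04d", pin)))
	return sum[:]
}

// sealWithPIN encrypts plaintext with AES-256-GCM under pinKey(pin).
// Output is nonce || ciphertext || tag.
func sealWithPIN(pin int, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(pinKey(pin))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openWithPIN tries one candidate PIN. GCM authenticates the ciphertext, so a
// wrong PIN yields an error rather than plausible garbage: the attacker gets an
// exact "right key or not" oracle for free from the cipher mode itself.
func openWithPIN(pin int, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(pinKey(pin))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// bruteForcePIN is the attack: try every PIN 0000..9999 in order and stop at the
// first one that authenticates. Returns the PIN, the plaintext and the number of
// decryption attempts made.
func bruteForcePIN(sealed []byte) (pin int, plaintext []byte, attempts int, err error) {
	for candidate := 0; candidate < 10000; candidate++ {
		attempts++
		if pt, openErr := openWithPIN(candidate, sealed); openErr == nil {
			return candidate, pt, attempts, nil
		}
	}
	return -1, nil, attempts, errors.New("no PIN authenticated the ciphertext")
}

// keySpace returns 2^bits, the number of candidates an attacker faces when the
// key is instead drawn uniformly at random, for comparison with the 10^4 above.
func keySpace(bits uint) *big.Int {
	return new(big.Int).Lsh(big.NewInt(1), bits)
}

func main() {
	// Constructed sample input: a PIN and a message chosen for the demonstration.
	sealed, err := sealWithPIN(4729, []byte("account balance: 100"))
	if err != nil {
		panic(err)
	}
	pin, pt, attempts, err := bruteForcePIN(sealed)
	fmt.Printf("recovered pin=%04d plaintext=%q after %d attempts (err=%v)\n", pin, pt, attempts, err)
	fmt.Printf("a random 256-bit key would need up to %s attempts\n", keySpace(256))
}
```

The search finishes in a fraction of a second because the weakness is in the key, not in AES: the cipher is doing its job, but the key was chosen from a space of ten thousand instead of 2^256. That is why encrypting with a password-derived key needs a salted, slow key-derivation function and a long passphrase, and why a key that is generated at random, rather than remembered, is preferable wherever a system can store it.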

The most important thing is to understand Data Encryption as a measure of Data Protection and Security. Companies and organizations face many challenges in securing their data and preventing its loss. As employees and consumers use external devices on public networks, removable media and online applications ever more often as part of daily life, sensitive data frequently leaves the company’s or sender’s control and protection.

In order to avoid such situations adversely impacting the privacy and rights of users, ensuring that devices are encrypted by default (full-disk encryption switched on automatically) is a must. Working in sync with regulatory compliance and following practices such as sending encrypted emails when working on public networks and enabling automatic Data Loss Prevention solutions can help keep the data as well as the Encryption Keys safe.

While Data Encryption may seem like a daunting, complicated process, modern device encryption and Data Loss Prevention software handle it largely transparently to the user. In the end, keeping your work/private information safe is the utmost priority, not only for preventing the loss or misplacement of data and avoiding unforeseen mishaps, but also to make sure that your Right to Privacy stays intact.

– Team AMLEGALS, assisted by Mr Aryan Srivastava (Intern).

___________________________________________________________________________________________________________________________________________

 

For any query or feedback, please feel free to connect with vineeta.tekwani@amlegals.com or aditi.tiwari@amlegals.com.


© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.
