Executive Summary & Recommendations: Report on Analysing the National Security Implication of Weakening Encryption
Encryption in today’s increasingly interconnected world is perhaps the only technology that provides us a sense of safety online. It is the most important enabler of free speech and thus, indirectly, allows internet-enabled communication to offer in the digital world the same privacy we expect from a physical conversation with another person. Despite its pivotal importance in maintaining individual privacy, it does hamper the state’s ability to carry out legitimate state security actions in certain cases. Most debates seem to address the topic as a Privacy vs. Security binary. We reached out to key stakeholders to get a more nuanced perspective on this debate. We then held semi-structured interviews with veterans from intelligence and law enforcement agencies to appreciate the challenges they faced in investigating cybercrimes and their interaction with end-to-end encryption technology. Our findings are listed below:
Firstly, weakening encryption technology through backdoors has short-term benefits with long-term consequences, as States cannot be secure if their citizens are not. Mandating backdoors, whether through legal or other means, has short-term advantages for the intelligence agencies intent on targeting bad actors, but in the long term it impacts their own citizens, thus not only nullifying the short-term gains but also creating exponential long-term costs.
Secondly, in our interactions with former and serving members of India’s intelligence community, we learnt that there is a significant lack of capacity on the part of our intelligence infrastructure to analyze metadata as well as to effectively use any decrypted content that even a backdoor may provide, should the state go through with such legislation. In such a scenario we recommend capacity building, preferably without compromising E2EE, especially when studies indicate that E2EE does not need to be done away with or weakened to achieve state objectives. It is thus crucial to stop legislating encryption-hostile laws.
Thirdly, a net importer of weapons with no indigenous capability to build, maintain and service them cannot be a credible military power. Correspondingly, a net importer of encryption technologies with no capability to build, break and maintain them cannot be a credible cyber power. Given that more and more weapon systems and critical infrastructure are getting digitalized, a Nation-State that has encryption debt (like India) will always be vulnerable.
Just as a country in debt cannot hope to come out of it by going deeper into debt, encryption debt cannot be reduced by becoming more hostile to encryption, as this erodes whatever cyber capabilities exist, across the spectrum. Hence an action plan for reducing encryption debt is a must, and developing an E2EE stack offers a faster way to get there.
Fourthly, Indian surveillance projects need to be reformed in order to abide by the Puttaswamy mandate while increasing their technical expertise to use metadata for meeting state security goals. This is recommended considering that making backdoors into E2E encrypted platforms is largely futile, as it will only push illegal chats to other platforms offering encrypted communication.
Fifthly, while lawmakers globally have cracked down on E2E encryption as the key enabler of illegal and terrorist activities, this perspective is dismissive of the available data that speaks to the contrary. The SIRIUS EU Digital Evidence Situation Report, in which 325 experts from law enforcement agencies were interviewed, concluded that the key challenge was to access even the basic information on users, owing to lengthy processes and the varied cooperation mechanisms of different companies. Accordingly, it is recommended that the process and personnel for accessing metadata on presentation of a legal warrant be defined for seamless investigations in India.
Sixthly, while the State’s interest in regulating the spread of CSAM and fake news online is legitimate, the State shall endeavour to limit its actions within the confines of the Puttaswamy mandate and the proposed data protection framework. This requires adherence to the data minimisation principle and passing a four-fold test to put any valid restriction on an individual’s privacy.
Seventhly, the State’s proposed originator traceability requirement is not only contrary to the Puttaswamy mandate, but is also technically infeasible without fundamentally breaking E2E encryption. E2E encrypted messaging tools and applications are now being used by at least 400 million users in India, which is 25% of the population. Hence, mandating ‘originator traceability’, which cannot be implemented without breaking E2E encryption, puts each of these users at risk.
Eighthly, there is a pressing need for routine sensitization as well as upskilling of all stakeholders in the criminal justice system about the complex dual-use dynamics that form the basis of encryption technology.
Lastly, there is a need to understand where our intelligence and law enforcement agencies are facing challenges, more importantly in terms of access. A study should be commissioned to assess the need for modern technology at the said institutions. The need for advanced technology for lawful hacking and metadata analysis must be assessed and catered to, all while adhering to the standards laid down in the Puttaswamy case. This is a key step towards increasing our capabilities to keep our citizens secure while ensuring that E2E encryption protects individual privacy the way it does currently.
The key recommendations of the report are:
1. Development of an action plan for reducing encryption debt and nurturing an E2EE stack to achieve this;
2. Pausing the legislation of encryption-hostile laws;
3. Committing to surveillance reforms; and
4. Launching a nationwide study to gauge the requirements of law enforcement and intelligence agencies.