Legal Challenges In Implementing Cryptography

By Antara Jha: Cryptography is a technique used to safeguard confidential data and communication by encoding them with codes, ensuring that only authorized individuals can access and interpret them. It involves transforming plain text into a coded form that is unintelligible to anyone without the right key to decode it. Cryptography provides a means to maintain data confidentiality, integrity, and authenticity while transmitting or storing it. It is used in various domains such as finance, healthcare, and military to protect sensitive information from being accessed by unauthorized individuals or entities. The primary goal of cryptography is to ensure secure communication and secure data storage.

Modern cryptography concerns itself with the following four objectives:

1.         Confidentiality– The information can’t be understood by anyone for whom it was unintended.

2.         Integrity – The information cannot be altered in storage or transit between sender and intended receiver without the alteration being detected.

3.         Non-repudiation– The creator/sender of the information cannot deny at a later stage their intentions in the creation or transmission of the information.

4.         Authentication– The sender and receiver can confirm each other’s identity and the origin/destination of the information.

Modern cryptography is concerned with four primary objectives: confidentiality, integrity, non-repudiation, and authentication. Confidentiality ensures that information cannot be understood by anyone who was not intended to receive it. The aim is to prevent unauthorized access to sensitive information. To ensure the confidentiality of information, it is encoded using a specific algorithm, which can only be deciphered by the intended recipient using the appropriate key.

Integrity is another important objective of cryptography. It refers to the prevention of unauthorized changes to the information during storage or transmission. Cryptographic algorithms used for ensuring integrity of data can detect any changes made to the data and alert the intended recipient of the same.

Non-repudiation ensures that the creator or sender of information cannot deny their intentions at a later stage. This means that the sender cannot claim that they did not send the information or that the information was altered by someone else. Non-repudiation is important in legal and financial transactions, where proof of intent is crucial.

Finally, authentication is the process of verifying the identity of the sender and receiver of information. It ensures that the sender is who they claim to be, and the recipient is the intended recipient. Authentication helps prevent unauthorized access to information and ensures that communication is secure.

In summary, modern cryptography aims to protect information by ensuring confidentiality, integrity, non-repudiation, and authentication. These objectives are crucial in today’s digital age, where sensitive information is constantly being transmitted over various channels. Cryptographic algorithms and techniques play a critical role in ensuring the security of this information.

In contemporary times, encryption has become synonymous with privacy, and in India, the subject of privacy is of paramount importance to the policymakers and legal system, particularly since the Puttaswamy Judgment, where the Supreme Court unanimously acknowledged the Right to Privacy as a fundamental right. Consequently, Indian lawmakers and policymakers need to take various factors into account when regulating encryption under Indian cyber law. This article will explore some of the key factors that must be taken into account.

With the rise of digital communication, encryption has become an essential tool for ensuring privacy and security in online transactions. However, this technology can also be used to facilitate criminal activities, which makes it crucial to strike a balance between privacy and national security. Indian lawmakers and policymakers must navigate this delicate balance, taking into account the potential risks and benefits of encryption.

Additionally, there are technical and legal challenges associated with regulating encryption. For example, encryption can be used to protect sensitive information such as financial transactions, medical records, and government secrets, which raises questions about how to regulate it without undermining these important functions. Furthermore, some forms of encryption can be difficult to crack, which can make it challenging for law enforcement agencies to investigate and prosecute crimes.

Given these challenges, Indian lawmakers and policymakers must carefully consider the various factors involved in regulating encryption. This article will examine some of the key issues and provide recommendations for how to strike the appropriate balance between privacy and security in the digital age.

Below are some of the factors that will be examined in this article:

The relationship between privacy and national security and ensuring that they are proportionate to one another.  Striking a balance between economic and legal considerations.

Cryptography has been primarily linked to military intelligence, and its utilization by criminals and terrorists could impede law enforcement activities, resulting in the limitation of its usage by governments. Moreover, the intricate mathematical algorithms utilized in cryptography can lead to patent-related legal issues. Consequently, algorithm creators protect their intellectual property by patenting it and demanding that users acquire a license.

In general, the legal concerns related to cryptography can be categorized into three groups:

1.         Export Control Issues: The US government has classified certain types of cryptographic software and hardware as munitions and subjected them to export control. This means that any commercial entity seeking to export cryptographic libraries or other software that use them must first obtain an export license. While the export laws have relaxed in recent years, certain commercial grade cryptographic software packages may still require an export license. The majority of the software and capabilities included in J2SE v1.4 are not subject to export control, but it is possible for a JCE provider to have capabilities that require review by export control authorities and an export license. This means that vendors of JCE providers must obtain export clearance to avoid potential legal issues.

2.         Import Control Issues: It is not immediately obvious that some countries limit the use of particular kinds of cryptography within their borders, and it is up to the user to comply with the law. In J2SE v1.4, cryptographic capabilities are linked to jurisdiction policy files to deal with this issue. The jurisdiction files that come with J2SE v1.4 restrict the size of keys and other parameters to enable “strong” but “limited” cryptography. Users in the United States need to download and install additional policy files to access “unlimited” capabilities.

3.         Patent Related Issues: In order to prevent legal issues related to patent infringement, it is advisable to use algorithms that are not patented, whose patents have expired, that are licensed for royalty-free use, or for which you have obtained a license. The patent on RSA, which is the widely used public key cryptography, was a major obstacle to its widespread use before it expired in 2000. The algorithms included in J2SE v1.4 are either free from patent issues or are available for royalty-free use.

These are general recommendations to keep in mind when deploying solutions that involve cryptographic components. Usually, it is the security product vendor who is responsible for ensuring compliance with legal requirements, but it is still important to exercise caution. If you plan to use open-source software that is freely available online, you need to take extra care to ensure legal compliance as you may not have a vendor to rely on. It is always better to seek guidance from legal experts if you are unsure about legal requirements related to cryptography. It is important to note that these guidelines are not exhaustive and may not cover all legal issues related to cryptography. Therefore, it is essential to conduct proper research and seek expert advice to avoid potential legal problems. By being proactive and careful, you can mitigate legal risks associated with the use of cryptography in your business or organization.

Despite the information presented in this section or the entire book, the author and publisher disclaim any legal responsibility for the outcomes or consequences that may arise from following the advice given or utilizing the security methods explained in the book. The regulations governing cryptography are intricate, dependent on the jurisdiction, and are continuously evolving. It is entirely the responsibility of the reader to guarantee that they operate within the confines of the law.

Legal challenges to traceability:-

1.         Praveen Arimbrathodiyil vs. Union of India (WP(C) 9647/2021): A FOSS developer and volunteer of FSCI, Praveen A, has filed a petition in the High Court of Kerala with the assistance of SFLC.in. The petition challenges Part II of the Rules, 2021, which includes Rule 4(2) of the Rules, 2021. One of the grounds for the petition is that it violates the right to encryption of citizens, which is a subset of the right to privacy protected under Article 21 of the Constitution of India.

The petition also argues that the traceability provision places unreasonable restrictions on the ability of intermediaries, thus violating the right to freedom of trade and profession under Article 19(1)(g) of the Constitution of India. The case has been admitted by the court, and notice has been issued to the respondents.

The petition was filed by Praveen A, a FOSS developer and volunteer of FSCI, with the assistance of SFLC.in. It challenges Part II of the Rules, 2021, including Rule 4(2), and argues that they violate the right to encryption of citizens, which is a subset of the right to privacy protected under Article 21 of the Constitution of India. The petition also argues that the traceability provision places unreasonable restrictions on intermediaries, violating the right to freedom of trade and profession under Article 19(1)(g) of the Constitution of India. The High Court of Kerala has admitted the case and issued notice to the respondents.

2.         Anthony Clement vs. Union of India (Dy. No. 32487/2019(SC)): A petition was filed in the Madras High Court that demanded the linking of Aadhaar with social media accounts of users, which was eventually rejected based on the principles laid down in the Puttaswamy judgment. During the proceedings, the issue of co-existence of traceability of users with end-to-end encryption was raised, and Prof. V. Kamakoti filed an affidavit suggesting that tracing the originator of messages can be achieved by adding information of the originator with each message and displaying it during decryption.

Dr. Manoj Prabhakaran proposed an alternative to Prof. Kamakoti’s suggestion and emphasized the long-term risks of enabling traceability on encrypted platforms. Dr. Prabhakaran argued that the proposal was susceptible to falsification of information of the originator, and even if digital signatures were used to address the risk of spoofing, it would have limited use in addressing the problem of fake news in the long run.

Currently, the Supreme Court is deliberating on the matter as WhatsApp/Facebook has pleaded that traceability cannot coexist with end-to-end encryption. WhatsApp stated that it is impossible for them to trace the originator of the message on their platform since they don’t possess the decryption keys. The central question before the Supreme Court is to determine whether any new feature can be added to social media platforms, such as WhatsApp, to enable the tracing of the originator of information.

The Government of India had submitted that the Intermediary Rules would be notified in January 2020. The last hearing took place in January 2020, and the notification of the Rules was still awaited. The case is critical as it seeks to address the right to privacy of citizens, and it remains to be seen whether traceability can be achieved without compromising end-to-end encryption and the privacy of users.

3.         WhatsApp vs. Union of India (2021): WhatsApp Inc. and Facebook have initiated two petitions in the High Court of Delhi, challenging the Rule 4(2) of the Rules, 2021. The petitions assert that the provision infringes upon end-to-end encryption and undermines the fundamental right to privacy. According to the petitions, the rule is in contradiction to the K.S. Puttaswamy vs. Union of India (2017) judgement and fails to comply with the principles of proportionality, necessity, and minimization. Rule 4(2) of the Rules 2021 mandates that a “significant social media intermediary,” which offers messaging services, must allow identification of the first originator of the information on a computer source as per the Information Technology (Procedure and Safeguards for interception, monitoring, and decryption of information) Rules, 2009, in response to a judicial or IT Act, 2000 order.

While cryptography provides a powerful tool for securing information, its implementation comes with certain technical challenges. These challenges can affect the performance, scalability, and compatibility of cryptographic systems. Here are some key technical considerations:

1. Key Management: Cryptographic systems rely on the use of keys for encryption and decryption. Key management involves securely generating, storing, distributing, and revoking cryptographic keys. It can be challenging to establish a robust key management infrastructure that ensures the confidentiality and integrity of keys throughout their lifecycle.
2. Algorithm Selection: Choosing the right cryptographic algorithm is crucial for achieving the desired level of security. There are numerous algorithms available, each with its own strengths and weaknesses. It’s essential to consider factors such as computational efficiency, resistance to attacks, and compatibility with existing systems when selecting an algorithm.
3. Performance Impact: Cryptographic operations, especially those involving complex algorithms, can be computationally intensive and may introduce significant overhead. Implementing strong encryption and decryption mechanisms can impact system performance, especially in resource-constrained environments. Balancing security requirements with performance considerations is a key challenge in cryptographic system design.
4. Compatibility and Interoperability: Implementing cryptography across different platforms, devices, and systems can pose challenges in terms of compatibility and interoperability. Cryptographic protocols and algorithms must be standardized to ensure seamless communication and data exchange between different entities. Ensuring compatibility across diverse systems and versions can be complex.
5. Cryptographic Strength: Cryptographic algorithms must withstand attacks from potential adversaries. As technology advances, new vulnerabilities and attack techniques may emerge, rendering previously secure algorithms obsolete. It is crucial to regularly evaluate the cryptographic strength of algorithms and update them to maintain resilience against evolving threats.
6. Side-Channel Attacks: Cryptographic implementations can be susceptible to side-channel attacks that exploit information leaked through unintended channels such as power consumption, timing variations, or electromagnetic emissions. Protecting against side-channel attacks requires implementing countermeasures such as secure coding practices, physical security measures, and advanced cryptographic techniques.

In conclusion, implementing cryptography presents both legal and technical challenges that need to be carefully addressed to strike a balance between privacy, security, and regulatory requirements. The legal challenges involve navigating the delicate balance between privacy rights and national security concerns, while also considering export control, import control, and patent-related issues.

On the technical front, key management, algorithm selection, implementation vulnerabilities, performance impact, and compatibility are critical factors that must be carefully considered. Addressing these technical challenges ensures the secure and efficient implementation of cryptography in various domains, safeguarding sensitive information and enabling secure communication and data storage.

As technology advances and the digital landscape evolves, it is crucial for lawmakers, policymakers, and technical experts to work together to develop robust legal frameworks, standards, and best practices that promote the responsible and secure use of cryptography. By addressing these challenges, we can harness the power of cryptography to protect data privacy, facilitate secure transactions, and foster trust in the digital age.

About The Author: Antara Jha completed LLM degree in Cyber Law and Cyber Crime Investigation from the National Forensic Sciences University in Gandhinagar, India. He is working in C-DAC which comes under Ministry of Electronics and Information Technology, Government of India.