The Legal Saga of Breaking End-to-End Encryption in India – Constitutional or Unconstitutional?
By Vivek Basanagoudar & Kabir Singh
I. Introduction: Decoding Encryption and its Significance
Encryption, or its lesser-known name, the ancient art of cryptography, is the conversion of plaintext data into an unintelligible form, in such a manner that the original data is impossible to recover without the application of an inverse decryption process. With the internet boom of the 1990s came the need to secure online communications and transactions, which had multiplied by millions. Encryption is precisely what fulfilled this need, and it is now omnipresent in every aspect of our lives, from the mobile phones in our pockets to the banks where our money is deposited. It plays a significant role in our day-to-day life and carries out numerous important functions such as ensuring sender and recipient anonymity, participation anonymity, authenticity of messages, etc. Hence, encryption is indispensable for maintaining citizens’ right to privacy in the online world.
However, despite its obvious benefits, some consider encryption a “double-edged sword”, due to its supposed interference with the intelligence capabilities of law enforcement agencies (“LEAs”). As a result, there have been numerous calls for the abandonment of End-to-End Encryption (“E2EE”), the secure encryption technology most commonly applied by commercial messaging platforms such as WhatsApp, Telegram etc. It is in continuation of this saga against encryption that the Government of India passed the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“IT Rules”) and proposed the Draft Indian Telecommunication Bill, 2022 (“Draft Telecom Bill”), both of which mandate the breakdown of E2EE. Hence, the objective of this article is to argue against the breakdown of E2EE by the above-mentioned legislations, and prove that the same is violative of the fundamental right to privacy under Article 21 of the Indian Constitution, and thus unconstitutional.
II. Understanding the Indian Encryption Legal Landscape –
A. The Legal Status of Encryption
The fundamental right to privacy has been recognised to be a part of Article 21 of the Constitution i.e., the fundamental right to life by the Supreme Court in the landmark judgment of K.S. Puttaswamy v. Union of India (Puttaswamy I). The judgment also noted that there exist various types of privacies, including the right to communicational privacy, which is an individual’s right to control who has access to their communications; and informational privacy, which is an individual’s right of preventing their information from being disseminated and controlling the extent of access over it. In continuation of the same, the Supreme Court recently held in Subhash Chandra Agrawal that the right to privacy includes the right to protect one’s identity and anonymity.
Moreover, various scholars have also argued that a right to encryption may be founded on the basis of the rights to communicational and informational privacy, given their interlinked relationship with encryption i.e., the former’s existence is dependent on the latter’s application in the modern digital world. Hence, while not explicitly held, it may be argued that there exists a general right to encryption.
B. Breakdown of E2EE by New Legislations
As mentioned earlier, the Government of India has proposed legislations which mandate the breakdown of E2EE i.e., the implementation of these legislations would mandatorily require the removal of E2EE across intermediaries. The precise provisions which allow doing so are Rule 4(2) of the IT Rules and Section 24(2)(a) of the Draft Telecom Bill since they mandate tracing the “first-originator” of any message, and grant intercepting powers of any message, respectively. One might find the Draft Telecom Bill’s inclusion in the above strange, but since the proposed Bill’s scope has been enlarged to regulate OTT Platforms, commercial messaging apps such as WhatsApp, and Telegram also come under its purview.
Application of the aforementioned legislations would require all the services governed by them to build the ability to identify the first originator of every message/communication, since it is impossible to predict which message would require tracing. Moreover, the said legislations are technologically impossible to implement alongside E2EE, since that technology ensures that the contents of a message are known only to its sender and receiver. Disabling it to intercept even a single message would inevitably lead to its disabling for the entire platform, thus endangering the privacy of each user. The same has been affirmed by numerous scientific organisations and research groups. Thus, the implementation of the challenged legislations would result in endangering the right to privacy of every Indian citizen who uses these platforms. This is precisely why WhatsApp has challenged Rule 4(2) of the IT Rules in the Delhi High Court (WhatsApp LLC Vs. Union of India), and why Section 24(2)(a) of the Draft Telecom Bill should not be introduced in the Parliament.
The Supreme Court in Puttaswamy I held that any violation of the right to privacy must pass the three-pronged test of – i) Legality (Valid law); ii) Legitimate State Aim (Necessity); and iii) Proportionality. The next part argues that the legislations do not pass the Puttaswamy I test, and are hence unconstitutional.
III. Determining the Constitutionality of Breakdown of E2EE –
A. Valid Law
The Apex Court in Puttaswamy I held that any invasion of the right to privacy must be backed by a valid law i.e., passed by the Parliament of India. The IT (Amendment) Act of 2008 added Section 84A, according to which the Government holds the power to prescribe the modes and methods of encryption in India. Alongside the same, Section 69 grants the Central Government the power to issue directions for interception or monitoring or decryption of any information through any computer resource, and Section 87(2)(y) further allows it to make rules in furtherance of the same. The IT Rules, which mandate tracing the first-originator, are a form of secondary legislation, passed by the Executive under the Information Technology Act, 2000 (IT Act), and not the legislature. Therefore, the point of consideration is whether the IT Rules, being secondary legislation, could be characterised as ‘valid law’.
The Supreme Court in a multitude of cases, such as Union of India v. S. Srinivasan and Indian Young Lawyers Assn. v. State of Kerala, has held that if a secondary legislation goes beyond the scope of its parent act, it may be struck down. However, by virtue of Sections 69, 84A, and 87(2)(y), the IT Rules do not go beyond the scope of their parent act, and hence may be regarded as valid law. The authors refrain from delving into the Draft Telecom Bill for this prong of the test since the Bill is still in its draft version and has yet to be passed.
Thus, the legislation in question meets the valid law prong. At the same time, it is key to note that the three-prong test must be passed in totality i.e., even if a single prong is not met, the legislation is unconstitutional.
B. Legitimate State Aim
This prong is also known as the test of necessity, since it involves delving into whether the legislation in question possesses a legitimate state aim. The authors argue that the legislations in question do not possess a legitimate state aim, since breaking down of E2EE is not a legitimate state aim. The Government’s primary argument is that E2EE acts as a great deterrent against the LEAs’ investigation capabilities, and grants protection to criminals. However, this is untrue because breaking down E2EE is not the only way the LEAs can investigate. There are equally effective investigative alternatives. With the advent of technology and the interconnected network web created by it, technology can be accordingly leveraged to the advantage of the LEAs.
In India alone, there exist more than 1.18 billion mobile connections, 700 million internet users, and 600 million mobile phones, which is rising by 25 million every quarter, and each of these leaves a digital trail. These digital trails could be used by the LEAs, via data analytic techniques, to combat crime and terrorism, thus making their claim of being interrupted by E2EE invalid. Moreover, breaking E2EE would mostly affect citizens since terrorists usually use far more sophisticated technology. Additionally, scientific research has proved that the Government possesses well-established “workarounds” to encryption, which can be deployed without sacrificing the right to privacy of every Indian user by breaking E2EE. The same is further supplemented by real-life incidents, such as the infamous case of the San Bernardino shooting in the US. In the said case, the FBI fought a legal battle against Apple for the sake of creating a backdoor in the iPhone used by the attackers. Apple greatly resisted the same, and despite its refusal to grant access, the FBI still managed to access the iPhone with the use of a third party which deployed workarounds to the iPhone’s encryption system.
Hence, since there exists no necessity of breaking E2EE, the challenged legislations do not possess a legitimate state aim and fail this prong of the test.
C. Proportionality
The last prong of the Puttaswamy I test is the proportionality standard, which ensures that the nature and quality of the encroachment on the right to privacy are not disproportionate to the purpose of the law. The Supreme Court has held a similar stance in cases such as Kerala State Beverages (M&M) Corp. Ltd. v. P.P. Suresh and Om Kumar and Ors. vs Union of India, which have clarified that infringement of fundamental rights must be done via the “least restrictive alternative”.
In the present scenario, the legislations in question lead to the violation of the right to privacy of each of the million Indian users who use the affected platforms since, even keeping the technological aspect aside, there is no way to predict which message would be targeted for interception. This consequently contrasts with various Supreme Court judgments such as [Gobind v. State of M.P.](https://web.archive.org/web/20230319090840/https:/main.sci.gov.in/judgment/judis/6014.pdf) and Malak Singh v. State of P&H, which have held that surveillance must only be restricted to those who show the possibility of committing crimes. The present legislations affect every Indian user, thus blatantly ignoring the requirement of restrictive surveillance.
Additionally, it must be noted that breaking E2EE would have adverse effects of unimaginable proportions, since it would infringe on human rights and the privacy of many groups such as journalists, attorney/doctor client privileges, financially sensitive information and more. Encryption is a sine qua non for cyber security, and more importantly, national security. Lastly, as argued earlier, the Government possesses numerous workarounds to encryption, meaning breaking E2EE is not the “least restrictive alternative”. Thus, the challenged legislations do not meet the proportionality standard.
Hence, to summarise, while the legislations meet the valid law prong, they do not meet the prongs of legitimate state aim and proportionality, and thus do not pass the test laid in Puttaswamy I. To conclude, the legislations are violative of Article 21 and unconstitutional.
IV. The Way Forward
The Supreme Court of India in the landmark case of Ram Jethmalani v. Union of India famously remarked that sacrificing fundamental rights “on the anvil of fervid desire to find instantaneous solutions to systemic problems” would lead to dangerous circumstances. These concerns have unfortunately come to prophetically materialise into reality in the present scenario. In pursuit of finding an instantaneous solution to the problems faced by E2EE, which could have easily been circumvented, the Government has attempted to completely ban its implementation, haemorrhaging the fundamental right to privacy of millions of Indian citizens. Thus, the authors sincerely hope that Courts strike down Rule 4(2) of the IT Rules, and that the Government withdraws Section 24(2)(a) from the Draft Telecom Bill, for the noble purpose of protecting the fundamental right to privacy of the citizens of India.