Right to Encrypt : Subset of Right to Privacy?
(This blog post is third in series of “Encryption and Human Rights” series by SFLC.in)
Encryption allows users anonymity on the Internet. Governments across the world have been challenging the security and privacy provided by encryption under the garb of child sexual abuse material and terrorism activities. Most recently, the Government of India introduced the draconian traceability provision which is also constitutionally untenable. Prior to this, the Five-Eyes alliance with India and Japan as signatories had released a statement against end-to-end encryption. Encryption has been known to be particularly important to retain confidentiality and anonymity on the internet. It allows users to freely search the internet without any fear of being traced by the state. Browsers like the Tor browser have been specifically designed to safeguard information which has to be shared in such a manner that it cannot be viewed by the prying eyes.
Privacy as a fundamental right
Internationally, Privacy has been recognized as a human right. Article 12 of the Universal Declaration of Human Rights (“UDHR”) states that no one shall be subjected to arbitrary interference with their privacy, and that everyone has the right to protection of law against such interference. Similarly, Article 17 of the International Covenant on Civil and Political Rights (“ICCPR”) declares privacy as a human right. India is a signatory to both UDHR and ICCPR.
A nine judge bench in 2017, in K.S. Puttaswamy vs Union of India, had declared privacy as a fundamental right flowing from Article 21 of the Constitution of India. Like other fundamental rights, the right to privacy is not absolute in nature. It is subject to reasonable restrictions as defined by the law. The limitations of the right would be “identified on a case-to-case basis depending upon the nature of the privacy interest claimed.”i In the judgment, the Supreme Court of India laid down a three-pronged test for any invasion on privacy i.e.:
b) legitimate state aim
The Puttaswamy 1 lays down the foundation of safeguards against unwarranted invasions on privacy of Indian citizens. Unfortunately, in the absence of a data protection legislation, the encroachments on one’s privacy are either without any legislative backing or are disguised under Protocols or Rules which evade parliamentary scrutiny. Most recent examples of such instances are the Parivaar Pehchaan Patra by the Government of Haryana, the Health Data Management Policy and the Health ID, Aarogya Setu app, and the traceability provision in the Intermediary Guideline Rules, 2021.ii
Role of Encryption in upholding the right to privacy
Encryption today is being used by both the Government as well as the private sector. However, one of the marked shift in the crypto debate has been the wide range adoption of encrypted services and tools including communication services. Even the NewYork Times, which broke the first #MeToo story, used a secure encrypted platform for submission by victims to share their stories.iii Communication platforms like Signal, WhatsApp, Matrix and Telegram have adopted end-to-end encryption which provides privacy and security of communication to users. Strong Encryption is widely used in email services such as ProtonMail. Even encrypted tools like Tor browsers have gained popularity with the increased digital literacy and wider adoption of internet across the world. Encryption provides a sense of security and safety against the prying eyes of state and malicious third parties – this is particularly important for journalists, whistle-blowers and activists who often fall prey to state sponsored snooping.
Modern encryption has become the cornerstone of digital security and is used all over the world for all sorts of tasks including – safely browsing the internet, making online purchases and carrying out financial transactions. All users of digital devices knowingly or unknowingly use encryption on a daily basis. For instance, when a cellphone device is locked, the user could choose to have its contents encrypted, which can be accessed solely by entering the decryption key which can be in form of a password or biometrics. If a person uses Signal, she is relying on end-to-end encryption to send her message. If a person buys something from Amazon, she is using SSL encryption to make the financial transaction. In fact, as of 2019, the HTTPS traffic on internet has crossed 90% i.e. 90% of web traffic is encrypted.iv
To put it succinctly, Encryption ensures confidentiality of communications, data stored on devices as well as data in motion, and of internet searches.
Challenges to Encryption
There has been an anti-crypto sentiment since the 1990s. However, the sentiment has gained popularity of late by several government and governmental groups such as the five-eyes alliance. To undermine the security and privacy provided by end-to-end encryption, the Government of India recently notified the traceability provision via subordinate legislation and bypassing Parliamentary scrutiny. The Government of India, through Department of Telecommunications, has also banned bulk encryption by telecom service providers via the Unified License.
Most recently, Apple Inc., which has been known to be a privacy preserving company, is in the process of incorporating a technical proposal to scan images on a user’s device which pertain with Child Sexual Explicit Material.v As per Matthew Green, Professor of Cryptography at John Hopkins University, the client side scanning by Apply will essentially add surveillance to encrypted messaging systems. This has been labelled as a backdoor by several experts and that client side scanning shall compromise end of end-to-ed encryption.vi In addition to these, Brazil has been discussing the introduction of traceability in encrypted communications for a few years now.
Right to Encrypt as a subset of right to privacy
In 2017, the Supreme Court of India, recognized privacy as a fundamental right flowing from Article 21 of the Constitution of India in Justice K.S. Puttaswamy vs Union of India (2017). The judgment recognized data protection as an integral part of informational and communicational privacy which a component of fundamental right to privacy. In his judgment, Justice F. Nariman talks about different aspects of the right to privacy in the Indian context and observes “Informational privacy which does not deal with a person’s body but deals with a person’s mind, and therefore recognises that an individual may have control over the dissemination of material that is personal to him. Unauthorised use of such information may, therefore lead to infringement of this right”. Justice D.Y. Chandrachud, in his judgment discussed fundamental notions of privacy, which includes communicational privacy that enables an individual to restrict access to communications or control the use of information which is communicated to third parties and informational privacy, which reflects an interest in preventing information about the self from being disseminated and controlling the extent of access to information.vii
The right to encrypt allows users anonymity on the Internet. This is particularly important when considering whistleblowers or sources who wish to remain confidential. Right to encrypt also allows users to freely search the internet without any fear of being traced by the state. The right to encrypt is analogous to the journalistic privilege for the protection of confidential sources of information which is also known as the shield laws. Currently, there is no judgment on this issue in the Indian Courts. They can, however, take inspiration from the Courts in the US and Europe, which have placed the burden on the Government to compel journalists to reveal their sources of information only if it can prove that there is an “overriding public interest”. A similar argument can be used when the Court asks for information to be decrypted. In the United States, while the Courts have declined to provide journalists with this protection, states have enacted press shielding laws, that protect a journalist’s confidentiality.
The Court has recognized that restriction of a right must come hand in hand with due procedures.viii This ensures the protection of the rights against the possible arbitrary whims of the State. The right to encrypt, though not recognized as a formal fundamental right, comes within the ambit of the right to privacy. It is one of the means by which an individual is allowed to exercise her right to privacy. Its importance has also been recognized by international human rights organizations like the Electronic Frontier Foundationix which have said that individuals must be free to exercise their right to privacy and free expression without the arbitrary interference of the State.x
In a petition challenging Part II of the Intermediary Liability Rules, 2021, it has been prayed that right to encrypt must be declared as a subset to right to privacy. However, the case is yet to be taken up for hearing.xi
iJustice K.S. Puttuswamy v. Union of India, (2017) 10 SCC 1
ii You can read more about Parivaar Pehchan Patra here; To learn more about Health Data Management Policy and Health ID, click here, here and here; To learn more about Aarogya Setu, click here, here and here. To learn about the traceability provision, click here, here and here.
iii Kunal Purohit, How to report on #MeToo: listen to what Pulitzer-winning journalists have to say, Newslaundry (Oct. 29, 2018), https://www.newslaundry.com/2018/10/29/how-to-report-on-metoo-listen-to-what-pulitzer-winning-journalists-have-to-say.
iv HTTPS encryption on the web, Transparency Report, Google (2019), https://transparencyreport.google.com/https/overview?hl=en&time_os_region=chrome-usage:1;series:time;groupby:os&lu=load_os_region&load_os_region=chrome-usage:1;series:page-load;groupby:os.
v Jon Brodkin, Apple Explains how iPhones will scan photos for child-sexual abuse images, ArsTechnica (August 6, 2021), https://arstechnica.com/tech-policy/2021/08/apple-explains-how-iphones-will-scan-photos-for-child-sexual-abuse-images/ ; Apple Inc., Expanded Protections for Children, https://www.apple.com/child-safety/.
vi Centre for Democracy and Technology, Apple’s changes to messaging and photo services threaten users’ security and privacy (August 5, 2021), https://cdt.org/press/cdt-apples-changes-to-messaging-and-photo-services-threaten-users-security-and-privacy/.
vii Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.
viii Maneka Gandhi v Union of India, 1978 AIR SC 597.
x David Kaye, Report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression (2015), Report to the Human Rights Council (A/HRC/29/32), available at http://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session29/Documents/A.HRC.29.32_AEV.doc.
xiPraveen A. vs. Union of India, WP(C) 9647 of 2021.