In recent developments, WhatsApp announced it will not comply with the proposed British Online Safety Bill (OSB), which effectively prohibits end-to-end encryption (E2E). This decision has sparked discussions about similar information technology laws globally, particularly regarding the Information Technology Rules, 2021, and the Information Technology Act of 2000 in India.
A Closer Look at the British Online Safety Bill
The OSB is proposed British legislation designed to enhance online safety by imposing “Duty of Care” responsibilities on online platforms. The OSB’s Clause 110 permits the regulator to instruct most internet service providers, including private messaging apps, to identify and remove terrorism and child sexual exploitation and abuse (CSEA) content. While the OSB doesn’t directly demand the removal of E2E encryption, it necessitates scanning all messages to detect such content, which indirectly amounts to breaking encryption.
Indian Laws Aligned to OSB
In comparison, through the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, India has required messaging platforms with over five million users to “enable the identification of the first originator” of a message. Unlike the OSB, this doesn’t involve scanning and flagging all encrypted content; it involves identifying the original sender of a widely forwarded message. Despite this, WhatsApp took legal action against the Indian government over this traceability requirement.
Understanding End-To-End Encryption
E2E encryption is a secure communication technique that encrypts data on the sender’s device, securely transmits it over any communication channel, and decrypts it only at the recipient’s end. This provides users protection against unauthorised access, interception, or eavesdropping by hackers, governments or service providers.
Legal Framework for Encryption in India
In India, there isn’t a specific encryption law. However, several sector-specific rules, such as those for the banking, finance, and telecommunications industries, require minimum encryption standards. Users are not allowed to use symmetric key algorithms with encryption stronger than 40 bits without prior approval. However, rules for certain sectors recommend a higher encryption level than 40 bits.
Information Technology Act of 2000
The Information Technology Act of 2000 regulates electronic and wireless modes of communication but lacks substantive provision or policy on encryption.
UPSC Civil Services Examination: Question from Previous Year
A question asked in the examination in 2017 dealt with the legal obligation of certain entities to report cybersecurity incidents. The correct answer was that service providers, data centres, and corporate bodies are all legally obliged to report such occurrences within a reasonable time. This is in accordance with section 70B of the Information Technology Act, 2000, which mandates the appointment of an agency, namely the Indian Computer Emergency Response Team (CERT-In), to serve as the national agency for incident response.