By Arun Mohan Sukumar
Any country that aspires to be a cyber power must concern itself with two questions: First, does it secure the data of its systems, networks and users, and second, whether law enforcement agencies can effectively retrieve such data for legitimate purposes. The first concern is a property of the country’s approach to data protection, and the second, its proclivity to intercept data. Where the private sector plays a crucial role in the digital economy, it is incumbent on businesses to protect the data of their users and consumers.
Where governments use digital networks to provide e-governance services, its mandate is also to protect the integrity of sensitive user data from any outside intrusion. On the other hand, the license to intercept data is purely a prerogative of governments, conferred by appropriate legislation. This is a neat theoretical demarcation, but increasingly, private sector players are using data protection technologies to secure data from all players, including law enforcement agencies. Three factors have contributed to this situation:
The Snowden revelations, which suggested that governments where the rule of law is strong too are susceptible to mass surveillance. On this count, the leaks broke a cozy compact between governments and the private sector everywhere, changing the rules of the digital economy irreversibly.
The realisation that technology can contribute to “security by design,” thereby making all physical devices agnostic to intrusion requests, whether from a cyber criminal, hacker or law enforcement authority.
The lack of common legal standards for data protection and lawful interception across jurisdictions. Rather than looking to comply with varying national laws, the private sector is evolving its own set of norms, led by a select few global companies.
The bundling of law enforcement agencies into a motley mix of actors—criminals, hackers, cyber militias and business competitors—poses an unusual problem. How will cops solve cases where electronic evidence is encrypted and inaccessible to all but the user? Just as the private sector invests heavily in new technologies to enhance security, governments would channel their resources to buying exploits and developing countermeasures to encryption—in sum, rendering cyberspace as a whole unstable. This problem is particularly relevant to the Asia Pacific, which hosts the biggest concentration of internet users in the world. However, most data from the region is stored in the West. Faced with a lack of agency (given the net outflow of data) and the lack of technologies (in comparison to Western countries), Asian nation-states are faced with an existential question: Do we opt for freedoms or firewalls?
The struggle between Apple and the US Federal Bureau of Investigation (FBI) over access to the San Bernardino shooter’s iPhone highlights the varying priorities of the private sector vis-à-vis the government. The FBI sought access via a court warrant to the locked iPhone of Syed Rizwan Farook—a citizen of the United States who in December 2015 killed 14 and injured scores in a mass shooting in California—which Apple has refused to provide. Technologies that allow the FBI to force its way into the shooter’s iPhone will compromise the operating systems of all iPhones, Apple’s CEO Tim Cook argued in a letter to consumers. The legal precedent set by this case will be closely studied, but what lessons does the San Bernardino case hold for Asia, and particularly India, where Apple’s market share is less than one percent?
To illustrate how the confrontation between Apple and FBI would play out in India, consider an example. Law schools across India illustrate the difference between “culpable homicide” and “murder” through the famous K.M. Nanavati case of 1961. Mr. Nanavati, a commander with the Indian Navy, was informed by his wife of her affair with Prem Ahuja and her desire to leave the marriage. An enraged Mr. Nanavati barged into Mr. Ahuja’s home, and after an angry exchange of words, shot and killed him. In the trial that followed, Mr. Nanavati’s punishment swung on whether his act was pre-meditated. If it was, he would be guilty of murder. But were the shooting unplanned and truly a “crime of passion,” as the tabloids referred to it, Mr. Nanavati would be punished for the lesser offence of culpable homicide. The Supreme Court found him guilty of murder, but not after a protracted drama that involved a jury exonerating him.
Let us tailor the Nanavati case to a modern setting. In the 2016 adaptation of the crime, the police retrieve Mr. Ahuja’s iPhone, which purportedly contains a draft tweet suggesting he feared for his life. The tweet was never published, and Mumbai cops need it to prove Mr. Nanavati had threatened him previously. The Information Technology Act (specifically, Section 69) confers sweeping powers on the Maharashtra government to retrieve such information but Twitter claims it cannot extract unpublished tweets. The cops turn to Apple with a request to unlock Mr. Ahuja’s phone, but Apple refuses, suggesting that building a backdoor for one iPhone will compromise the security of all.
What options do the Mumbai police have? Apple is not an Indian company and can refuse to comply with Section 69 of the IT Act, claiming the provision violates California law (where Apple Inc. is based). Apple India Private Ltd, its Indian subsidiary, is registered under the Companies Act but mostly performs administrative and financial functions. Apple does not provide internet services, and has no software licensing agreement with Indian telecom operators. What is more, Indian developers whose content is featured in the App Store sign agreements directly with Apple Inc., the parent company. Short of proceeding legally against an Apple India Director or revoking its import license—neither of which would be sound measures—the Government of India has limited options to secure its compliance.
For these reasons, the Indian debate over encryption is very different from the discussion that Apple’s ongoing tussle with the FBI has generated. Nevertheless, the episode offers two broad lessons.
The first lesson is for Indian regulators: Find the right mix between protecting user data, while allowing law enforcement agencies to retrieve it for investigation. The US does not have high data protection standards, but law enforcement agencies have met with increasingly steep judicial barriers—thanks to the Snowden revelations—to extract electronic data. As a result, companies like Apple have been encouraged to invest in strong encryption, as the evolution of its operating system iOS shows.
India, on the other hand, has low data protection standards as well as low legal thresholds for intercepting information. Measures necessary to intercept information have had the unintended consequence of stalling the development of indigenous high-security devices like the iPhone. For instance, the Department of Telecommunications continues to prescribe low encryption standards for Internet Service Providers, while subjecting them to liability for attacks on the network. ISPs are faced with a Catch-22 situation, with little room to strengthen their security. The dangerous mix of low data protection standards and legal barriers against monitoring puts India in the bottom quadrant of Table 1, alongside China.
The second lesson is for internet companies based abroad: co-operate with law enforcement agencies on legitimate requests for user data. Popular internet applications and social media platforms in India today are all based in the US or Europe, and host data in servers abroad. To unlock Mr. Ahuja’s iPhone for the Mumbai police, Apple would need to create a sophisticated “backdoor” to break its encryption protocols. This is an extraordinary instance, involving a drastic solution. But even in the majority of cases where Indian law enforcement agencies can solve crimes based on information available with data giants, their compliance with government requests has been abysmal. Research by Rebecca MacKinnon and Elonnai Hickok suggests the Indian government in 2013 placed 3,598 requests for user data from Facebook with a 53% compliance rate, while the US government made nearly 12,600 requests with a compliance rate of 81%. There is simply no basis or justification for the differential treatment of compliance requests but for the fact that Facebook is a US-based company. Given desperate times, the Indian government took desperate measures: In its draft encryption policy released (and withdrawn subsequently) last year, it sought backdoors into all internet applications based abroad.
The ‘Apple v. FBI’ debate in the US has generated much controversy because nearly half of America’s mobile users today own an iPhone. Encryption is commonplace, while courts, law enforcement agencies and tech companies—all based in the US—debate the optimal mix of interception and data protection. The Indian context is far from comparable. Most Indians, especially first generation internet users, own unencrypted devices. The competing pressures of the market have only contributed to the overall insecurity of India’s internet infrastructure. The rush towards cheap smartphones like Freedom 251—whose vendors could not even offer a secure website to process phone bookings—have seriously compromised the integrity of user data. What is more, to secure their data and to retrieve it for investigation, Indian authorities need the assistance of foreign internet companies. There is no side to choose in this fight, since India needs its own variants of Apple and the FBI: high-security devices that protect data, and a law enforcement agency that can effectively retrieve electronic information.
This is part of a series of special essays brought to you by Firstpost ahead of the #Raisina Dialogue that begins in New Delhi on Tuesday. #Raisina is India’s first MEA sponsored global conclave on geopolitics and geoeconomics, Firstpost is the media partner.