The Right to Privacy and the Technology Divide Between Rich and Poor: A Huge Concern
Law Centrum
14 May 2022
In India, encryption regulation, like all other forms of technology-driven legislation, is a work in progress.
The advancement of technology in the communication industry has made people's lives easier. Mobile phones are being used by almost every section of society, from the daily wage worker to the industrialist, to carry out their daily responsibilities. The article covers two fundamental questions: How has this technology widened the gap between rich and poor in terms of preserving their rights? What is the status quo of existing law in India in managing privacy issues?
INTRODUCTION
Smart phones have infiltrated everyone's lives, regardless of their financial or educational background. People are increasingly using smart phones to stay connected, store data, and organize their lives. This communication technology has both positive and negative consequences. Users of mobile phones confront a variety of difficulties, including privacy and security concerns. Despite knowing that smart phones pose security risks, the majority of users continue to rely on them. On the one hand, low and middle-income individuals rely on affordable gadgets to communicate and share information because mobile phones have become indispensable for daily activities. High-income people, on the other hand, prefer pricey technology. While all gadgets, regardless of price, enable access to the internet, the technology employed to protect privacy and data differs from device to device depending on cost. Electronic devices that favour one part of society over another cannot be viewed only as a privacy or cyber security issue, but must also be viewed as a democratic issue.
CHARACTERISTICS OF SMART PHONES ON PRIVACY ISSUES
Smart phones, which are internet-enabled mobile phones akin to computers with advanced computational capabilities, have become an inextricable aspect of people's lives. Because of this, people nowadays prefer smart phones over traditional feature phones. A normal feature phone's principal function is to make calls and send text messages. It lacks an operating system, Wi-Fi, or any of the other modern functions seen in smartphones. In the global smart phone market, there are only two operating systems: Apple invented and developed iOS, while Google created Android.
From the perspective of privacy and security, the two operating systems have differing features. For instance, all data stored on the iPhone, including text messages exchanged from one user to another, is encrypted by default without the user having to do anything. If the phone were stolen, the possessor would have extreme difficulty extracting any data from it. However, Android phones have a different security system. Android phones, or the majority of Android phones sold in the market, do not encrypt data kept on the device by default, and the built-in text messaging software in Android does not use encryption. So, if the Android phone were stolen, one could retrieve all the data one wanted from that device. Most iPhones have a fingerprint recognition feature which unlocks the phone only on the fingerprint of the authorized user. Now, with the introduction of Face ID as a replacement for Touch ID, one need only glance at the phone to be able to access it [1]. Similar functionalities are available in expensive Android phones, but these are inaccessible to the general public.
There is now a digital security divide between the wealthy, who can purchase gadgets that automatically secure their data, and the poor, whose devices do little to protect their data. As a result, high-end device users are protected from a variety of security and privacy concerns. When digital privacy is invaded, the people who can least afford it are the most exposed to fraud and identity theft.
CRYPTOGRAPHY, PRIVACY AND NATIONAL SECURITY CONCERNS
In the digital age, encryption is critical for citizens' private rights to be protected, and it is seen as a critical instrument in defending privacy against state persecution. It is vital to comprehend the basics of encryption and cryptography before moving on to the legal complications involved. 'Encryption' refers to the process of transforming data into unintelligible data (encrypted data) in order to ensure its secrecy [2]. Encryption software or hardware scrambles plaintext data into an illogical format called cypher text using a mathematical process called a cypher. Only a person who has the decryption key can decipher the encrypted text. The cypher text is turned back into comprehensible plaintext using the decryption key [3].
TYPES OF ENCRYPTION
Symmetric and asymmetric encryption are the two types of encryption. Symmetric encryption, also known as private key encryption, requires a single key for both encrypting and decrypting a coded communication. The sender encrypts a message with a private key, and the receiver decrypts the message with the same private key. Asymmetric key encryption, often known as public key encryption, uses two keys for encryption and decryption: a public key for encryption and a private key for decryption. The public key is exposed to all users in this system, while the private key is known only by the receiver. While the public key can easily encrypt messages, decryption requires access to the private key [4]. Public key encryption is the most widely used digital encryption technique today. The system's strength lies in restricting access to the private key, as obtaining a private key from a public key is "computationally impossible." "Without forcing or somehow acquiring direct access to the private key, it is almost impossible to break powerful public key encryption."
PRIVACY ISSUE
The use of encryption to protect privacy and data is critical. At the same time, policymakers see encryption as a tool that criminals could employ to avoid law enforcement surveillance. Because of technical advancements, the encryption on iPhones is automated, and law enforcement no longer has access to evidence. Legislators must strike a balance in the public interest between competing interests of privacy and security.
LEGAL POSITION IN INDIA
India, which currently lacks minimum encryption standards, urgently requires comprehensive encryption technology laws.
Right To Interception in India
Surveillance, interception of electronic communications, and traffic data held by internet service providers are all accessible by the government. In India, Section 69 of the Information Technology Act of 2000 gives the central government and state governments the authority to issue orders for the interception, monitoring, or decryption of any information through any computer resource in order to protect India's sovereignty or integrity, defence, security, friendly relations with foreign states, or public order, or to prevent incitement to commit any cognizable offence, or to investigate any offence. The subscriber or intermediary is required to help the intercepting agency gain access to a computer that generates, transmits, receives, or stores such information, as well as to intercept, monitor, or decrypt the information or to provide information stored in a computer resource. Section 69A gives the central government the authority to issue directions blocking public access to any information via a computer resource. Similarly, Section 69B gives the government the authority to monitor and collect traffic statistics or information from any computer.
Recent Rules Under Information Technology Act, 2000 Passed on Interception, Blocking, Collection of Traffic Data
The IT (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009, were approved by the central government to establish a framework and legal procedure for such interception, with intermediaries being required to cooperate and help. Although Rule 24 prohibits the interception, monitoring, or decryption of information without the permission of the Secretary of the Ministry of Home Affairs, Central Government, as the case may be, in an emergency such directions could be issued by an officer not lower than the rank of Joint Secretary to the Government of India. The security agency is required to keep the sensitive material obtained for six months before destroying it unless it is needed for further investigation. The sensitive information must be kept private, and its abuse would be a direct invasion of privacy.
Breach of Sensitive Personal Information
It is vital to address the safeguarding of confidential information from the standpoint of invasion of privacy. In general, all sensitive personal information is confidential; nevertheless, confidential information may include information of commercial value or interest in addition to personal sensitive information. Under Sec 3 of the IT (Reasonable Security Practices and Procedures) Rules, 2011, in India, personal information that consists of bank account, credit card, or physical, physiological, and mental health condition, sexual orientation, medical records and history, biometric information, or any detail of these aspects given to a body corporate to render a service, or information received under the above clauses by a body corporate for processing, stored, or processed under a lawful contract, is considered sensitive personal information.
Breach of confidentiality under Sec 72, 72A and 43A of IT Act, 2000
Unauthorized disclosure or use of disclosed information by a person authorized to fulfil functions granted by the act will cause harm to the party who owns the information, necessitating a legal remedy. Sec 72A of the Information Technology Act of 2000 imposes penalties on private contractors that violate confidentiality. In addition, if a body corporate fails to ensure the adoption of appropriate security standards to protect personal data of individuals, an aggrieved person can sue for compensation before the adjudicating Authority under Sec 43A of the IT Act 2000.
OTHER LAWS AND RECOMMENDATIONS PERTAINING TO THE USE OR REGULATION OF ENCRYPTION AND OTHER SUCH TECHNOLOGIES IN INDIA
Section 84A of the Information Technology Act of 2000 has delegated to the Central Government the authority to frame any rules on the use and regulation of encryption. While the act regulates electronic and wireless modes of communication, it contains no substantive provisions or policies on encryption. The Central Government has yet to issue any such rules under this clause. Aside from that, there are a few instruments where encryption technology and products are controlled and mandated by certain terms and conditions.
Department of Telecommunication (DoT) License with Internet Service Providers (ISPs)
The terms and conditions of the license agreement between the DoT and the ISPs allow only the use of encryption technologies up to 40 bits with RSA algorithms or equivalents without prior clearance from the DoT. Only with approval and submission of the decryption key in two halves to the DoT can a higher encryption standard be used. Furthermore, under these license terms, ISPs are prohibited from implementing bulk encryption (Clause 2.2 (vii) of the License Agreement between DoT and ISP, January 2010). It is crucial to note, however, that while the Unified Service License Agreement expressly prohibits bulk encryption (Clause 37.1), it does not mandate a 40-bit standard. Instead, it indicates that the acceptable encryption standard under this Agreement will be determined by standards established under the Information Technology Act of 2000 (Clause 37.5). However, as previously indicated, no rules have been drafted under the IT Act that prescribe or control the use of encryption technologies in India.
Securities and Exchange Board of India (SEBI) Guidelines on Internet based Trading and Services
According to the SEBI Committee on Internet based Trading & Services' Report on Internet Trading, a 64/128-bit encryption standard is recommended for secure transactions and online trading. It was strongly recommended that "free usage of 128-bit encryption be allowed." This is qualified, however, by the requirement that the DoT's encryption policy and regulation be followed. "Data in motion and data at rest should be in encrypted form by using strong encryption methods such as Advanced Encryption Standard (AES), RSA, SHA-2, etc," according to SEBI's cyber security and cyber resilience framework for Stock Exchanges, Clearance Corporations, and Depositories, as well as Registrars to an Issue / Share Transfer Agent with a portfolio of over two crores.
Reserve Bank of India (RBI)
In its report on Internet Banking released in 2001, RBI mandated a minimum security standard of using SSL for server authentication and client-side certificates, the use of 128-bit SSL encryption for communication between browsers and the server, and encryption of sensitive data like passwords in transit within the enterprise itself.
CONCLUSION
In the modern world, security is all about ensuring the right user has access to the right content on the network. Whatever measures are taken as far as security is concerned are meant to enforce this control and to ensure no compromise is made. As evidenced by continuous legislative activity, encryption regulation, like all other forms of technology-driven legislation, is an ongoing process.
REFERENCES
[1] The Privacy Quandary, The Hindu, Sep 20, 2017.
[2] OECD Guidelines for Cryptography policy.
[3] Aparna Viswanathan, 'Cyber Law (Indian & International Perspectives on key topics including Data Security, E-commerce, Cloud Computing and Cyber Crimes)', Edition: 1st Edition, 2012 (Rep. 2015), LexisNexis India, Gurgaon.
[4] Peter Teufl, Thomas Zefferer, Christof Stromberger. Mobile Device Encryption Systems. 28th Security and Privacy Protection in Information Processing Systems (SEC), Jul 2013, Auckland, New Zealand. pp.203-216.