Skip to main content

Cybersecurity Spotlight: India’s Encryption Policy

May 31, 2016


Minnie Ray Chaudhury

In today’s increasingly interconnected world, governments are struggling to strike a balance between privacy and security within their borders, particularly regarding the issues around encryption. Information technology (IT) companies are also joining the discussion–siding with the privacy concerns of their customers. The debate between Apple and the United States government in February is one example of the debate over encryption. In light of the struggle around this issue, other nations are exploring matters of encryption as it best serves the needs of their government. India, for example, tends to lean towards the side of IT companies and the public these companies serve because of the role IT plays in the Indian government and society.

Since Apple’s refusal to create software to give the FBI access to one of the San Bernardino shooter’s iPhones in February, India has been quite careful in how to respond to issues of encryption. But even prior to the incident, India learned a lesson on the importance of privacy to their citizens when, in September 2015, the Indian Ministry of Communications and Information Technology published a draft of a national encryption policy. However, the draft was withdrawn in the same month due to the outburst of public concern.

While the encryption policy draft is no longer accessible online, newspaper articles criticized the draft and the government for overextending their powers into the lives of the citizens. Had the policy been passed, the government would have had legal access to all information online–with broader implications for companies existing outside of India, as well as the Indian public. The Minister of Communications and Information Technology, Ravi Shankar Prasad, said that he withdrew the draft because he felt the details had become exaggerated in the media, stoking the public’s concerns. He assured the public that the Ministry would take the criticism into consideration while revising the draft, before releasing it again.

Currently, all Indian Internet providers, such as Reliance and Airtel, are allowed to use up to 40-bit encryption. Anything more than that and they have to acquire permission from India’s telecommunications regulatory authority—Telecom Regulation Authority of India (TRAI). “Over the top” services (OTT), such as WhatsApp and Skype, are exempt from this regulation. WhatsApp, which has 70 million users in India, introduced end-to-end encryption in April of this year, offering maximum security to their users. In this way, WhatsApp has sided with Apple, essentially saying that the company can’t ethically give the government access to information that the company has denied itself access to.  As of right now, WhatsApp is still operating legally within India. India’s future response to WhatsApp and other encrypted services is still tricky to predict.

It appears, in light of the withdrawal of the encryption document last year, that the Indian government holds the views of the public in high consideration, at least when it comes to matters of cybersecurity. Earlier this month, Prasad announced that the Indian government has tools in “mobile forensics” that can hack into phones such as the iPhone. However, the absence of a discussion about creating backdoors or universal keys for the government seems to be a strategic choice on the part of the Ministry—particularly after seeing the comments made by Apple’s Tim Cook and Google CEO Sundar Pichai. While journalists agree that issues of encryption pose a threat to the government, it seems the public as well as major companies such as Apple, Google, and WhatsApp, are in agreement that a backdoor or universal key would be detrimental to the security of information. Prasad—a member of the major Indian conservative political party, the BJP—assured the public that Narendera Modi’s government fully supports social media freedom.

The way in which India has been addressing the encryption issue illustrates that the government may think that India’s best interests lie in siding with major IT companies, such as Apple and Google. The pro-industry orientation is also evident in the way India addresses the larger question of cybersecurity in general. In a 2013 document titled the National Cybersecurity Policy, the government recognized the central importance of the IT industry in the growth and progress of the Indian economy. The 2013 policy also outlined an increased need for securing the computing environment in order to build trust and confidence with all of the various IT companies located within India, as well as the public that uses such products. It notes that a cyber-attack against India and the IT industries within the Indian border could prevent further growth in the Indian economy.

The concern over Indian cybersecurity is deeply intertwined with the fact that IT helps bring connectivity to India’s 68% rural population. A serious attack could extinguish this population’s already limited access to public and healthcare services. Because of these risks to India, the 2013 document proposed that the government follow and implement global security practices in order to ensure a secure and resilient cyber environment.

India’s interest in following and implementing global standards illustrates the government’s intention of complying with the standards of countries more involved in setting these norms, such as the United States. Since the United States provides a home to most of the major companies that also operate in India, it can be said that India will pay very close attention to America’s cybersecurity policy, with even attention paid to the interests of the IT companies involved. The dual focus on US policy and major industry players is also evident in the way the Communications Ministry has been handling the discussion of encryption with the public.

The Indian government clearly is focused on the importance of IT and cybersecurity to its citizens. For example, a law was just passed in February 2016 that banned differential pricing in India after Facebook’s non-profit violated publicly held notions of net neutrality. The decision to ban differential pricing was made less than a month after taking thousands of public comments into consideration. Thus, while foreign companies need to be careful when doing business in India, issues of IT appear to be handled in a careful and swift manner by the government. The swiftness with which IT issues are handled is in contrast with the often slow governmental response to other issues.

India’s cyber-environment is currently quite vulnerable and receives frequent attacks from countries such as Pakistan, China, and Russia. Ministers from China, Russia, and India came together in April of this year to discuss issues such as cyberspace and cybersecurity as developing, but influential, countries. The ministers highlighted the role that the United States plays in cybersecurity and in turn emphasized the need to promote and adhere to internationally set regulations on the cyber environment. However, it also seems these countries are advocating for an equal foothold in matters of Internet governance. All three countries agreed on the necessity of state-sovereignty in terms of handling internal matters.

Different governments will likely have different solutions to issues of encryption depending on their government’s best interest. More authoritative regimes, for example, may not listen to the concerns of their citizens, while countries such as India seem to be taking a more democratic approach. Finding the balance between privacy and security is difficult, however, and India’s next steps in the discussion are somewhat unpredictable.

This publication was made possible in part by a grant from Carnegie Corporation of New York. The statements made and views expressed are solely the responsibility of the author.