Law enforcement must decrypt data only from seized devices, proposes NASSCOM, DSCI

Only information stored on a particular mobile phone in possession of the Law Enforcement Agencies (LEA) must be available for decryption, proposes a paper released by software industry body NASSCOM and the Data Security Council of India (DSCI).

Titled The Road Ahead for Encryption in India, the paper looks to address the regulatory framework for encryption in light of the joint parliamentary committee’s report on the Personal Data Protection Bill and the upcoming review of the IT Act.

It focuses on the gaps in the current regulatory design, and rights and obligations of the industry and the government.

The paper lists the following questions with respect to encryption and government surveillance, and has sought comments on it by September 30.

Should there be recognition of a general right to deploying encryption in line with the right to informational privacy recognised by the Puttaswamy Judgement?

Are there any gaps in the existing procedures surrounding the issuance of interception, monitoring and decryption directions under the IT Act and the Indian Telegraph Act?

What should be the disclosure requirements for the government in relation to interception, monitoring and decryption orders?

What changes should be made to India’s legal framework surrounding encryption and interception, monitoring and decryption of information, to be compatible with bilateral information sharing mechanisms such as those under the CLOUD Act?

• Should a ‘duty of care’ standard be adopted for LEA access to decrypted content?
• Can the draft intermediary guidelines impose an obligation on intermediaries on traceability, even though it might not be possible to do so by the platform?
• Should India ask communication providers to set up new capabilities in order to encrypt and decrypt data?
• Should government-aided ethical hacking be considered to provide LEA access to decrypted information in India?
• What amendments will be required under the IT Act or other legislation to enable ethical hacking in India?
• If ethical hacking is used to access decrypted data, how should concerns around disclosure of zero-day vulnerabilities be addressed?
• Can LEA use local key escrow and such solutions to access encrypted data on a device? What should be the scope of accessibility for the LEA?