Category Archives: Right to Privacy

Encryption and the extent of privacy

Ed. Note.: This post, by Benjamin Vanlalvena, is a part of the NALSAR Tech Law Forum Editorial Test 2016.

A background of the issue

On December 2, 2015, 14 people were killed and 22 were seriously injured in a terrorist attack at the Inland Regional Center in San Bernardino, California, which consisted of a mass shooting and an attempted bombing. On February 9, 2016, the FBI announced that it was unable to unlock the iPhone used by one of the shooters, Farook. The FBI had initially asked the NSA to break into the iPhone, but the problem was not resolved, and it therefore asked Apple to create a version of the phone’s operating system that would disable the security features on that phone.

Apple, however, refused, which led the Department of Justice to apply to a United States magistrate judge, who issued a court order requiring Apple to create and provide the requested software; Apple was given until 26 February 2016 to respond to the order. Apple announced its intention to oppose the order. The Department of Justice responded by filing a new application to compel Apple to comply with the order. It was revealed that a method of accessing the data had been discussed in January; however, a mistake by the investigating agencies ruled that method out. On March 28, the FBI announced that it had unlocked the phone and withdrew the suit.

The dilemma

Privacy is a recognised fundamental right under Article 17 of the International Covenant on Civil and Political Rights and Article 12 of the Universal Declaration of Human Rights.

Encryption is a process through which one encodes or secures a message or data so that the content is readable only by an authorised party or by someone who holds the decryption key. Apple claims that it does not perform data extractions, as the ‘files to be extracted are protected by an encryption key that is tied to the user’s passcode, which Apple does not possess.’ This, according to the FBI Director, James Comey, is a cause for concern, as it means that even with a court order the contents of the devices of all kinds of criminals would not be accessible. Having a backdoor or ‘golden key’ is slightly (though not totally) different from mass surveillance, as agencies would here have the capability to access data stored on devices rather than constantly monitoring data. It is no longer only a matter of constant surveillance but of the possibility of other, non-governmental persons gaining access through some illegitimate means. The major contention is that there is an assumption either that those who have access to the key are ‘good people’ who have our interests in mind, or that the backdoor would be accessible only by the government. The Washington Post reported that the FBI had (after failing to get Apple to comply) paid professional hackers to assist it in cracking the San Bernardino terrorist’s phone. This is itself a cause for concern, as it is proof that vulnerabilities exist in phones which are seemingly secure.

Data that is encrypted cannot be considered totally secure if some party has a means to bypass that encryption. The FBI’s request is therefore problematic, as it gives the FBI a backdoor to the data, which would be a vulnerability affecting all users. One should bear in mind that the trade in such ‘zero-day vulnerabilities’ is not unheard of, and the NSA or FBI holding tools that defeat the protections which keep our data secure is problematic, as such tools could end up in the hands of hackers or be leaked. One of the hardest-hitting points raised is the issue of national interest: that terrorists or paedophiles use encryption and that it is a “safe space” for them. However, according to the former NSA chief Michael Hayden, the creation of a backdoor would be futile, as terrorists would make their own apps based on open-source software; the presence of a backdoor would simply make innocent persons less secure and vulnerable to people who would take advantage of such backdoors.

While the intention of the agencies might be good, or in the interests of the public, one should keep in mind that once a backdoor is provided, not only does this set a dangerous precedent, but the danger of such a backdoor leaking and affecting the lives of ordinary persons is huge.

For more information, visit:

https://tcf.org/content/commentary/weve-apple-encryption-debate-nothing-new/

https://www.aclu.org/feature/community-control-over-police-surveillance

https://www.ctc.usma.edu/posts/how-terrorists-use-encryption

https://www.youtube.com/watch?v=peAkiNu8mHY

https://www.youtube.com/watch?v=DZz86r-AGjI

AADHAAR AND THE RIGHT TO PRIVACY

Ed. Note.: This 101, by Vishal Rakhecha, is a part of the NALSAR Tech Law Forum Editorial Test 2016.

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, or simply the Aadhaar Act, was passed in the Lok Sabha to facilitate the transfer of benefits and services to individuals. This is done by giving them Unique Identification Numbers. At first glance Aadhaar seems like a brilliant scheme to ensure that the taxpayer’s money does not end up in the wrong hands. But the provisions of the Act raise some serious concerns about the way it can be used by the state to encroach upon the right to privacy of individuals. Apart from this, the centrally maintained system that stores the data in the Central Identities Data Repository makes it vulnerable to cyber-attacks. The huge uproar against the government is also because of the way Aadhaar was passed, as a money bill, despite the fact that it does not qualify as one.

According to the ‘law’[1], having an Aadhaar card is not mandatory. But almost all government schemes today require it, from availing a subsidy on LPG to applying for a passport. This continuing trend of using Aadhaar cards as proof of identity has been spilling into the private sector, since the government allows private entities to use Aadhaar as identity proof; from getting a mobile number to signing up on matrimonial sites, it becomes impossible to conduct your day-to-day activities freely without an Aadhaar card.

Despite the fact that the government is practically forcing citizens to get an Aadhaar card, citizens place their trust in the regime to maintain some reasonable standard in securing their data. To begin with, the entire concept of using biometric scans is not fool-proof: there have been cases where the fingerprints of the registrar were registered instead of the applicant’s, combined with the fact that, unlike passwords and passcodes, biometrics cannot be re-issued.

The data collected is not sufficiently protected[2]; for example, Aadhaar numbers are not encrypted and are stored in a human-readable form. This makes it easy to identify individuals, and the chances of identity theft also increase as a result. Passwords and PINs are stored as hashes, but the biometric data is stored in its original form. The way all the information about keys and hashes is held within the UIDAI makes internal trust a very important basis for the protection of the data. This is clearly troubling, as people inside the system can access the data whenever they want, and it also makes it very easy for someone, once inside, to tamper with the records. There is no set procedure for carrying out data inspection, which makes the process extremely arbitrary.

The fact that Aadhaar is not able to protect the privacy of the data giver is aggravated by the way the data is maintained. The centralised system makes it even more susceptible to attacks[3], as such systems have been shown to have inherent flaws when it comes to protecting privacy. Aadhaar in particular is more harmful still, as no justification or reason has been given for why a centralised database is needed. The fact that the data is held in one place makes it the ideal target for hackers and foreign governments. Apart from the fact that this system is more vulnerable, it is also much costlier than, say, a smartcard (as used in the UK) or an offline biometric reader. These systems are more advantageous as they are cheaper, do not require real-time access and are safer compared to the centralised system.[4]

Now coming to the Act itself, which has several problems: while it is true that the Act makes it mandatory to use the information only in the way specified when taking the ‘consent’ of the data giver, we need firstly to understand that most people who apply for the scheme have little or no knowledge about the information and no idea of what the consequences of giving it could be. Even if we ignore this fact, section 33(1) of the Act allows for disclosure of the information pursuant to the order of a district judge or above, and section 33(2) gives any officer of the rank of Joint Secretary and above the right to order disclosure of the information in the interest of national security, without the consent of the person.

It is extremely important to understand that an Act made to ensure that money transferred from the Consolidated Fund of India reaches the person who deserves it, yet which gives the government so much power to conduct surveillance on the people, is clearly problematic. This is because, one, there is a blatant absence of self-imposed checks on executive power, such as requiring the government to specify what constitutes a situation of national security. Two, the circumstances under which judges can authorise the revelation of the data have not been specified. This gives these bodies immense power to swoop down and let the government use the data in whatever manner it deems fit.

Though the Act has several benefits, it was passed in a very hasty manner, and there is a lack of self-restriction on the way the state can use the information. It is understandable that certain circumstances necessitate the government monitoring individuals, but this should not be done in a manner which gives the state immense power to clamp down on dissent whenever it wants to. This is the very reason that there is such a massive amount of criticism of the Aadhaar Act. There is still scope for amendments to be made to the law if the legislature wants to maintain the trust of civil society.

[1] Justice K.S. Puttaswamy (Retd) & Anr v. Union of India & Ors, http://supremecourtofindia.nic.in/FileServer/2015-10-16_1444976434.pdf

[2] Japreet Grewal, Vanya Rakesh, Sumandro Chattapadhyay and Elonnai Hickock, Report on Understanding Aadhaar and its New Challenges, The Centre for Internet Studies, http://cis-india.org/internet-governance/blog/report-on-understanding-aadhaar-and-its-new-challenges

[3] National IDs, Electronic Frontier Foundation, https://www.eff.org/issues/national-ids

[4] Kritika Bharadwaj, The Mission Creep Behind the Aadhaar Project, The Wire, http://thewire.in/63223/the-mission-creep-behind-the-uidais-centralisation-ideology/


Battling Goliath: An Analysis of the National Privacy Principles (Part II: Principles Five to Nine)

(Image Source: https://flic.kr/p/igPaVp)

This is the second in a two-part post on the National Privacy Principles. This post deals with Principles Five through Nine. Footnotes are especially important.
Disclaimers: I have taken a bit of artistic license with these two posts, so do allow for that. Feedback, comments and recommendations are welcome.

Following up on the previous post, I discuss National Privacy Principles Five through Nine of the Justice AP Shah Report, continuing the parallel with the story of David and Goliath.