Backdoors; A Violation of the Reasonable Expectation of Privacy (test)

Can we build backdoors to an E2E platform? Perhaps. 

Are E2E platforms with backdoors safe? No. 

Can we build back doors to an E2E without compromising the security of the E2E platform? Most certainly not! 

The Puttaswamy Judgement is a Matryoshka doll of tests; one test opens to another [on the of the tests, see generally here]. In para 292 of the majority decision, the Court affirms the Respondent counsel’s argument that Article 21 protects claims which are within the reasonable expectation of privacy. 

The Court lays down a check list of the following queries; 

(i). What is the context in which a privacy claim is set up? 

(ii). Does the claim relate to private or family or confidential relationship? 

(iii). Is the claim a serious one, is it trivial? 

(iv). Is the disclosure likely to result in any serious or significant injury and the nature and extent of disclosure? 

(v). Is disclosure relating to personal and sensitive information of an identified person? 

(vi). Does disclosure relate to information already disclosed publicly? If so, what are its implications?

 The reasonable expectation of privacy test was developed in Katz v. US in relation to the fourth Amendment. The test was adopted and continues to be relied by English and European Courts. 

Encryption as a Reasonable Expectation 

An E2E encrypted platform is secure to the extent of breaking its bit key (FYI the longer the string of characters in a bit key, the harder it is to break). Without the key, texts, images, and documents send over the remain encrypted. It is for that reason; law enforcement agencies and governments insist on backdoors within the system.  

The term ‘backdoors’ is a metaphor for any special access of the State to encrypted communications. Undisputedly, a backdoor is a vulnerability in the system. To create a vulnerability in the system is to build a strong castle with glass; it protects nothing!  

In that light, in the Indian context, can a user of an E2E platform have reasonable expectations to the security of that platform? We think so. Let us elaborate. 

Any user of an E2E platform uses that platform with the expectation that their conversations are protected. The Court makes reference to an instance where a person cannot reasonably expect privacy for posts on Facebook, wherein any person posting ‘vital details’ of oneself cannot claim the right of privacy. Accordingly, if conversations were held on a private platform – owing to a vulnerability introduced by a backdoor – the details of such conversations are public, is it not violative of the reasonable expectation of privacy? 

Would a reasonable expectation of privacy encompass protection to such conversations? Indeed yes. The Court observes that a reasonable expectation of privacy protects the zone of privacy entailing the protection of lives of individuals as members of the society. The Court concedes that “an individual is not an (sic) hermit”. Furthermore, the Court affirms that an individual in course of interaction with others is engaged in behavioral patterns [299] 

Introducing a backdoor is a serious abdication of such expectations since it opens use of that venerability by the State, foreign agents, and non-State bad actors. 

These explanations fulfill prolongs (i) to (iii) of the test.  

Regarding the term ‘disclosure’ used in the test, it may be argued that by mandating backdoors, the State does not disclose anything. However, such an argument is fallacious because any claim of privacy under Article 21 should be evaluated by this test. A narrow view that the State should actively disclose information is problematic since many claims against the State may be outside although it is likely to affect privacy of the individual. Hence disclosure must include both active and passive disclosure. While active includes efforts to disclose information affecting privacy, passive includes indirect actions affecting privacy of the citizen. Such includes any efforts to disclose data through third party agencies, reducing encryption or security standards among others. 

Moreover, the term disclosure is misleading as it does not all encompass only declaration of information but, at least in the context of the Aadhaar judgement, also collection. This interpretation is in line with the majority decision. Accordingly, the Court analysed whether information collected by the State was within the reasonable expectation of privacy of a citizen.  

Having bought clarity to the following, effecting a backdoor to an encrypted communication system is likely to fulfill criteria to include within the reasonable expectation of privacy. 

A person’s private conversation is part of his zone of privacy. A disclosure of such conversations constitutes a severe breach of his privacy. Although the conversation may include public, non-private information, it also includes confidential, sensitive information essential to the zone of privacy of the individual for the development of the personality of the individual. Would individuals express through these encrypted platforms their inner most thoughts, ideas, and opinions if they are aware their conversations may be targeted by the state, foreign state or bad actors looking to exploit them?  

It is for these reasons that a backdoor mandate contradicts the reasonable expectation of privacy.