Apple’s new operating system changed the encryption game, perhaps forever. A few days ago, the company told a federal judge in the US that ‘in most cases now and in the future’ it would be impossible for it to access data on password-protected iPhones. For ‘devices running iOS 8 or higher, Apple would not have the technical ability to … take possession of a password protected device from the government and extract unencrypted user data from that device for the government’, Apple said, since the security features were such that the passwords were generated by the phone itself. In a debate with the National Security Agency’s director Michael Rogers, Apple CEO Tim Cook was quite forthright and said ‘you can’t have a back door in the software, because you can’t have a back door that’s only for the good guys’. Nor is it just Apple that is saying this. Several other US firms like Google and Microsoft, and some of America’s top cryptographers, have echoed the same message: millions of Americans would be vulnerable to hackers if tech firms were required to either provide ‘back doors’ for the government or provide access to their source code or encryption keys. It is also true that several of these firms have billions of dollars of business riding on their ability to secure people’s data. While intelligence agencies, the New York Times reported, are understandably upset at what FBI chief James Comey called the ‘going dark’ problem, the fact is the US government appears to be buying the tech firms’ argument. According to NYT, the Obama administration has backed down in its dispute over seeking encrypted data since this could create an opportunity that China and others, including cybercriminals and terrorists, could exploit.
India’s encryption policy is still in the works, but this is a challenge it will now have to address. The draft encryption policy, hastily withdrawn after civil society ripped into it last month, seemed heavily influenced by the intelligence agencies’ needs and, for instance, required users of even WhatsApp-type services to keep their messages for 90 days and, if required by law, make them available to the government. The policy, of course, had other aspects which were impossible to implement. It expected service providers located outside India to enter into an agreement with the government for providing encryption services; presumably that meant the encryption codes would have to be given to the government. In the past, there has been a pitched battle with BlackBerry on providing encryption codes, while the firm argued that these codes were generated by users and not by it. The diktat that BlackBerry locate its servers in India was also part of the same mindset. Indeed, while the DoT allows a maximum encryption level of 40-bit keys, presumably to make life easier for intelligence agencies, the RBI specifies that banks use at least 128-bit encryption keys. With stronger and stronger encryption now the norm, and even built into the operating systems of phones like Apple’s, it is obvious the nature of the game has changed dramatically. It had to, given that, with billions of dollars of revenues riding upon security, every tech firm has a huge interest in investing in providing what users want. Indian intelligence agencies, and the new encryption policy, will have to adjust to this new reality.