What Apple versus FBI means for India

Law schools across India illustrate the difference between “culpable homicide” and “murder” through the famous K.M. Nanavati case of 1961. Nanavati, a commander with the Indian Navy, was informed by his wife of her affair with Prem Ahuja and her desire to end the marriage. An enraged Nanavati barged into Ahuja’s house, and after an angry exchange of words, shot and killed him. In the trial that followed, Nanavati’s punishment hinged upon whether his act was premeditated. If it was, he would be guilty of murder. But were the shooting unplanned and truly a “crime of passion”, as the tabloids referred to it, Nanavati would be punished for the lesser offence of culpable homicide. The Supreme Court found him guilty of murder, but not after a protracted drama that involved a jury exonerating him.

Illustration: Deepak Harichandan

Let’s tailor the Nanavati case to a modern setting. In the 2016 adaptation of the crime, the police retrieve Ahuja’s iPhone, which purportedly contains a draft tweet suggesting he feared for his life. The tweet was never published, and Mumbai cops need it to prove Nanavati had threatened him previously. The Information Technology (IT) Act (specifically, Section 69) confers sweeping powers on the Maharashtra government to retrieve such information but Twitter claims it cannot extract unpublished tweets. The cops turn to Apple Inc. with a request to unlock Nanavati’s phone, but it refuses, suggesting that building a backdoor for one iPhone will compromise the security of all.

What options do the Mumbai police have? Apple is not an Indian company and can refuse to comply with Section 69 of the IT Act, claiming the provision violates California law (where it is based). Apple India Private Ltd, its Indian subsidiary, is registered under the Companies Act but mostly performs administrative and financial functions. Apple does not provide Internet services, and has no software licensing agreement with Indian telecom operators.

What’s more, Indian developers whose content is featured in the App Store sign agreements directly with the parent company. Short of proceeding legally against an Apple India director or revoking its import licence — neither of which would be sound measures — the Government of India has limited options to secure its compliance.

For these reasons, the Indian debate over encryption is very different from the discussion that Apple’s ongoing tussle with the U.S. Federal Bureau of Investigation (FBI) has generated. The FBI sought access via a court warrant to the locked iPhone of Syed Rizwan Farook — a U.S. citizen who in December 2015 killed 14 people and injured scores in a mass shooting in San Bernardino, California — which Apple has refused to provide. Technologies that allow the FBI to force its way into the shooter’s iPhone will compromise the operating systems of all iPhones, Apple’s CEO Tim Cook argued in a letter to consumers. The legal precedent set by this case will be closely studied, but what lessons does the San Bernardino case hold for India, where Apple’s market share is less than 1 per cent?

Lessons for India

The first lesson is for Indian regulators: find the right mix between protecting user data, while allowing law enforcement agencies to retrieve it for investigation. The U.S. does not have high data protection standards but law enforcement agencies have met with increasingly steep judicial barriers — thanks to the Snowden revelations — to extract electronic data. As a result, companies like Apple have been encouraged to invest in strong encryption, as the evolution of its operating system iOS shows.

India, on the other hand, has low data protection standards as well as low legal thresholds for intercepting information. Measures necessary to intercept information have had the unintended consequence of stalling the development of indigenous high-security devices like the iPhone.

For instance, the Department of Telecommunications continues to prescribe low encryption standards for Internet Service Providers (ISPs), while subjecting them to liability for attacks on the network. ISPs are faced with a catch-22 situation, with little room to strengthen their security. The dangerous mix of low data protection standards and legal barriers against monitoring puts India alongside China (see table).

High legal barriers to extract data Low legal barriers to extract data
High data protection standards European Union Russia
Low data protection standards United States China, India

The second lesson is for Internet companies based abroad: cooperate with law enforcement agencies on legitimate requests for user data. Popular Internet applications and social media platforms in India today are all based in the U.S. or Europe, and host data in servers abroad. To retrieve information from Nanavati’s hypothetical iPhone, Apple would need to create a sophisticated “backdoor” to break its encryption protocols. This is an extraordinary instance, involving a drastic solution. But even in the majority of cases where law enforcement agencies can solve crimes based on information available with data giants, their compliance with government requests has been abysmal. Research by Rebecca MacKinnon and Elonnai Hickok suggests the Indian government in 2013 placed 3,598 requests for user data from Facebook with a 53 per cent compliance rate, while the U.S. government made nearly 12,600 requests with a compliance rate of 81 per cent. There is simply no basis or justification for the differential treatment of compliance requests but for the fact that Facebook is a U.S.-based company. Given desperate times, the Indian government took desperate measures: in its draft encryption policy released (and withdrawn subsequently) last year, it sought backdoors into all Internet applications based abroad.

Price breeds compromise

The ‘Apple v. FBI’ debate in the U.S. has generated much controversy because nearly half of America’s mobile users today own an iPhone. Encryption is commonplace, while courts, law enforcement agencies and tech companies — all based in the U.S. — debate the optimal mix of interception and data protection. The Indian context is far from comparable. Most Indians, especially first-generation Internet users, own unencrypted devices. The competing pressures of the market have only contributed to the overall insecurity of India’s Internet infrastructure. The rush towards cheap smartphones like Freedom 251 — whose vendors could not even offer a secure website to process phone bookings — has seriously compromised the integrity of user data. What’s more, to secure their data and to retrieve it for investigation, Indian authorities need the assistance of foreign Internet companies, who appear more interested in bottom lines than law enforcement.

There is no side to choose in this fight, since India needs its own variants of Apple and the FBI: high-security devices that protect data, and a law enforcement agency that can effectively retrieve electronic information.

(Arun Mohan Sukumar heads the Cyber Initiative at the Observer Research Foundation, New Delhi.

Posted by on February 24, 2016. Filed under Technology. You can follow any responses to this entry through the RSS 2.0. Both comments and pings are currently closed.