
Encryption vs Law Enforcement: India's Cyber Dilemma

  • Jun 17

Introduction


In the digital age, encryption has become an essential tool for safeguarding personal privacy and secure communication. Through end-to-end encryption (E2EE), individuals are able to share sensitive data on platforms like WhatsApp, Telegram, and Signal without fear of unauthorized interception. This technology reinforces trust, confidentiality, and the fundamental right to privacy. However, this protective shield can also transform into a weapon. E2EE creates "warrant-proof spaces" where legally authorized access by investigative authorities becomes ineffective. This "going dark" problem restricts the State's ability to prevent and prosecute serious offenses, raising deep concerns about public safety and national security. Ultimately, a balanced framework is required, one that preserves the integrity of encryption while allowing limited, lawful access in serious cases.


The Constitutional and Indian Legislative Landscape:

 

End-to-end encryption occupies a complex position at the intersection of national security, privacy rights, and data protection in Indian jurisprudence. The legal position is substantially governed by the Information Technology Act, 2000, the Intermediary Guidelines and Digital Media Ethics Code Rules, 2021, and the Digital Personal Data Protection (DPDP) Act, 2023. Most critically, it is anchored by constitutional protections under Article 21 (Right to Privacy) and Article 19(1)(a) (Freedom of Speech).


The Supreme Court’s watershed judgment in Justice K.S. Puttaswamy v. Union of India (2017) established that privacy is a fundamental right. The bench explicitly noted that privacy encompasses informational privacy. However, the right is not absolute and can be restricted on grounds of national security and public order, provided the restriction is proportionate, narrowly tailored, and subject to judicial scrutiny. Furthermore, in the 2019 data protection sequel judgment, the Supreme Court noted that encryption is a legitimate and necessary mechanism to fulfill the state's obligation to protect personal data from unauthorized access.


The Regulatory Clash and Technical Impossibility:

 

The government’s most direct regulatory engagement with encryption arises through Rule 3(1)(b) of the IT Intermediary Rules, 2021, which requires messaging intermediaries to enable the identification of the "first originator" of information. This mandate has generated significant litigation. In WhatsApp Inc. v. Union of India (pending before the Delhi High Court), WhatsApp challenged the rule, arguing that E2EE cannot be selectively weakened. Their counsel starkly remarked, "If we are told to break encryption, then WhatsApp goes."


This highlights the "Technical Impossibility" defense: mathematical encryption cannot distinguish between legitimate law enforcement access and illegitimate hacking. Interestingly, a leaked 2022 internal document—MEITY's Unified Access and Regulation of Digital Services (UARDS) Proposal—revealed that even the Ministry of Electronics and IT acknowledged that E2EE cannot be "selectively" broken without compromising security infrastructure.


Furthermore, under Section 69 of the IT Act, the government possesses strong interception powers. In Rajendra Kumar Singh v. State of Bihar, the Supreme Court held that interception powers must involve stringent procedural safeguards, ruling that blanket or generalized surveillance violates Article 21. With E2EE, service providers technically cannot provide unencrypted content even when legally compelled under Section 69, because they do not hold the decryption keys.


Investigative Challenges in Encrypted Spaces:

 

Indian law enforcement faces massive hurdles when tackling crimes shielded by E2EE:


  • Financial Frauds: Scammers routinely use Telegram and WhatsApp for phishing and investment frauds. While Section 66A of the IT Act was struck down in Shreya Singhal v. Union of India, Section 66D (cheating by personation) still applies, but evidence collection remains frustrated by encryption.


  • Child Sexual Abuse Material (CSAM): The National Crime Records Bureau (NCRB) reported a 300% increase in CSAM cases from 2018–2022, heavily facilitated by encrypted messaging channels.


  • Terror Coordination: The Ministry of Home Affairs has cited E2EE as an impediment to counter-terrorism. In the Pulwama attack investigation, law enforcement encountered severe dead-ends trying to access encrypted communications.


  • Drug Trafficking: The Narcotics Control Bureau (NCB) has documented extensive use of Telegram and Signal to coordinate drug supplies under the NDPS Act, 1985.


Global Frameworks and the Risk of State Overreach:

 

Without precise statutory definitions for "national security," there is a constant risk of state overreach and the erosion of civil liberties. For instance, in May 2023, the Indian government used Section 69 of the IT Act to ban 14 open-source messaging apps (like Briar) in Jammu and Kashmir. The Delhi High Court upheld the ban, asserting that natural justice could be set aside in the name of national security.


Globally, other free nations face the same friction. In the US, cases like Carpenter v. United States and Riley v. California established strong warrant requirements for digital data. Yet, in FBI v. Apple (the San Bernardino case), tech companies forcefully resisted building backdoors due to systemic security risks. Conversely, authoritarian frameworks like Russia’s Yarovaya Law or China’s 2019 Cryptography Law simply force tech entities to hand over decryption keys directly to the state.


The pressure on tech companies is mounting. Meta Platforms announced that Instagram will discontinue E2EE for its direct messaging feature starting May 8, 2026, due to regulatory pressure and content moderation difficulties. This global shift highlights that encryption is increasingly viewed as a barrier to safety.


Technical Proposals: Kamakoti vs. Hashing:

 

To enforce traceability without breaking E2EE, two main models are debated in India:


  1. The Kamakoti Proposal: Advanced by Professor V. Kamakoti (IIT Madras), this recommends embedding an encrypted metadata tag containing the originator's identity directly into each message. The decryption key would sit in escrow with the intermediary, to be released only via a valid court order.

  2. The Hashing Technique: This generates a unique alphanumeric hash of a message on the sender's device before the message is encrypted. Intermediaries would log these hashes in a central database. If a malicious message spreads, its hash could be matched to trace the origin without reading the actual text. However, critics argue this creates a permanent surveillance infrastructure vulnerable to massive abuse.
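
The hashing model described above, as an added sketch that is not code from the article or from any messaging platform: the registry design, the class and function names, and the sample traffic are assumptions constructed for illustration. It shows the origin lookup and also why critics describe the log as surveillance infrastructure: whoever holds it can test any candidate text against every user's history without decrypting anything.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class LogEntry:
    digest: str   # SHA-256 of the plaintext, computed on the sender's device
    sender: str   # account identifier known to the intermediary
    sent_at: int  # constructed timestamp (seconds)


def message_digest(plaintext: str) -> str:
    """Hash taken before encryption; only this value reaches the registry."""
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


class HashRegistry:
    """Hypothetical central log of (digest, sender, time) kept by an intermediary."""

    def __init__(self) -> None:
        self._entries: list[LogEntry] = []

    def record(self, sender: str, plaintext: str, sent_at: int) -> None:
        self._entries.append(LogEntry(message_digest(plaintext), sender, sent_at))

    def first_originator(self, plaintext: str):
        """Earliest sender of this exact text, or None if it was never logged."""
        d = message_digest(plaintext)
        matches = [e for e in self._entries if e.digest == d]
        return min(matches, key=lambda e: e.sent_at).sender if matches else None

    def everyone_who_sent(self, plaintext: str) -> list[str]:
        """The same log answers a broader question: who ever sent this text?"""
        d = message_digest(plaintext)
        return sorted({e.sender for e in self._entries if e.digest == d})


def build_sample_registry() -> HashRegistry:
    """Constructed sample traffic: one viral forward and one private message."""
    reg = HashRegistry()
    viral = "Forwarded: bank is closing, withdraw now"
    reg.record("user_a", viral, 100)
    reg.record("user_b", viral, 140)
    reg.record("user_c", viral, 190)
    reg.record("user_d", "I will attend the protest on Friday", 200)
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    print(reg.first_originator("Forwarded: bank is closing, withdraw now"))
    print(reg.everyone_who_sent("I will attend the protest on Friday"))
```

The second query is the one a proportionality review has to account for: the registry never stores message text, yet it confirms which accounts sent any text the log holder chooses to test.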


Conclusion and Way Forward:

 

As Benjamin Franklin famously warned, "Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety."


Weakening encryption to catch bad actors creates a dangerous security paradox—it leaves the digital systems of everyday citizens, businesses, and government networks completely vulnerable.


India's path forward must avoid absolute solutions:


  • Targeted Investigations: Law enforcement should shift resources toward metadata analysis, device-level forensics, and judicially authorized hacking instead of asking for platform-wide backdoors.

  • Judicial Oversight: Strengthen the checks and balances under the IT Act so that surveillance requests face strict proportionality tests.

  • Statutory Clarity: Provide precise statutory definitions for "national security" within our digital policies to avoid arbitrary application.


As recognized globally on Global Encryption Day (held every October 21st under the theme "Secure Your World"), strong encryption is non-negotiable for a trustworthy digital ecosystem. India must build an accountable, proportionate legal framework that defends individual liberties while strengthening smart, tech-driven police capacities.


Author: Adhyatmika Panda. In case of any queries, please contact or write back to us via email at chhavi@khuranaandkhurana.com or at Khurana & Khurana, Advocates and IP Attorney.


REFERENCES / BIBLIOGRAPHY


Statutes:


  • Information Technology Act, 2000 (India).

  • Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.

  • Digital Personal Data Protection Act, 2023 (India).

  • Narcotic Drugs and Psychotropic Substances Act, 1985.

  • Unlawful Activities (Prevention) Act, 1967.


Judgments:


  • Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1.

  • Justice K.S. Puttaswamy (Retd.) v. Union of India, (2019) 1 SCC 1.

  • Shreya Singhal v. Union of India, AIR 2015 SC 1523.

  • Rajendra Kumar Singh v. State of Bihar, (2011) 8 SCC 706.

  • Shyam Narayan Chouksey v. Union of India, (2014) 8 SCC 534.

  • WhatsApp Inc. v. Union of India, W.P.(C) 39/2021 (Delhi High Court).

  • Carpenter v. United States, 138 S. Ct. 2206 (2018).

  • Riley v. California, 573 U.S. 373 (2014).

  • In re Search of an Apple iPhone (San Bernardino Case), No. 5:16-cm-00010 (C.D. Cal. 2016).


Reports & Articles:


  • National Crime Records Bureau (NCRB), Crime in India Reports (2018-2022).

  • Srinivas Shekhar, "Data Makes the World Go Round-Until It Doesn't," Forbes (Jan 2026).

  • CNN Investigative Report, "Online Networks Promoting Drug-Facilitated Sexual Abuse," (2026).
