<p>The internet today has become intertwined with human existence, especially in communication. Nonetheless, the human need to secure communication privacy and the foundational nature of privacy pose a challenge to governments globally: the conflict between privacy and law enforcement.</p>.<p>The recent order passed by the Karnataka High Court, staying the ban on Proton Mail service, is a case in point. Proton Mail is a Swiss privacy-focused, end-to-end encryption-based email service designed in 2014. In 2025, the court ordered a ban on the service, citing non-compliance with Section 69 of the Information Technology Act, 2000, and instances of hoax bomb threats and obscene messages being sent to schools and women.</p>.<p>The Proton Mail case raises a wider question about the need for an encryption law in India that reconciles fundamental rights and the needs of law enforcement agencies. Section 84A of the IT Act empowers the central government to issue standards for “modes or methods” of encryption. However, no standards exist yet. </p>.AI-based attendance is a privacy crisis.<p>Additionally, in 2015, a draft policy on encryption was put forth; however, no substantive measures were taken. The said policy attempted to establish a regime where the State would prescribe encryption algorithms and key sizes. However, this ran the risk of putting all encryption within the easy reach of the government and thus raising concerns about free speech.</p>.<p>Currently, the power to intercept telecommunication stems from the Telecommunications Act, 2023, which grants wide powers to detain, reroute, and intercept communications to any officer designated by the central government. It is extended to electronic means of communication by the IT Act, including the obligation on data handlers to take “reasonable security measures.” </p><p>The Act enlists public order, prevention of incitement of a cognisable offence, and investigation of offences as grounds for de-encryption. The power to grant the request for such interceptions vests with the State or central secretaries of the Home Ministry, giving the ministry absolute power without a judicial officer on the review committee.</p>.<p>The IT Act thus stands as the major regulation in this regard and authorises only the executive authorities to access encrypted data. The Act also grants wide discretion to bureaucrats, without safeguards. Beyond this, it is pertinent to account for cross-border communication, undertaken using various platforms established outside India. As seen in the Proton Mail case, compliance with Indian law remains an issue. Even though mutual assistance treaties exist, they seldom prove to be useful, given the complexity and onerous obligations on the parties.</p>.<p><strong>Risks cannot justify overreach</strong></p>.<p>These lacunae in the law act as a hurdle in achieving the Supreme Court’s mandate prescribed in <em>Shreya Singhal</em> and <em>Justice K S Puttaswamy</em>. In <em>Shreya Singhal</em>, the Court held that standards of freedom of speech and expression on the internet are not to be examined against a dissimilarly relaxed standard under Article 19(1)(a) but are to be exclusively limited to the criteria in Article 19(2).</p>.<p>In <em>Puttaswamy</em>, the Court prescribed a four-pronged test for laws limiting privacy rights. One of these tests used the phrase “necessary in a democratic society for a legitimate aim”, which has been argued to emphasise the need to reconcile privacy and legitimate State aims. Thus, even in the context of national security and public order concerns, these requirements must be met.</p>.<p>Though the right to privacy has been recognised by the Supreme Court, the right to encryption has not been categorically mentioned. A statutory framework recognising the same with narrowly tailored restrictions, in consonance with <em>Puttaswamy</em>, should be the first step. Furthermore, clarity on the use of ethical hacking to access encrypted information must be provided through the IT Act. </p><p>Experts have suggested adopting technical solutions such as user franking, metadata analysis using machine learning technologies, and homomorphic encryption to ensure both the privacy of individuals and the security of society.</p>.<p>Encryption is not a novel phenomenon; ancient societies have been known to use codes and have privacy preferences. This is necessary for a democratic society, as encrypted communication technologies, apart from serving the right to privacy, also act as a vital tool for journalists, whistle-blowers, etc. The potential for harm due to encryption, particularly in law enforcement, should not become an excuse for State surveillance and abuse by private miscreants. Therefore, a reasoned, proportional, principle-oriented, and constitutionally sound approach is needed now.</p>.<p><em><strong>Harshita and Ram are final-year and third-year law students, respectively, at National Law University, Jodhpur.</strong></em></p><p><em>(Disclaimer: The views expressed above are the author's own. They do not necessarily reflect the views of DH.)</em></p>
<p>The internet today has become intertwined with human existence, especially in communication. Nonetheless, the human need to secure communication privacy and the foundational nature of privacy pose a challenge to governments globally: the conflict between privacy and law enforcement.</p>.<p>The recent order passed by the Karnataka High Court, staying the ban on Proton Mail service, is a case in point. Proton Mail is a Swiss privacy-focused, end-to-end encryption-based email service designed in 2014. In 2025, the court ordered a ban on the service, citing non-compliance with Section 69 of the Information Technology Act, 2000, and instances of hoax bomb threats and obscene messages being sent to schools and women.</p>.<p>The Proton Mail case raises a wider question about the need for an encryption law in India that reconciles fundamental rights and the needs of law enforcement agencies. Section 84A of the IT Act empowers the central government to issue standards for “modes or methods” of encryption. However, no standards exist yet. </p>.AI-based attendance is a privacy crisis.<p>Additionally, in 2015, a draft policy on encryption was put forth; however, no substantive measures were taken. The said policy attempted to establish a regime where the State would prescribe encryption algorithms and key sizes. However, this ran the risk of putting all encryption within the easy reach of the government and thus raising concerns about free speech.</p>.<p>Currently, the power to intercept telecommunication stems from the Telecommunications Act, 2023, which grants wide powers to detain, reroute, and intercept communications to any officer designated by the central government. It is extended to electronic means of communication by the IT Act, including the obligation on data handlers to take “reasonable security measures.” </p><p>The Act enlists public order, prevention of incitement of a cognisable offence, and investigation of offences as grounds for de-encryption. The power to grant the request for such interceptions vests with the State or central secretaries of the Home Ministry, giving the ministry absolute power without a judicial officer on the review committee.</p>.<p>The IT Act thus stands as the major regulation in this regard and authorises only the executive authorities to access encrypted data. The Act also grants wide discretion to bureaucrats, without safeguards. Beyond this, it is pertinent to account for cross-border communication, undertaken using various platforms established outside India. As seen in the Proton Mail case, compliance with Indian law remains an issue. Even though mutual assistance treaties exist, they seldom prove to be useful, given the complexity and onerous obligations on the parties.</p>.<p><strong>Risks cannot justify overreach</strong></p>.<p>These lacunae in the law act as a hurdle in achieving the Supreme Court’s mandate prescribed in <em>Shreya Singhal</em> and <em>Justice K S Puttaswamy</em>. In <em>Shreya Singhal</em>, the Court held that standards of freedom of speech and expression on the internet are not to be examined against a dissimilarly relaxed standard under Article 19(1)(a) but are to be exclusively limited to the criteria in Article 19(2).</p>.<p>In <em>Puttaswamy</em>, the Court prescribed a four-pronged test for laws limiting privacy rights. One of these tests used the phrase “necessary in a democratic society for a legitimate aim”, which has been argued to emphasise the need to reconcile privacy and legitimate State aims. Thus, even in the context of national security and public order concerns, these requirements must be met.</p>.<p>Though the right to privacy has been recognised by the Supreme Court, the right to encryption has not been categorically mentioned. A statutory framework recognising the same with narrowly tailored restrictions, in consonance with <em>Puttaswamy</em>, should be the first step. Furthermore, clarity on the use of ethical hacking to access encrypted information must be provided through the IT Act. </p><p>Experts have suggested adopting technical solutions such as user franking, metadata analysis using machine learning technologies, and homomorphic encryption to ensure both the privacy of individuals and the security of society.</p>.<p>Encryption is not a novel phenomenon; ancient societies have been known to use codes and have privacy preferences. This is necessary for a democratic society, as encrypted communication technologies, apart from serving the right to privacy, also act as a vital tool for journalists, whistle-blowers, etc. The potential for harm due to encryption, particularly in law enforcement, should not become an excuse for State surveillance and abuse by private miscreants. Therefore, a reasoned, proportional, principle-oriented, and constitutionally sound approach is needed now.</p>.<p><em><strong>Harshita and Ram are final-year and third-year law students, respectively, at National Law University, Jodhpur.</strong></em></p><p><em>(Disclaimer: The views expressed above are the author's own. They do not necessarily reflect the views of DH.)</em></p>
