Pages

16 September 2021

Understanding the Encryption Debate in India

ANIRUDH BURMAN, PRATEEK JHA

SUMMARY
Encryption has become a contentious instrument for protecting the security and confidentiality of online communication. Rapid digitalization in the past decade has led to the proliferation of domestic and foreign online communication services that use encryption and, consequently, pose challenges to national security bodies and law enforcement agencies (LEAs). To address these challenges, the Indian government introduced new regulations in February 2021.

These regulations require large social media platforms to enable traceability, or the ability to provide information concerning the originator of online communications. Technology companies and privacy activists have opposed such a move on the grounds that traceability would require the breaking of the end-to-end encryption used by many online communication platforms like WhatsApp and therefore would compromise the security of online communications on such platforms.

This traceability requirement, however, is only the latest development in a drawn-out, contentious debate over the use of encryption. The contestation between maintaining higher degrees of online security and issuing new rules to grant technological exceptions for security agencies and LEAs is not specific to India. One of the first serious discussions on the issue took place in the United States in the 1990s, when public opposition warded off an early government attempt to sidestep encryption protections with a court order.

In the past decade, the use of encryption has only grown more pronounced. The revelations that the United States’ National Security Agency was collecting vast amounts of communications data led to the introduction and increased adoption of end-to-end encryption for online communications. End-to-end encryption is now used widely by online communication platforms like WhatsApp, Signal, and Threema. Its use presents law enforcement and national security agencies with new challenges. Even though these agencies today have greater and easier access to more information than ever before, the absolute confidentiality provided by encrypted online communication platforms makes it harder for these agencies to engage in real-time surveillance to investigate crimes and identity wrongdoers.

While some policymakers from India and other countries argue that encryption must only be weakened to solve specific problems, most experts agree that, as of today, there is no technological solution that would weaken encryption for specific law enforcement and national security purposes, while managing to maintain preexisting levels of security and confidentiality for general use. The introduction of any mechanism for specific access would, it is claimed, introduce both known and unknown vulnerabilities into these communications platforms. Such a mechanism would have a systemic effect on all online communication dependent on encryption for ensuring security and confidentiality.

In India, these developments create challenges in specific ways. For example, India reports the highest number of child pornography cases worldwide, and encrypted communications makes it difficult to identify culpable parties. Similarly, as India has digitized rapidly, there has been a surfeit of fake and offensive online news that has, in some cases, led to mob lynchings. In addition, terrorist networks have been found to be using encrypted communication channels while planning and carrying out terrorist attacks in India.

Over the years, the Indian government’s approach to encryption has responded to these concerns in a variety of ways. Indian financial regulators mandated the use of encryption for banking and financial services as they realized the security of such transactions was best protected through encryption. At the same time, the Indian government prohibited telecom operators from implementing bulk or mass encryption in telecommunication services. Starting in 2015, the government introduced different regulatory proposals requiring that messaging platforms and other communication service providers provide plaintext copies of communications to Indian government agencies on request. These proposals, however, faced significant opposition and were withdrawn.

Earlier in 2021, the Indian government’s new rules requiring traceability have been officially notified. The mechanisms through which they will be implemented are not yet clear. It is also unclear if these rules are the last demands the Indian government will make to weaken encryption, or whether further demands will arise in the future. To weigh the relative benefits and drawbacks of the Indian government’s proposal, analysts should consider relevant factors such as (but not limited to) whether such changes will offer law enforcement officials the access they desire, how the security of encrypted communications will be affected, and how citizens’ civil liberties will be impacted, among others.

INTRODUCTION

Encryption and cryptographic techniques for preserving the security of online communication have become increasingly contested in India. Rapid digitalization in the past decade has led to the proliferation of domestic and foreign online communication services that use encryption and, consequently, pose challenges to national security bodies and law enforcement agencies (LEAs). To help overcome these challenges, the Indian government issued controversial new rules in February 2021 that require messaging communication providers to supply information regarding the originators of messages. Many providers argue that this requirement significantly weakens the end-to-end (E2E) encryption they deploy.1

The contestation between maintaining higher degrees of online security and issuing new rules to grant technological exceptions for security agencies and LEAs is not specific to India. Conflicts between LEAs and companies that use encryption to protect personal data and communication have become public in many countries. For example, in 2016, there was a contentious public debate in the United States when the Federal Bureau of Investigation asked Apple to provide a backdoor to the smartphone of a suspected criminal by breaking its encryption protections.2 Apple refused. While the bureau found a workaround, this did not create a durable solution to the issue.3 In 2019, the Australian government passed a law that enables government agencies to force businesses to break encryption.4 The law has faced opposition from those arguing that this approach will weaken encryption and have adverse economic consequences.5 And in October 2020, the LEAs of the Five Eyes intelligence-sharing pact (which includes Australia, Canada, New Zealand, the United Kingdom, and the United States) issued a statement that called on technology companies to find a solution to the issue of E2E encryption.6 India supported this statement.7

On the one hand, thanks to digitalization, India’s security agencies and LEAs now have access to significantly more types of data—via mobile devices, over-the-top (OTT) platforms, and cloud storage, for example; they therefore can tap into more personal information for surveillance and investigation purposes. And for service providers, advances in encryption offer obvious benefits in terms of ensuring confidentiality, protecting the security of online communications and transactions, and authenticating the identities of individuals. But security agencies and LEAs argue that as more forms of secure and confidential communication become widely available, malicious actors are increasingly using them as shields to conceal criminal or terrorist activities. They further assert that the demands to cope with the negative effects of digitalization currently outweigh the advantages.

While other countries are dealing with similar issues, the solutions to India’s concerns must reflect its particular legal and market structures and its security and law enforcement imperatives. The growth of mobile phone usage, internet access, and broadband networks has led to the significantly increased usage of OTT services for messaging, voice calls, and other forms of communication. Many of the industry’s major companies, such as WhatsApp and Signal, use E2E encryption. OTT messaging services are provided by businesses who are not telecom service providers.8 Therefore, these services function very differently from traditional infrastructure, such as phone lines and towers.

This first paper in a series explores the prevailing tensions and countervailing demands in the use of E2E encryption in the context of India’s online communications. A second paper will assess the possible pathways to a solution for India. This paper will detail the evolution of the debate on encryption in India and what has led to the government’s recent rules that mandate traceability. Finally, it will propose a framework for analyzing the merits and demerits of possible policy designs.

ENCRYPTION AND ITS ROLE IN SECURING ONLINE COMMUNICATIONS

Indian law defines encryption as the process of converting plaintext into text that cannot be deciphered or cannot be accessed without using a decryption process.9 A report of the U.S. National Research Council describes the process of cryptography and encryption as follows:

In the traditional application of cryptography for confidentiality, an originator (the first party) creates a message intended for a recipient (the second party), protects (encrypts) it by a cryptographic process, and transmits it as ciphertext. The receiving party decrypts the received ciphertext message to reveal its true content, the plaintext. Anyone else (the third party) who wishes undetected and unauthorized access to the message must penetrate (by cryptanalysis) the protection afforded by the cryptographic process . . . .10

Encryption increases the security of stored information on devices and that of online transactions and communications so as to ensure that transmitted data are not altered or intercepted.11 These safeguards contribute to increased public confidence in storing and sharing information about, for example, one’s health, payments, finances, political views, and sexual orientation. Encryption is also essential for protecting national security and for preventing corporate espionage through the interception of mobile communications.12

The use of E2E encryption is particularly relevant for communications using mobile phones. A 2017 U.S. government study summarized the threats to consumers:

. . . call interception and monitoring, user location tracking, attackers seeking financial gain through banking fraud, social engineering, ransomware, identity theft, or theft of the device, services, or any sensitive data. This puts at risk not just mobile device users, but the carriers themselves as well as other infrastructure providers.”13

For this reason, many global standard-setting organizations in the mobile ecosystem now require support for encryption.14

Historically, many governments have been opposed to granting the public access to strong encryption tools.15 Unrecoverable encryption prevents LEAs from accessing transcripts of online communications, thereby denying them a useful tool for prosecution.16 This is especially so because of the decoupling of services and the physical hardware used to provide the services. For example, the OTT service provider can be in a different country from the sender or receiver, and the signaling path (links that carry call setup messages) can differ from the voice path (links that carry the conversation).17

One of the earliest and most widely known proposals for a solution to the encryption issue was presented in the United States in the 1990s. The administration of former president Bill Clinton sought to introduce an encryption device in the form of a chipset called the Clipper Chip.18 The Clipper Chip would encrypt voice and text communications, but the U.S. government and its approved agencies could decrypt communications that used this technology with a court order. This proposal received significant backlash and was dropped entirely.19 However, another proposal—an export-control regulatory regime preventing the dissemination of advanced cryptographic technology to other countries—was instituted, and some elements of it are still in place.20

Yet, over time, policymakers came to realize the benefits of encrypted communications and their role in protecting the online economy. In the United States, export controls on cryptography were relaxed. Similarly, Indian government agencies began permitting the use of stronger encryption for securing communications.21

However, the technological hurdles to accessing encrypted communications create significant challenges for national security agencies and LEAs. The latter, in particular, face difficulties in (1) tracing and authenticating the identities of the communicating parties, (2) carrying out real-time monitoring and wiretapping, and (3) avoiding detection by the relevant parties while accessing the communications.22

In E2E encryption, only the computers or devices being directly used by the parties have access to the encryption and decryption keys.23 This process involves encrypting conversations at both ends of the communication—the sender as well as the receiver of the communication. A public key is used to encrypt the message, while a private key, which only the receiver has access to, is used to decrypt it.24 This prevents the communication from being compromised if any other part of the system is compromised. E2E encryption for online communication is used to secure what is termed data in transit, as it travels from one device or account to another. Meanwhile, data at rest—the term for information stored on a particular device, cloud service provider, or other location—is secured through other encryption mechanisms.25

There are also less secure forms of encryption where the service provider has access to the decryption key. In such cases, they can decrypt the information without the intervention of the message’s sender or receiver.26 This means that LEAs can access such communication with the cooperation of the service provider.

In India, while telecom service providers are prohibited from using bulk encryption, (where all communications passing through the system are encrypted) OTT messaging providers like Signal and WhatsApp offer E2E encrypted communication.27 Table 1 gives an overview of popular OTT messaging service providers in India and their current security practices.

The debate around securing online communications was rekindled in the past decade due to the revelations by Edward Snowden, a former contractor working for the U.S. National Security Agency (NSA). In 2013, Snowden leaked evidence to show how the NSA engaged in mass surveillance of millions of Americans and foreign government officials, with the cooperation of telecom service providers.46 This included access to the metadata of phone calls and access to servers of technology companies such as Google, Apple, and Facebook.

As a result, consumers grew more conscious of the security of their online communications.47 One report estimated that U.S. technology companies were beginning to suffer serious adverse economic consequences in the aftermath of the Snowden revelations.48 This was especially so in foreign markets that were major sources of growth potential for U.S. technology companies. Many of these companies adopted E2E encryption because of this fallout.49 The development of E2E encryption was therefore (at least initially) designed to mitigate the negative consequences of the direct and indirect role of technology companies in aiding government surveillance. In addition, technology companies’ embrace of E2E encryption also weakened support for LEAs’ demands to weaken encryption for online communications in the United States.50

The growing use of encryption does not mean that encryption is completely secure or that it is a comprehensive solution for online security and confidentiality. For one, the proliferation of new communication mediums has also increased the number of forums through which such communication can be tracked and accessed.51 Email services usually provide encryption from their clients to mail servers, and emails reside in plaintext on the mail servers.52 Second, there are other vulnerabilities that can be exploited. For example, even though Skype was using E2E encryption, the locations of users could be tracked.53 Third, data stored or backed up on cloud storage services and local devices are often easier to access.54 Lastly, as detailed in table 1, most service providers collect a significant amount of metadata that are made available to security agencies and LEAs.

Therefore, while E2E encryption poses challenges for security agencies and LEAs, there are many other mechanisms through which similar data can be accessed. The ability to access such data is, however, also contingent on market structures and the regulatory regime for data access. For example, Indian LEAs are unable to access content data stored in the United States within a reasonable period.55 Easing these constraints may enable easier access to data stored on devices that are not E2E encrypted. Similarly, the technological capabilities of Indian security agencies and LEAs are crucial determinants in seeking alternatives to breaking encryption. The next section discusses the context in which Indian security agencies and LEAs have made demands for seeking exceptional access to encrypted information.

ENCRYPTION AND INDIA’S SECURITY AND LAW ENFORCEMENT CHALLENGES

The Indian government’s demands for weakening encryption have been made for both national security and law enforcement reasons. Multiple government officials have pointed to the difficulties encryption poses in preventing terrorism, fake news, and crimes against women and children.56 While these difficulties explain why access to encrypted data is needed, the demands conflate many different policy objectives. Until recently, it was hard to disentangle the exact set of criteria that would require the government to access encrypted data. This section examines how the government’s demands and corresponding regulatory changes have evolved.

Discussions of Indian government policy on encryption started escalating in the 1990s. The internet was made publicly available in India in 1995 by VSNL, a state-owned network service provider.57 The Information Technology Act, passed in 2000, mandated the use of digital signatures for online transactions. It endorsed the use of public key infrastructure for these digital signatures.58 Regulatory bodies such as the Reserve Bank of India (RBI) and the Securities and Exchange Board of India (SEBI) also recognized the need to provide secure transactions over the internet. In 2001, the RBI and SEBI issued guidelines recommending the use of a 128-bit cryptographic protocol, the Secure Sockets Layer, for ensuring browser protection and security for e-commerce.59

Following the conflict between India and Pakistan in Kargil in 1999, the Kargil Review Committee noted that adequate attention and resources had not been dedicated toward developing encryption and decryption skills.60 The committee also highlighted that organized crime and anti-national elements were increasingly relying on encrypted communications.

This historical lack of capacity in dealing with the use of encryption has become more pronounced due to rapid digitalization. Even as digitalization increases, India continues to face terrorist and national security threats and continues to rank high on the Global Terrorism Index.61 In addition, it has hostile, nuclear-armed neighbors on both its land borders. As communications continue to move online at a tremendous pace, the internet has become a key tool of information exchange for terrorist outfits. Reports by several international bodies attest to this.62 Reports also document that domestic cells of international terrorist groups have relied heavily on E2E encryption.63

The first major act of terrorism that highlighted India’s national security concerns with E2E encryption was the attack in Mumbai in 2008. The terrorists were found to be using BlackBerry devices. Consequently, the Indian government required RIM, the device manufacturer, to locate communication servers in India. In 2012, it agreed to hand over messages of communications to Indian agencies in plaintext.64

Law enforcement issues arising from online communications have become more widespread over the past decade. Since 2017, there have been several reports of mob violence and lynchings incited by misinformation shared on WhatsApp. Between 2017 and 2018, the spread of unchecked malicious content and fake messages were reported to be directly linked to mob violence. It was said that thirty-four people had been lynched across nine Indian states because of misinformation on social media.65 LEAs have also cited instances where the spread of misinformation during violent protests or riots have greatly exacerbated already tumultuous law and order predicaments.66

Another issue faced by LEAs is the increase in child pornography cases in India. According to the National Center for Missing and Exploited Children (NCMEC), India reported the highest number of child pornography cases in the world between 1998 and 2017.67 NCMEC argues that its ability to report child pornography cases to LEAs will be severely circumscribed if E2E encryption is implemented without a solution to safeguard children.68 Though OTT messaging companies like WhatsApp use mechanisms to detect such material, their techniques are limited to the analysis of all unencrypted material such as profile and group photos.69 WhatsApp bans 300,000 accounts per month for suspected child sexual abuse material in response to user reports.70

At the same time, the Indian government has claimed that social media companies refuse to cooperate with it for legitimate law enforcement activities. The problems Indian LEAs face in getting access to personal data from foreign technology companies further exacerbate this issue.71 In January 2021, protests by some Indian farmers against newly enacted laws turned violent. The Indian government blamed social media companies for not being responsive to official demands for taking inflammatory content down.72 This specific incident served as the catalyst for recent changes to India’s regulations of intermediaries and social media companies, including a mandatory provision requiring OTT communication services to provide information about the originators of messages to LEAs.

While this latest change seems like a major disruption to the existing policy landscape, the Indian government has consistently taken the position that there must be exceptions to encrypted communications on grounds of protecting national security and combating crime. This is evident in the direction of regulatory developments in the country over the last two decades.

REGULATORY DEVELOPMENTS REGARDING ENCRYPTION IN INDIA

India has an established process for accessing communications built into its laws, but this process is designed primarily to access information from telecom service providers. In 1999, the Indian Ministry of Communications’ Department of Telecommunications prescribed that service providers use up to a 40-bit symmetric key length—an archaic standard even for the time—to encrypt their networks.73 But in 2013, this requirement was dropped. Telecom service providers are now prohibited from relying on bulk encryption, thereby making access to telecom data by LEAs easier.

In 2015, the Indian government released a draft of the country’s National Encryption Policy for public comment.74 In its preamble, the draft policy highlighted the importance of securing internet transactions while also balancing the requirements of national security agencies and LEAs. However, the policy did not prescribe the encryption standards to be used; instead, it merely stipulated that the central government would set the standards for citizens, businesses, and government entities. The draft policy puts the onus on these three categories of service providers to make the plaintext of communications available on demand for law enforcement purposes. The policy faced significant backlash and was withdrawn in September 2015.75

In 2018, the Ministry of Electronics and Information Technology introduced a draft of new intermediary rules for social media platforms.76 The primary aim was to hold social media platforms accountable under law for the spread of fake news. The new obligations included cooperating with LEAs to trace messages to their first originators and using automated tools to remove unlawful content.77 In 2021, a modified version of these rules was officially notified in the Gazette of India.78 These rules changed the conditions under which intermediaries, including OTT service providers, will enjoy safe harbor protections.79

The rules include obligations for two new types of intermediaries—social media intermediaries and significant social media intermediaries. A social media intermediary primarily enables interactions, and exchanges of information, between two or more users.80 Significant social media intermediaries are those that have a minimum of 50 lakh (5 million) registered users in India.81

Obligations for significant social media intermediaries include the appointment of compliance officers, the establishment of a complaint mechanism, and the creation of a notice and appeal mechanism.82 Some of the new obligations have a direct bearing on E2E encryption. The rules state that significant social media intermediaries engaged primarily in messaging services must enable identification of the first originator of a message.83 This stipulation is limited to cases involving serious crimes listed in the rules.84 However, the rules do not require intermediaries to provide the contents of these messages. Significant intermediaries must also endeavor to use technology-based tools to (1) proactively identify acts depicting rape and child sexual abuse or conduct and (2) display a notice to users trying to access the information.85 The ministry has the power to place these obligations on any other intermediary as well.86

The challenge for OTT messaging companies is that E2E encryption by design does not allow for tracing and filtering, which require tracking every instance a message has been sent.87 This cannot be done since even the service provider does not have the ability to decrypt and access messages. Therefore, in stipulating these obligations, the Indian government is continuing the trend of making escalating demands on communication service providers, including OTT companies, to break encryption and cooperate more with LEAs.

However, the Telecom Regulatory Authority of India (TRAI) has struck a discordant note. In September 2020, the authority released its recommendations on a regulatory framework for OTT communications services. These recommendations were the product of a stakeholder consultation process that began in November 2018. The TRAI highlighted that “any requirements to cater to get the details of communication in an intelligible form or clear text [plaintext] would either lead to change in the entire architecture of such OTT services which might not provide same level of protection as offered today.”88 It is unclear why the ministry in charge of telecommunications and the TRAI have failed to reconcile these disparate views on the technical feasibility and security consequences of mandating traceability and/or weakening encryption through other means.

In addition, demands for weakening encryption have not always been clear and specific. The Indian government has long sought broad access to encrypted information for equally broad objectives. Draft provisions requiring access have been justified on grounds ranging from protecting India’s national security to aiding investigations of serious crimes. Instead of articulating specific requirements, however, the Indian government started by objecting to the use of E2E encryption itself.89 Concerns over the spread of fake news were added to the list of issues.90 These demands have become more specific and defined in scope in recent times. In 2018, India’s minister for electronics and information technology stated the following:

When we talk of traceability, we don’t talk of decrypting the messages but we insist on location and identification of the original sender of WhatsApp messages when such messages lead to provocation of violence, heinous offences and other serious crimes.91

It is this demand that has been codified in the rules published in 2021.

CONCERNS ABOUT WEAKENING ENCRYPTION

OTT service providers such as WhatsApp have claimed that identifying the originator of a message is likely to be an issue since doing so would require them to track every message.92

They argue that there is no way to predict which messages the government would want.93

An Indian scholar and member of India’s National Security Advisory Board asserts that traceability can indeed be implemented by OTT services.94 However, others state that this proposal does not take into account cryptographic practices used in E2E encryption and that it would make attribution more difficult.95 In addition, some claim that the proposal would increase systemic vulnerability, since a third party would be able to see when a user is sending a message.96

The arguments for and counterarguments against traceability are emblematic of the misunderstanding of the use of encryption. As one scholar argues, the design of even a small-scale encryption process is extremely complex, and even minor changes often introduce fatal flaws.97 He also points out that any system established for handling requests from government agencies will be vulnerable to fraudulent access from nation-state adversaries.

Prior communication systems that have been altered to comply with similar government requirements have turned out to be insecure—to the extent that vulnerabilities have been exploited for years before being discovered.98 And, so far, no systems designed to enable exceptional access for surveillance and law enforcement have been able to avoid introducing significant vulnerabilities.99 Access for legitimate actors creates access opportunities for bad actors too.

This risk is significant, since India fares poorly in global rankings on cybersecurity aptitude.100 In addition, rapid digitalization exacerbated by the coronavirus pandemic has forced large segments of India’s population to transact online for the first time, making them more susceptible to malicious online behavior. Any vulnerability in the security of online communications that becomes a feature of an encryption-based system could therefore increase the risk of harm to vulnerable groups.

Beyond these increased risks, requiring a system of exceptional access would significantly increase the costs of development for small entities for whom “the law enforcement access mechanism could be expected to represent almost as much design and development effort as the underlying function of the software itself.”101

Even if the Indian government could design regulations to help incentivize technological developments that could overcome these challenges, the encryption debate is a policy issue, not just a technological one. Any system that enables access to encrypted information would have to be rooted in the specific due-process provisions of the Indian Constitution.

Breaking encryption raises concerns about the misuse of official powers and violations of civil liberties. One safeguard for ensuring due process in existing Indian law is prior authorization for encryption breaks by a judge or an otherwise independent official or body.102 However, the current procedures for lawful access, decryption, and wiretapping under India’s Information Technology Act (2000) and Telegraph Act (1885) do not require prior authorization by an independent authority.103 Such procedures are authorized by the central government or the state authorities in question, creating the potential for the misuse of power.

For example, this power could be used to target political opponents. Last year, in the state of Rajasthan, phone conversations between a union minister, a state minister, and another political representative were leaked, causing a huge political stir.104 The ruling government later admitted to ordering the phone tapping “in the interest of public security and order.” India’s Central Bureau of Investigation is currently examining a similar case in the state of Karnataka, where the phones of political leaders were allegedly tapped illegally without any written instructions.105 Given this history, concerns about the misuse of power are well founded, especially considering that, under the new rules, interception and decryption can be ordered on broad grounds with little to no independent oversight. The recent revelations about the widespread use of the Pegasus spyware is a prime example of the potential for the misuse of such technologies including backdoors.

A WAY FORWARD: A POLICY FRAMEWORK FOR BALANCING PRIVACY AND NATIONAL SECURITY

Solving the encryption issue is not merely a question of seeking the right balance. Past and existing efforts to facilitate access to encrypted information have all resulted in systemic vulnerabilities. The weakening of encryption generates externalities that are sometimes not well understood until much later. The solution also does not lie in adopting extreme positions: either weakening encryption to meet broad security and LEA objectives or providing no pathway to accessing encrypted information.

The right approach involves answering a series of difficult questions on the appropriate policy design for the Indian context. These questions are based on those framed in a 2018 report by the U.S. National Academies of Sciences, Engineering, and Medicine.106 Answers to these questions will be explored in Carnegie India’s next paper in this series. The following questions have been adapted from that report:
Will the proposed alternative effectively allow LEAs and intelligence agencies to access information with the scale, timeliness, and reliability that proponents seek?

(In the United States, the demands from LEAs and intelligence agencies have centered around access to plaintext information that is encrypted. In India, however, the government has clearly stated that it seeks the originator of a message rather than the content. This objective requires evaluating traceability specifically, in addition to other technical alternatives examined in existing literature).
How will the proposed approach affect the security of encrypted information?

(The Indian government is not seeking access to content data. However, there is a legitimate concern that implementing traceability mechanisms or other alternatives for providing originator information could weaken encryption).

To what extent will the alternatives considered affect the privacy and civil liberties of India’s population?

To what extent will the proposed approach affect India’s economic competitiveness?

What will the direct financial costs of the proposed alternatives be?

Will the proposed approach improve, or at least maintain, existing legal protections against the misuse of surveillance powers?

No comments:

Post a Comment