## Thursday, May 27, 2021

### An analysis of the SEBI WhatsApp Orders: Some observations on regulation-making and adjudication

by Rajat Asthana, Renuka Sane and S. Vivek.

The idea of company insiders making huge profits on the basis of non-public information has always elicited a rich discussion on the regulation of insider trading. If the goal of regulation is to shape market participants' behaviour, both the text of the regulations and the subsequent enforcement actions of regulators should support this objective. When these are unclear or contradictory, merely having regulations on the books is unlikely to help. At worst, this may even hinder market efficiency. It is important, therefore, to look at how regulations have been drafted, and to see whether there is a consistent communication of what the regulations mean. This includes questions on the clarity of the regulations, the process of regulation-making, as well as the predictability in enforcement.

In this article we use the example of recent orders in the "WhatsApp case" to demonstrate the problems in: (1) the process of regulation-making, and (2) adjudication, in the context of insider trading regulations. The orders raise several substantive questions. These relate to the scope of the term 'insider', meaning of Unpublished Price Sensitive Information (UPSI), and use of messaging platforms. However, in this article, we mainly focus on the issue of the working of the regulator.

India may have formal provisions against insider trading, and satisfy international standards in that regard. However, the substantive content of the regulations, the rationale for these regulations, the manner of prosecution by the regulator, and the imposition of penalties have all raised concerns on the clarity, consistency and predictability in the regulatory process. This may impose significant costs on regulated entities, and consequently, on cost of capital.

### Background: The WhatsApp case

Insider trading in India comprises two types of offences: trading with unpublished price sensitive information ("UPSI") and communication of UPSI (even in the absence of trading). In November 2017, Reuters reported that information about financial results of listed companies was being exchanged on WhatsApp groups, in advance of such results being announced publicly. The news report identified 12 companies where the messages proved to be "prescient", i.e., they appeared to accurately predict the actual results. Based on this news report, the Securities and Exchange Board of India (SEBI) initiated an investigation into the matter. Based on this investigation, separate show-cause notices were issued to certain individuals who were part of the WhatsApp group, and it was alleged that the noticees had communicated UPSI, which, even in the absence of trading, constituted a violation of provisions of the Securities and Exchange Board of India Act, 1992 (SEBI Act) and the SEBI (Prevention of Insider Trading) Regulations, 2015 (Insider Trading Regulations).

The noticees set up a defense on the basis that the information that they shared on the WhatsApp group was not UPSI. The information had not been sourced from the relevant company or any insider. Further, the messages were not 'price sensitive information' or 'financial results' but in the nature of gossip or 'Heard on the Street'. Additionally, messages were exchanged about several companies - a few of which were consistent with the actual financial results, and many others which were not - and accordingly, the allegations were based on cherry-picked messages. It was also argued that the source of the messages on the WhatsApp group could be analyst reports which had predicted similar results, and therefore should be considered as generally available information (and not UPSI).

The SEBI Adjudicating Officer (AO) dismissed these defenses and held that the messages were UPSI. The AO reasoned that while the source could not be identified because the messages were being shared on WhatsApp, they were UPSI because: (1) the messages were shared just prior to the results being released publicly, and (2) they were so similar to the actual financial results, that it was unlikely to be a coincidence. Further, since the noticees did not clearly establish the analyst reports as the source of the messages, they are not entitled to the 'benefit of doubt' that the messages were in fact sourced from such reports. Accordingly, a penalty of Rs.15 lakh was imposed on the noticees.

On appeal, the Securities Appellate Tribunal (SAT) set aside the SEBI order. It held that SEBI had not given adequate consideration to some of the defences. It also held that for information to be UPSI, the recipient had to know that it was UPSI. The evidence available did not establish the state of mind of the recipients and accordingly, the SEBI order was set aside.

### Standard-setting Choices

Standards for insider trading are not uniform across jurisdictions. For example, in the US, liability arises only if the person owes a fiduciary duty to the company or its shareholders or the source of the UPSI. Other jurisdictions such as the UK and Singapore, have adopted the 'parity of information' approach where the emphasis is on the information with the person trading, and not on how it was obtained or whether there was an intention to violate the law (Varottil, 2016).

In India, the language of Regulations 3 and 4 of the Insider Trading Regulations indicates a strict liability regime, where the focus is on the UPSI, and not on the intention behind the trade or the source of the information. Regulation 3(1) prohibits communication of UPSI and Regulation 4 prohibits trading when in possession of UPSI.

Committee reports on insider trading have recommended that communication of UPSI by itself should be an offence. While the offence is drafted broadly, the interpretive note provided in regulations appears to indicate that the emphasis is on the company to ensure that UPSI is not leaked. The High Level Committee to Review the SEBI (Prohibition of Insider Trading), 1992 under the chairmanship of Justice N.K. Sodhi dated December 7, 2013 (Sodhi Committee Report), observed that 'to maintain hygiene' and to 'ensure that UPSI is not handled lightly... and is not communicated except where necessary', communication of UPSI is to be prohibited (Sodhi Committee Report, 2014). The report of the Committee on Fair Market Conduct under the chairmanship of T.K. Viswanathan dated August 8, 2018 (TK Viswanathan Committee Report), observed that UPSI may be communicated for legitimate purposes. The report clarified the meaning of the term 'legitimate purpose', and also recommended maintaining a database of persons to whom such UPSI is being communicated, to prevent misuse.

However, neither the Insider Trading Regulations nor the committee reports distinguish between persons who have a duty to keep the information confidential (such as directors and officers of the company), and outsiders who may chance upon this information but do not have any such obligation. In Singapore, for example, it is presumed that connected persons were aware that the information is UPSI; however, this presumption is not 'available' for others including tippees. In the absence of such guiding principles or specific rules, these critical questions are left entirely to the AO's discretion.

Further, the SEBI Board made certain modifications to the draft regulations suggested by the Sodhi Committee Report, but the reasons for such modifications are not available publicly. One of the changes was to delete the clear language in the draft regulations that research reports should be considered as generally available information. While there may be good reasons for the SEBI Board to have made this modification, the absence of reasons for this choice leads to confusion about how information in research reports should be treated. For example, if it were clear that information in research reports is generally available information, then similar numbers appearing in a WhatsApp group should not have raised UPSI concerns.

Lack of clarity on reasons for specific legislative choices could also lead to different views being taken by various adjudication officers and the appellate tribunal.

### Adjudicatory Discipline

There will always be some uncertainty inherent in legal rules, despite best efforts during the standard-setting process. Disagreement among judicial officers on the interpretation of the law is expected to be settled by appeals to higher tribunals/courts. However, for this process to work, judicial officers will have to look to previous interpretations and record reasons if a new interpretation is preferred in a specific case, especially if a higher tribunal has already indicated a particular interpretation. How has uncertainty been resolved in the WhatsApp orders?

The SEBI AO order states that it was not possible to identify the original source of the messages shared on the WhatsApp group. Inquiries with the relevant companies also did not establish any leak of the financial information. The noticees were not clear as to how they received the messages, but they suggested that the messages could have been sourced from analyst reports. How should information in the hands of unconnected third parties be evaluated?

The committee reports do not provide an answer in the context of the communication offence. However, in the context of the trading offence, the Sodhi Committee Report states that SEBI will be required to demonstrate that: (1) trading took place, and (2) that there can be a reasonable inference of the person being in possession of UPSI at the time of execution of the trade. If the trade is by an 'outsider' i.e. a person not connected to the company, then SEBI has to further demonstrate a prima facie case that the noticee was in possession of UPSI at the time of trading (Sodhi Committee Report).

The AO order states that since the information is closely aligned to the actual results, and the noticees have not been able to demonstrate how they came to be in possession of the information, it is to be presumed that the information is UPSI. Further, while the source of the information could not be traced, the noticees cannot be given the 'benefit of doubt' given the 'gravity of consequences' resulting from the sharing of such information.

In terms of the AO's interpretation, the Insider Trading Regulations do not require the source of the information to be identified for a violation to be established. However, this issue has been considered earlier by both SEBI and the SAT. The SAT has held that the source of the information is an important element in establishing UPSI (Samir Arora v. SEBI). The AO orders have neither accepted that principle nor sought to distinguish that precedent based on specific facts. Further, while there are references in the AO orders to judicial decisions on circumstantial evidence being sufficient in certain cases, this issue was not in dispute. The AO orders do not cite any precedent to justify how mere similarity of some information with the actual results is sufficient for it to be classified as UPSI. Further, while the AO order cites various extracts from the Sodhi Committee Report, there is no reference to the portion which states (albeit in the context of trading) that it is SEBI's obligation to show, prima facie, how an unconnected person was in possession of UPSI.

Additionally, it is worth noting the approach in some other SEBI orders on insider trading issued around the same time: One held that the noticee was not liable for insider trading (even though the noticee had UPSI and had traded) since the intention behind the Insider Trading Regulations is that the person in possession of UPSI should not benefit compared to the general investor. In another, even though a director had access to UPSI and benefited from trading, it was held that although price sensitive, the information was wrongly disclosed by the company and therefore was not UPSI; and that the director's conduct did not indicate that he intended to maximise profits (a defense that the SEBI Board expressly rejected while adopting the other recommendations of the Sodhi Committee Report). In a third case, a company official had traded when the trading window was closed, but it was held not to be in violation of the Insider Trading Regulations as there was no material to show that the trading was on the basis of the UPSI (although this is not the requirement under the Insider Trading Regulations). If any one of these principles had been applied in the WhatsApp orders, the result could have been different.

Further, while the SAT records its earlier judgment emphasizing the importance of the source of UPSI, it sets out a new test for subjective knowledge of the recipient. Again, there is no reference to precedent or to the background reports for setting out this new test. Indeed, the SAT could have set aside the SEBI order by merely reiterating the principle in its earlier judgment and avoided setting out a new test.

### Penalty

The AO's order on penalty also demonstrates that when there are gaps in the law, officials use their discretion completely. Section 15J of the SEBI Act sets out the factors which are to be considered when an AO imposes penalties:

1. Amount of disproportionate gain or unfair advantage, where quantifiable, as a result of the default;

2. Amount of loss caused to investors as a result of the default; and

3. Repetitive nature of the default.

In imposing a penalty on the noticees, the AO is forced to concede that none of these factors apply in this case. By merely communicating UPSI, no loss or advantage had been caused to anyone. The AO then proceeds to impose a penalty of Rs. 15 lakh, as such acts may compromise the confidence of investors in the market.

Evidently, the considerations for imposing the penalty do not relate to the different types of offences. In Adjudicating Officer, SEBI v. Bhavesh Pabari, the Supreme Court held that the factors set out in Section 15J are not exhaustive, particularly in the context of offences such as failure to furnish information and returns, which will typically not involve the factors set out above. It is arguable if this holding entirely applies in the context of insider trading where these factors are typically relevant. In any event, even if these factors do not apply, the order should state what other factors outside of Section 15J have been considered relevant. Without these reasons, it is not clear how the penalty amount of Rs. 15 lakh was calculated. These are concerns not specific to the individual penalty imposed in this case but for the overall design of the regulations.

### Implications for the design of the legal framework

The learnings from the WhatsApp case have implications for the design of the insider trading framework in India:

1. Standard-setting: Lack of clarity on why certain choices were made at the time of standard-setting makes it challenging to interpret the principles inherent in the regulations. Further, even where the SEBI Board has deviated from some recommendations of the expert committee, the reasons for such deviation have not been disclosed. This information is critical, not only from the perspective of transparency, but also as a guide to officials as to the purpose of creating an offence, when they adjudicate cases in connection with such matters.

2. Adjudicatory process: While the common law judicial tradition is well suited to clarify existing principles in light of changes in technology and markets (Report of the Financial Sector Legislative Reforms Commission), this requires officials to record their interpretation of law and explain if that is different from an earlier interpretation. Similarly, while imposing penalties, the factors considered should be made explicit to ensure clear communication to stakeholders and consistency among orders.

3. Taking stock: More than five years have passed since this iteration of the Insider Trading Regulations was issued. It is not possible to think of every situation at the drafting stage, particularly for an area that is constantly changing. Further, there have been changes to some portions of the regulations pursuant to the TK Viswanathan Committee Report. However, a comprehensive review of the effectiveness of the regulations, and a transparent discussion of the various choices made in framing the regulations, will benefit all stakeholders.

### Conclusion

The problems of the insider trading legal framework discussed in this article connect to an emerging literature on the problems of regulatory governance in India. For example, Burman and Zaveri (2018) study the process of public consultation in regulation making across three regulators in India and find that much more needs to be done. Others have argued that there is little guidance given to regulators on how to translate the principles of law into practice (Burman & Krishnan, 2019; Sundaresan, 2018; Goyal and Sane, 2021). This leads to a situation of weak state capacity in India (Roy et al., 2019).

Ultimately, if the goal of regulation is to (dis)incentivise market participants from (not) behaving in a particular manner, then the text of the regulations, and subsequent actions of regulators should support such an objective. If the text and the subsequent actions of the legal regime are weak, unclear, confusing, or inconsistent, then the mere existence of a legal framework may at best not help, and at worst, actually hinder the working of the market. It is also important to study how the text of the law was arrived at: whether there is adequate rationale provided on the choices made, whether public consultations have been undertaken, and whether sufficient guidance is provided to both the regulator and the regulated entities, so that there is a shared understanding of the objective and the process of the legal framework. It is also critical to ensure that the regulator moves towards a consistent interpretation of the regulations that allows for predictability, instead of each order interpreting the regulations in its own way.

References

Burman, A., & Krishnan, K. (2019). Statutory regulatory authorities: Evolution and impact.

Burman, A., & Zaveri, B. (2018). Regulatory responsiveness in India: A normative and empirical framework for assessment. William & Mary Policy Review, 9 (2), 1-26. https://bit.ly/32eDCdX

Roy, S., Shah, A., Srikrishna, B. N., & Sundaresan, S. (2019). Building state capacity for regulation in India. Devesh Kapur and Madhav Khosla (eds.), Regulation in India: Design, Capacity, Performance, Oxford: Hart Publishing.

Samir Arora v. SEBI, (2004) SCC Online 90.

Sodhi Committee report - Part II, paragraph 43, page 27; SEBI Board Agenda dated November 14, 2014 - paragraph 2.2.

Sundaresan, S. (2018). Capacity building is imperative. Column titled Without Contempt in the editions of Business Standard dated August 2, 2018.

Varottil, U. (2016), "Due Diligence in Share Acquisitions: Navigating the Insider Trading Regime", NUS working paper at page 9 (April 2016).

Rajat Asthana and S. Vivek are researchers with the Regulatory Governance Project at the National Law School of India University, Bengaluru. Renuka Sane is a researcher at NIPFP. Author names are in alphabetical order. We thank two referees for useful comments. Views are personal.

## Wednesday, May 26, 2021

### Litigation in public contracts: some estimates from court data

by Devendra Damle, Karan Gulati, Anjali Sharma and Bhargavi Zaveri.

### Introduction

Public contracts are contracts executed by the government and its agencies to procure goods, services and works. Public contracts in India are perceived to be litigation prone. There is evidence that more than half the road projects awarded by the government of India were the subject matter of litigation before the courts and arbitration tribunals, and that a significantly large value of infrastructure projects are stuck in litigation for prolonged periods. This article seeks to estimate and understand the volume and nature of litigation relating to public contracts by observing litigation in one high court in India.

Understanding the volume, value and nature of litigation arising in public contracts is critical. First, the government is an active procurer of goods, services and works in several large sectors such as natural resources and infrastructure. The state's litigation propensity in contracts is a key factor in the ease of doing business in such sectors. Second, the propensity of each government department and agency, such as the union, states, urban local bodies, CPSEs and SPSEs, to engage in litigation may vary. Assessing the litigation propensity of different government departments and agencies helps contractual counterparties assess the costs of dealing with them. Third, estimating the volume, value, costs and outcomes of government litigation helps understand its impact on the exchequer. It can serve as a useful feedback loop in planning the litigation policy of the government and its agencies.

Our analysis suggests that the government is a counterparty to more than half the civil commercial litigation in the Delhi High Court. However, a small proportion of this litigation can be linked to disputes in public contracts. Second, we find that the government is not a major initiator of, but is a large defender in litigation involving public contracts. However, more than 50% of the cases filed by the government against businesses are of one type, namely, challenges to arbitration awards passed in disputes arising in public contracts. Finally, we find that businesses are not using the standard legal remedy of suits for enforcing contractual claims against the government or its agencies. This suggests that most of this litigation is related to the pre-award stages of the business-government engagement. This could also be attributed to the procedural simplicity of proving claims in writ petitions and the relatively quicker duration within which they get disposed.

The popular discourse on government litigation has focused on the volume and pendency of the litigation to which the government or its agencies are a counterparty. Our findings, although limited to observations of the Delhi High Court, provide a foundation for drawing up data-backed country-level estimates of the government's propensity to litigate, and the time, costs and court capacity consumed in litigation relating to public contracts.

### Data and approach

For our analysis, we start with a dataset of cases filed before the Delhi High Court from 1st January 2007 until 30th September 2020 ("study period"). We select the Delhi High Court for our analysis for two reasons. First, the Delhi High Court is one of the five High Courts in India exercising original jurisdiction over contractual disputes. All High Courts in India, except these five, exercise appellate jurisdiction. This means that they restrict themselves to reviewing the lower courts' orders. The Delhi High Court is the first level dispute redressal forum for disputes within its territorial jurisdiction in commercial contracts exceeding Rs. 2 crores. The second reason is the physical proximity of the Delhi High Court to the central government and its agencies.

The objective of our analysis is to understand litigation in public contracts. The Delhi High Court classifies case-types into 288 categories. During the study period, 5,42,355 cases have been filed before the Delhi High Court across these categories. These categories cover every type of case that the court deals with, ranging from admiralty cases to family disputes. We undertake three rounds of data filtering to arrive at a subset of cases that are the closest proxies of contractual disputes involving the government.

Filtering out cases not involving contractual disputes with the government

In the first instance, we filter out all the case-types which are not related to contracts. For instance, we filter out bail and criminal applications, testamentary and tax matters and matters under the Companies Act and contempt petitions. We filter out all appellate matters and references from lower courts. We filter out cases where either of the parties is unknown or the data is not machine-readable. This gives us a dataset of 2.2 lakh civil cases filed in the study period. Of these, 1,37,734 cases (about 62%) have the government or its agencies as a counterparty (Table 1). This dataset includes completed as well as pending cases. 81% of the cases in our dataset are disposed of.

| Sr.No. | Party-type | As Petitioner | As respondent | Total (% of government cases) |
|---|---|---|---|---|
| 1. | Union of India | 8020 | 58,184 | 66,204 (48.06) |
| 2. | State Government | 2443 | 31,539 | 33,982 (24.62) |
| 3. | Municipal bodies/panchayats | 2174 | 16,121 | 18,295 (13.28) |
| 4. | CPSEs | 3908 | 9021 | 12,119 (8.79) |
| 5. | SPSEs | 1161 | 3427 | 4,588 (3.33) |
| 6. | Court | 171 | 833 | 1,004 (0.72) |
| 7. | Constitutional bodies | 189 | 543 | 732 (0.53) |
| | Total | 18,066 | 1,19,668 | 1,37,734 (100) |

Constitutional bodies in Table 1 refer to constitutional authorities, such as the Comptroller and Auditor General of India. The Union of India includes the government of India, statutory authorities set up under a central law such as the National Highways Authority of India (NHAI), and statutory regulators such as SEBI and TRAI. Table 1 demonstrates that a bulk of the civil commercial litigation in the Delhi High Court has the government as a counterparty. It also shows that while the state is not responsible for initiating large amounts of civil commercial litigation, the state and its agencies constitute the largest respondent in such litigation.

We classify the Government-cases in Table 1 into five categories: civil writ petition, civil suits (original side and commercial), miscellaneous petitions (original and civil misc main), arbitration petitions and applications and land acquisition-related disputes (Table 2).

| Sr.No. | Case-type | Govt. as Petitioner | Govt. as respondent | Total (% of government cases) |
|---|---|---|---|---|
| 1. | Writ petitions | 10,476 | 1,06,179 | 1,16,655 (84.69) |
| 2. | Miscellaneous petitions | 3,493 | 5,168 | 8,661 (6.28) |
| 3. | Land Acquisition related cases | 3,180 | 3,663 | 6,843 (4.9) |
| 4. | Arbitration petitions and applications | 221 | 2,837 | 3,058 (2.54) |
| 5. | Civil suits | 696 | 1,818 | 2,514 (1.8) |
| | Total | 18,066 | 1,19,668 | 1,37,734 (100) |

Table 2 shows that civil writ petitions constitute the bulk of the cases involving the government and its agencies. Writ petitions are, by design, cases filed against the government or its agencies for the violation of fundamental rights and not contracts. However, anecdotally, we know that contractual claims against the government and its agencies are often agitated through civil writ petitions. Hence, we retain civil writ petitions for our analysis.

### Findings

While the government is a counterparty to 1.4 lakh or 60% of the civil commercial cases in our data-set, a bulk of these cases are by and against individuals and other types of entities such as trade unions or political parties. These disputes would therefore largely pertain to employment matters such as unfair dismissals, denial of promotion in government service or pension and evictions from public premises. The objective of our study is to understand the litigation arising out of public contracts.

Litigiousness

For our study, we characterise only cases filed by or against businesses (body corporates incorporated as private or public limited companies) as public contracts-related litigation. This is because our data covers public contracts whose value exceeds Rs. 2 crores. Public contracts exceeding this threshold value are awarded through a tender process. The condition that a bidder for public contracts should be incorporated as a company is commonly found in government tender documents.

In the sub-set of writ petitions, we retain writ petitions between businesses and a sub-set of government agencies, such as CPSEs (except banks) and SPSEs, and statutory agencies that are engaged in procurement, such as the National Highways Authority of India (NHAI), Airports Authority of India (AAI), the Delhi Metro Rail Corporation (DMRC) and the National Buildings Construction Corporation Limited (NBCC) in our data.

We exclude writ petitions filed against government owned banks as they largely pertain to debt restructuring and not procurement-related disputes. We also exclude the writ petitions filed by businesses against the government of India, constitutional authorities and State Governments from our analysis as a large percentage of them pertain to tax matters, constitutional challenges to laws enacted by the Parliament and state legislatures respectively, and executive actions, such as notifications and circulars issued by the government and state governments respectively. Similarly, a review of a sample of writ petitions filed by businesses against municipal bodies and panchayats suggests that they largely pertain to matters involving eviction from public premises and violations of licensing norms governing commercial establishments operated by such businesses. We also exclude land acquisition-related matters as they are largely challenges to notifications issued by the government notifying land parcels for compulsory acquisition and other actions undertaken by the government under the land acquisition laws.

This exercise of filtering may exclude some contractual disputes between the government and its contractors or vendors. Our findings are therefore based on a conservative estimate of the volume of litigation in public contracts.

This filtering exercise generates a subset of 9,313 cases between businesses and the government and its agencies (Table 3). We use this subset of cases as a proxy for litigation between the government and businesses in connection with public contracts. Table 3 suggests that such litigation is a small proportion (about 7%) of the overall litigation involving the government. Further, the state is not a major initiator of such litigation. Businesses initiate the bulk of the government-business contractual litigation. The CPSEs account for nearly half of such litigation in the Delhi High Court. This suggests that while CPSEs are a small contributor to the overall commercial litigation involving the government (as shown in Table 1), they are a large contributor to the litigation involving public contracts. The central government and several states have issued policies to manage and curb litigation by the government and its agencies. These policies have largely taken a top-down approach towards minimising litigation at the level of the union and state governments. Our assessment suggests that there is potential for the government to explore the incentive structures at the level of the departments within the Union government and CPSEs that drive litigation arising from public contracts.

| | Business as Petitioner | Business as Respondent | Total (% share) |
|---|---|---|---|
| CPSE | 3,329 | 1,223 | 4,552 (48.87) |
| Union | 2,027 | 885 | 2,912 (30.26) |
| State | 711 | 249 | 960 (10.30) |
| Panchayat/Urban local body | 412 | 124 | 536 (5.75) |
| SPSE | 239 | 111 | 350 (3.75) |
| Autonomous constitutional | 3 | 0 | 3 (0.03) |
| Total | 6,721 (72.16) | 2,592 (27.83) | 9,313 (100.0) |

Case types

Table 4 shows that the bulk of the government initiated litigation is in the 'original miscellaneous petitions' (OMPs) category. Conversations with practitioners and support staff of the judges in the Delhi High Court suggest that as many as 70% of the cases filed as OMPs in the Delhi High Court involve challenges to the enforcement of arbitration awards. We also reviewed a small sample of OMPs, which confirmed this perception. Arbitration petitions and applications account for the second-largest type of cases involving the government and businesses. These petitions are generally filed for directions from the court for the appointment of an arbitrator where either party to the dispute fails to appoint one, interim relief during arbitration proceedings and extension of timelines for conducting the arbitration. The high proportion of 'OMPs' and 'arbitration' cases in our data suggests that a significant proportion of government-business contractual litigation is getting resolved by arbitration.

We also find that a bulk of the writ petitions filed by businesses in our dataset (a little more than 84%) are against CPSEs. This pattern holds over the entire window of observation. We estimate that these writ petitions could pertain to disputes in two areas of public procurement. They may pertain to violation by CPSEs of procurement norms in the tendering phase of public procurement. The second possibility is that they could pertain to disputes in the post-award stage, such as delayed payments or other wrongful acts during the term of the contract. This is problematic because writ petitions are a remedy for the enforcement of fundamental rights against the government. Courts have repeatedly denied purely contractual claims against the government through the remedy of writ petitions. However, if the writ petitions against CPSEs indeed pertain to disputes arising post the tender award, it suggests that businesses find it efficient to agitate contractual claims through writ petitions. This may indicate a judicial tendency to prioritise writ petitions over other matters. This could also be attributed to the relatively lower threshold for proving claims in writ petitions.

| | WP | CS | OMP | Arbitration | Others | Total |
|---|---|---|---|---|---|---|
| G2B | 69 | 276 | 1,938 | 152 | 157 | 2,592 |
| B2G | 932 | 895 | 2,704 | 1,973 | 217 | 6,721 |
| Total | 1,001 | 1,171 | 4,642 | 2,124 | 374 | 9,313 |

Time taken

Approximately 1.7 lakh of the 2.2 lakh cases in our dataset are disposed cases. We find that the average disposal period for a case in our data is about one year from its institution. For this subset of disposed cases, we calculate the average duration for disposal in years based on the year of institution to the year of disposal (Table 5). The average duration for the disposal of writ petitions is lower than that for civil suits and lower than the overall average. This reinforces the notion that counterparties to government contracts may be enforcing their contractual claims through writ petitions.

| Case-type | Average duration for disposal (years) |
|---|---|
| Writ petitions (civil) | 0.81 |
| Civil suits (original)* | 2.30 |
| Civil suits (commercial bench)** | 1.01 |
| Miscellaneous petition | 1.17 |
| Arbitration petitions, applications, etc. | 0.56 |
| Overall | 0.98 |

*Suits disposed of by a regular bench of the court.

**Suits disposed of by the commercial division of the High Court set up under the Commercial Courts Act, 2015.

Table 6 shows the number of years for the disposal of cases in the overall data, cases to which the government is a party, and other cases. Table 6 suggests that the bulk of the commercial cases are disposed of by the Delhi High Court within two years from the date of their institution. We also find that a significantly higher number of commercial cases involving the government are disposed of within a year compared to the other cases. This is contrary to the popular perception that delays prolong government litigation. This does not appear to be the case for commercial litigation involving the government. In fact, we find that commercial cases involving the government as a respondent and those not involving the government require, on average, the same number of hearings by the court before their disposal. This suggests that a commercial case involving the government does not, on average, consume more resources of the court than regular cases.

Number of cases (% share)

| Years to disposal | Overall | Government is a party | Other cases |
|---|---|---|---|
| Less than 1 | 95,962 (54.01) | 13,867 (57.75) | 19,724 (43.74) |
| [1, 2) | 42,931 (24.16) | 5,618 (23.4) | 13,521 (29.98) |
| [2, 3) | 17,064 (9.6) | 1,902 (7.92) | 4,901 (10.87) |
| [3, 4) | 9,475 (5.33) | 1,011 (4.21) | 2,716 (6.02) |
| [4, 5) | 4,682 (2.64) | 467 (1.94) | 1,414 (3.14) |
| [5, 10) | 6,807 (3.83) | 993 (4.14) | 2,576 (5.71) |
| Greater than 10 | 745 (0.42) | 153 (0.64) | 246 (0.55) |

### Conclusion

Our findings are limited to our observations on the government litigation in the Delhi High Court.

Some of these observations confirm pre-conceived notions of litigation between the state and businesses in India. For example, data from the Delhi High Court demonstrates that so far as concerns civil commercial cases, the government is a party to more than the popularly cited 46% of the cases in courts. However, very little of this litigation is attributable to public contracts between business and the state. Similarly, the usage of writ petitions to enforce contractual claims against the state is documented to some extent in court judgements. Our data demonstrates a high proportion of writ petitions linked to the enforcement of public contracts. This may be partly attributable to the nature of the claim involved and the relatively higher average duration for the disposal of suits. Some of our findings help dispel some pre-conceived notions. For example, the widely held perception that the government prolongs litigation is not true of commercial cases adjudicated before the Delhi High Court, as shown by the average number of hearings taken for commercial cases involving the government and those not involving the government. This may also be reflective of the capacity of the Delhi High Court itself.

A quantitative assessment of the government's litigation is important for identifying the precise bottlenecks that lead to the government being sued and designing a litigation policy that responds to these considerations. Data-backed assessments of the litigation load of the government hold important insights into the costs of doing business with the government and the resources required within the state and in courts to deal with such litigation. This work provides a foundational understanding of commercial litigation involving the government in India. Better and deeper country-level insights can be obtained by expanding the assessment to more courts and potentially undertaking a textual analysis of the final orders in such litigation to identify aspects such as the success ratio and litigation costs.

Bhargavi Zaveri is a researcher at xKDR- Chennai Mathematical Institute. Devendra Damle and Karan Gulati are researchers at the National Institute of Public Finance and Policy. Anjali Sharma is at National eGovernance Services Limited.

### Should consumers be restricted from storing their card data on the internet?

by Renuka Sane, Ajay Shah and Bhargavi Zaveri.

Over the last few months, there have been a number of cases of leaks of personal data from different service providers such as Juspay, MobiKwik, Dominos, and more recently Air India. This has led to concerns about protecting customer data, and calls for better regulation of data storage and cyber security.

One response to the problem of data breaches has been a prohibition imposed in March 2020 by the Reserve Bank of India (RBI) on payment aggregators (PAs), payment gateways (PGs) and merchants from storing consumers' card data on their servers. Effectively, this means that every time a consumer uses a merchant's website, such as a food ordering or a taxi-hailing application, she will have to re-enter her 16-digit card number and other payment details to complete the transaction. This also hinders recurring payment transactions, such as subscription-based services and automatic debit instructions issued using credit or debit cards.

In a new paper, we argue that a blanket prohibition on the storage of card data by consumers is problematic. We recommend less intrusive approaches to address concerns about breaches of card information stored by consumers on websites, such as better security standards, tokenisation and liability frameworks.

### Why is the current approach problematic?

The card data storage prohibition impacts every consumer who transacts on the internet. It affects every business that accepts payments using a credit card, a debit card or a prepaid instrument (PPI). We estimate that the prohibition affects a transaction value of about Rs.3 billion per month. Customers who make payments using data stored by them on the websites of their merchants, online marketplaces as well as utility bill payment services will be deprived of the ease and convenience of saving detailed information of their payment mechanism and instruments on the websites of merchants. They will now have to invest time and effort in making alternate arrangements in making payments. A few seconds of effort multiplied by millions of transactions adds up to a serious burden upon the economy. Many people will find this additional effort to be too much of a burden, and millions of transactions might be disrupted, which is also a cost to the economy.

Besides the loss to consumers, the prohibition could potentially favour certain technologies in the payments industry, such as the Unified Payments Interface (UPI) and net-banking, since the prohibition does not apply to them. It is one thing for some payment instruments to be preferred by consumers because they are seen to provide better security features (such as non-storage of details). But when state actions tilt the competitive playing field in favour of some players or technologies, or when state actions shape the design of products or processes, this raises concerns about central planning.

The RBI has not demonstrated how the potential benefits of the card data storage prohibition outweigh the costs this imposes on customers and payment intermediaries through direct channels (millions of transactions where additional seconds are spent on supplying information every month) and indirect channels (government influence upon the technological choices of society, and the costs incurred by firms in changing over from one technology to another).

Traditionally, such concerns were a part of the new field of public administration, regulators and state capacity in India, where researchers and thinkers were exhorting regulators to work in better ways and proposing modifications of laws. These concerns now connect into an emerging jurisprudence about the minimum standard of processes that regulators must rise to, before using the coercive power of the state.

The card data storage prohibition does not meet the proportionality test laid down by the Supreme Court for delegated legislation. In Internet Mobile Association of India v. Reserve Bank of India (2018), the Supreme Court struck down the RBI circular that effectively prohibited exchanges facilitating transactions in virtual assets and virtual currencies on the ground of proportionality. The RBI has not demonstrated the manner in which the card data prohibition meets the requirements of this test.

The proposal also did not undergo an open transparent public consultation process. In September 2019, the RBI had issued a Discussion Paper on Guidelines for Payment Gateways and Payment Aggregators. Indeed, in its press release dated 17th March, 2017, issued along with the PA/PG Guidelines, the RBI explicitly stated that the said guidelines were 'based on the feedback received' on this discussion paper. However, the discussion paper did not contain its proposal to impose a complete prohibition on card data storage by merchants. On the contrary, the discussion paper proposed giving consumers a choice to save their card data on the websites of merchants, with a default setting of declining to save such data. The imposition of the card data storage prohibition, despite its exclusion in the discussion paper, is thus presented to the merchants and the consumers as a fait accompli. This violates the norms of a responsive public consultation process emphasised by the Supreme Court in Cellular Operators Association of India vs. TRAI (2016). In this case, the Supreme Court reprimanded the Telecom Regulatory Authority of India for not taking into account the arguments of telecom service providers while making a regulation imposing penalties for dropped calls. The court ultimately struck down the regulation.

The consequences of a deficient consultation process manifest themselves in the form of repeated clarifications on the scope and implementation of the data storage prohibition. As we explain in the paper, the scope and implementation of the card data storage prohibition have undergone revision twice in a span of a year. This reflects the weaknesses of RBI's consultation process conducted in 2019.

### Alternative approaches

We argue that while a payment transaction will always involve a non-zero probability of fraud and data leakage, a prohibition is not the answer to these concerns. The path to sound policy analysis involves the application of data security standards, liability frameworks and tokenisation. Data breaches are largely associated with risks that can be classified as 'operational risk'. Operational risks are best dealt with through technology design by merchants and intermediaries in the transaction cycle. PAs and PGs are already required to abide by higher data security standards than those applicable to other firms in India. If these standards are found to be inadequate, then the RBI must demonstrate the inadequacies of these standards, instead of resorting to a prohibition. The RBI has the authority to require its regulated entities (such as PAs) to ensure that the merchants connecting to them adhere to higher standards.

Similarly, the regulatory framework must incentivize an efficient and dynamic approach to risk management by firms. The rules governing the allocation of losses between various stakeholders - consumers, merchants, card (or other payment system) operators, and PAs/PGs - shape these incentives. The rules should be designed so that they a) minimize inconvenience to the consumer, and b) incentivise payment system operators and PAs/PGs to minimize the risk of loss of consumers' data and money. A stable loss allocation rule creates incentives for a dynamic approach by the firms, who continuously respond to emerging threats, and to the improved possibilities for fraud prevention that are made possible by technological change.

Another way to implement better security is through tokenisation, where the card account number is masked by a single-use randomised number (or character) of the same length. With tokenisation, each card number is now represented by a token. The original number need not be stored in the databases of merchants, PAs or PGs. In January 2019, the RBI permitted card networks to offer tokenisation services to any third party app provider. The RBI should consider expanding the scope of the permitted tokenisation offerings, so that payment system intermediaries can make appropriate choices.
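The tokenisation flow described above, as an added sketch that is not code from the paper, the RBI or any card network: a merchant database holds only a same-length, single-use random token, and the card number lives only in the token service. The names `TokenVault`, `tokenise` and `authorise` are hypothetical, the card number is a constructed test value, and making tokens fail the Luhn checksum is a design choice of this sketch.

```python
import secrets


def luhn_valid(number):
    """True if the digit string passes the Luhn checksum used by payment cards."""
    if not number.isdigit():
        return False
    total = 0
    for position, char in enumerate(reversed(number)):
        digit = int(char)
        if position % 2 == 1:  # double every second digit from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


class TokenVault:
    """Hypothetical token service: the only component that holds card numbers."""

    def __init__(self):
        self.pan_by_token = {}

    def tokenise(self, pan):
        """Issue a random token with the same length as the card number."""
        if not (12 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed card number")
        while True:
            token = "".join(secrets.choice("0123456789") for _ in pan)
            # Design choice of this sketch: a token must fail the Luhn check,
            # so it can never be mistaken for a real card number.
            if not luhn_valid(token) and token not in self.pan_by_token:
                self.pan_by_token[token] = pan
                return token

    def authorise(self, token, amount_paise):
        """Consume a token for one payment; return (approved, next_token)."""
        pan = self.pan_by_token.pop(token, None)  # pop makes the token single-use
        if pan is None:
            raise LookupError("unknown or already used token")
        approved = amount_paise > 0  # stand-in for the issuer's real decision
        return approved, self.tokenise(pan)


def demo():
    """Run one saved-card payment and report what the merchant database holds."""
    vault = TokenVault()
    pan = "4111111111111111"  # constructed sample: a widely used test number
    merchant_db = {"customer-1": vault.tokenise(pan)}  # merchant keeps the token only
    first_token = merchant_db["customer-1"]

    # Paying consumes the stored token; the merchant stores the replacement.
    approved, merchant_db["customer-1"] = vault.authorise(first_token, 49900)

    try:  # replaying a token that has already been used must fail
        vault.authorise(first_token, 49900)
        replay_rejected = False
    except LookupError:
        replay_rejected = True

    return {
        "approved": approved,
        "first_token": first_token,
        "current_token": merchant_db["customer-1"],
        "replay_rejected": replay_rejected,
        "pan_in_merchant_db": pan in merchant_db.values(),
    }


if __name__ == "__main__":
    print(demo())
```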

### Conclusion

This paper has engaged in a deep dive into one regulation-making project at the RBI, and argued that there were critical flaws in this work. The RBI has sought to address concerns of data security in payment systems through a regulatory strategy which assumes that it possesses deep knowledge of products, technology and consumer behaviour. Policy analysis works better under a more humble approach, where it is assumed and understood that firms and their customers understand consumer preferences and technology the best.

Regulators in India wield substantial legislative, executive and judicial powers, and a substantial literature has demonstrated the repeated failures of the work taking place in these organisations. An emerging Indian jurisprudence has started questioning the working of regulators and the checks and balances surrounding the powers of officials in regulatory agencies. These developments require regulators to demonstrate high standards of analysis and evidence before intervening into the working of the economy. This paper shows one example of these difficulties, and serves as an example in envisioning how better legal foundations would generate improved state capacity.

## Friday, May 21, 2021

### India's supply chain vulnerability with Chinese APIs: Industrial policy vs. sophisticated policy design

by Gautam Bambawale, Vijay Kelkar, Raghunath Mashelkar, Ganesh Natarajan, Ajit Ranade, Ajay Shah.

India has a remarkable drugs industry. This involves a high dependence upon Chinese manufacturers of 'active pharmaceutical ingredients' (APIs). Given the willingness of the Chinese state to behave in unusual ways in economic engagement (e.g. rare earths), there is a certain supply chain risk that is faced by Indian firms.

Should state power be used in addressing this problem? And if so, how should this be done? How do we avoid the long decades of failure in industrial policy, i.e. the experiments with policy pathways where a government picks winners, with a government that claims to know the correct ways in which production should be organised? Today we saw a fascinating article: Drugmakers cry ‘monopoly’ as Modi govt picks 1 firm each to make over 20 key raw materials by Himani Chandna in The Print. This narrates the story of a 1960s style Indian industrial policy intervention played out poorly.

Our book Checkmate China: Winning through strategic patience and accelerated economic growth is forthcoming from Rupa Publications later this year. A paper based on this book has been released in the public domain and summarises our strategic thinking for India about the China question. In the book, we have a treatment of the API question. This text is excerpted ahead. It represents our attempt at learning from 75 years of failure with industrial policy. This approach would have likely avoided the difficulties described in Himani Chandna's article.

### Book excerpt: Designing a government intervention to address the supply chain risk faced by Indian firms that import APIs from China

The Indian drugs industry is a heavy user of Active Pharmaceutical Ingredients (APIs) sourced from China. In an environment where we see China as a bad actor in the global economy, where Chinese nationalism can harm counterparties abroad, this presents a risk to the supply chain. It is easy to design Indian economic nationalism which can combat this. However, as with all aspects of industrial policy, such use of state power raises many concerns. It is difficult for a government agency to know whether a certain industry merits subsidies and whether certain firms merit subsidies. There is a long history, in India, of “infant industry” arguments being used for decades, in which some well-connected Indian firms stay infants and continuously collect fiscal subsidies. Similarly, trade barriers in the form of quantity restrictions are prohibited under the WTO and tariffs are harmful and should best be avoided.

Thus, we face a puzzle: How can state intervention be designed, which can make a difference to India’s China problem with the supply of APIs? Given the failures of industrial policy as it was practiced in previous decades, how can this one sharp problem (supply chain risk faced by Indian pharma companies who rely on Chinese producers of APIs) be addressed by state action? How can this state action be done at the minimum fiscal cost, and while imposing the minimum distortions upon the economy? How can the risk of central planning – of officials determining the outcomes of the market-based competitive process – be avoided?

When faced with supply chain risk with a certain API from China, we should not jump to the conclusion that the answer lies in making the API in India. Perhaps the efficient solution is to import the API from a country other than China. Perhaps the efficient solution is to make it in India. Policy makers cannot assume that India has competitive advantage in making the API, when private persons have thus far chosen to not build such factories in India.

The first step in every policy analysis must be a thorough understanding of the behaviour of the private sector assuming there is zero state intervention. When faced with this new supply chain risk, what are Indian drug companies likely to do out of self interest:

1. Customers of these bulk drugs would be conscious about the business risk that they carry. They would watch the rise of nationalism in China with concern.
2. They would increasingly seek to diversify their sourcing. As an example, we are seeing Fortune 500 companies increasingly reduce the share of China in their global production.
3. One important response by the firms will be to buy APIs from countries other than China, e.g. Taiwan or Japan or Brazil. This is a perfectly adequate solution, from the viewpoint of an Indian firm, to the threat of Chinese nationalism. Our problems with Chinese nationalism only imply that we should diversify away from China; this does not justify self-reliance.
4. One element of the process of looking for non-China sourcing is higher demand for firms in India that make APIs, which would kick off a supply response. Ordinarily, this market process will work itself out. But it is a difficult and slow journey. A government program can be designed that addresses this problem, which has a few key features: (a) We do not assume that in the long run India will be a successful producer of APIs, but we consider this possible; (b) The intervention is pre-announced and in a few years, liquidates itself; (c) The intervention imposes zero trade barriers upon imports or exports of APIs or drugs with respect to any country.

This proposed intervention would involve the following steps:

• A government agency would identify the top 50 APIs and the quantities $q = (q_1, q_2, \ldots, q_{50})$ which are being imported from China.
• We establish the objective of domestic production that comes up to half of the imports from China over a five year period. This suggests escalation of quantities as: $0.1q, 0.2q, 0.3q, 0.4q, 0.5q$ over a period of five years.
• We put out a binding commitment on the part of the state that the government will run procurement restricted to domestic producers only, where there will be purchases over the next five years of these quantities. The government will commit to placing orders with 3 lowest-cost firms that produce in India, in each year’s bidding. The requirement from a bidder should be that production is done in India. Foreign or Indian firms should be permissible, subject to a restriction against firms controlled by the Chinese state e.g. bar a firm where any one member of the board of directors is an employee of the Chinese state or the CCP.
• These commitments about a rising scale of GOI procurement will create incentives for Indian/foreign firms, located in India, to build knowledge and physical capacity to produce APIs at a large scale.
• The government agency has only one objective: to trigger off economies of scale and competition by producers in India. Once the goods are purchased by the Indian government agency, what is it to do with them? Indian firms might not like to buy these APIs at the purchase price, as the purchase price may well be higher than the world price of these APIs. Once the goods are purchased, this agency would run a global auction to sell the same goods off, at the highest possible price. Indian drug companies could potentially choose to buy these goods, but these purchases would be at an import-parity-pricing price. As a consequence, through this program, the Indian government would be drop shipping the goods, purchased in the make-in-India auction to buyers who came into the sell-from-India auction.

This scheme constitutes a promise to buy from Indian firms, at rising quantities over five years, at the lowest prices that Indian firms are able to muster (3 firms for each product in each year). At first, the price in India will be high. Under this proposal, GOI will instantly turn around and sell off the goods at the highest possible price through a global tender. The gap between the two prices will be the fiscal subsidy that is being put down, to spark off API production in India.

At the end of five years, the domestic firms would be on their own. If the theory of change is correct – that there is a fixed cost of building knowledge and facilities to make APIs – then this is the minimum intervention that gets the job done. If the theory of change is incorrect – that India is not actually a good platform for making APIs – then in five years, this fiscal outgo would end, and India would not be a producer of APIs.

There are many strengths of this design:

1. Private persons face no new coercion, other than the coercion implicit in mobilising tax resources which are the source of government spending on this program.
2. There is no tariff; there is no interference in international trade. This program is layered on top of a free trade system.
3. It is a simple and transparent intervention. What it requires is the bureaucratic capability in the Indian state to do procurement: to run these auctions, to buy APIs in India, and to sell the same goods globally, doing high volumes of non-complex commodities. Indian officials are not asked to form a judgement about what APIs are important, about whether an API can efficiently be made in India, about the technology through which an API can be made, about whether public money should be used to build factories to make APIs.
4. There is a lack of fudge factors where there can be lobbying and negotiations.
5. No central planner should ever assume s/he knows the way forward. This design respects the possibility that India might actually have no place in API production. In this case, at the end of this program, there will be no API manufacturing in India. The program would have wasted taxpayer resources, but it would not distort the economy.

However, there are four main difficulties of this design:

1. For the desired impact upon incentives of private firms who should commit themselves to investing in building large scale API production, the private sector would have to believe that the deeds of the government will match the words of the government over the coming five years. If private persons feel that the Indian state cannot be trusted to stay the course for five years, then the incentive impact of the government program would not materialise.
2. The private sector has to feel safe engaging with government procurement; it has to believe that the procurement will be done correctly, that payments will be made on time, that there will be no investigations by agencies.
3. If this works, at the end of five years, Indian API vendors will lobby to not shut this down. Every policy designed to support an infant industry ends up with entrenched infants who like to wield state power in their favour.
4. While the objective of the program should be to foster Indian or foreign firms who choose to produce in India, there is the possibility that this could be skewed to favour Indian firms.

## Tuesday, May 18, 2021

### Notice of Republication

This article was republished on 14th May 2021, to correct an error in Table 2 of the original article. The authors apologize for the errors. The article with the corrections can be accessed here.

## Position for Researchers in Public Policy and Regulatory Governance

The National Law School of India University, Bengaluru (NLS) is a premier legal university in India. NLS, with the support of the Omidyar Network India, has set up the Regulatory Governance Project. The project will generate original research aimed at 'restocking the regulatory toolkit' for India. The research will identify the administrative aspects and norms of regulatory authorities and their parent bodies that can be optimised to create autonomous, accountable and effective institutions. A key goal of the project is to assist policymakers and regulators in shaping specific modifications in regulatory frameworks and practices and make them more contemporary, particularly in the context of the proposed Data Protection Authority.

NLS is seeking a candidate for a full-time or part-time position as a Research Fellow (Economist) in this project. The research fellow will participate in shaping the research questions for the project and undertake original research in answering such questions. The role requires working as a team with the other researchers in the project and at NLS. Key deliverables will be to produce original research, working papers and any assistance to regulators, as may be required. Compensation will be based on terms of engagement and experience of the candidate.

### Requirements for the Research Fellow (Economist)

Candidates should have:

• a Master's degree in economics or statistics;
• a minimum of five years’ experience; and
• strong data analytics, research and writing skills.

### How to Apply

Interested candidates please write to research@nls.ac.in with the subject line "Application for Research Fellow (Economist) in the Regulatory Governance Project".

## Monday, May 10, 2021

### Backdoors to Encryption: Analysing an Intermediary's Duty to Provide 'Technical Assistance'

by Rishab Bailey, Vrinda Bhandari, and Faiza Rahman.

The rising use of encryption is often said to be problematic for law enforcement agencies (LEAs) in that it directly impacts their ability to collect data required to prosecute online offences. While certainly not a novel issue, the matter has risen to global prominence over the last four or five years, possibly due to the increased usage of privacy enhancing technologies across the digital ecosystem.

While there have been a number of policy proposals that seek to address this perceived impasse, no globally accepted best practice or standard has been evolved thus far. In India (as in many other jurisdictions), the government has increasingly sought to regulate the use of encryption. For instance, the recently announced Intermediary Guidelines under the Information Technology Act, 2000, seek to extend the "technical assistance" mandate of certain intermediaries to ensure traceability, by enabling identification of the first originator of the information on a computer resource. The scope of the term "technical assistance" has not been clearly defined. However, the provision appears to go well beyond existing mandates in the law that require holders of encryption keys to provide decryption assistance, when called upon to do so, in accordance with due process, and based on their capability of decrypting the encrypted information. Courts have also weighed in on this debate, with the Madras High Court and the Supreme Court hearing petitions that seek to create mechanisms whereby LEAs could gain access to content protected by end-to-end encryption (E2E), thereby enabling access to user conversations on popular platforms such as WhatsApp. A Rajya Sabha Ad-hoc Committee Report released in 2020 has also recommended that LEAs be permitted to break or weaken E2E to trace distributors of illegal child sexual abuse content.

Against this background, our recently released paper examines the scope of the obligations that ought to be imposed on intermediaries to provide "technical assistance" to LEAs, and whether that should extend to weakening standards of encryption, for instance, through the creation of backdoors. Broadly speaking, the term "backdoors" refers to covert methods of circumventing encryption systems, without the consent of the owner or the user. The paper also evaluates, in brief, proposals for alternatives, such as the use of escrow mechanisms and ghost protocols.

We argue that the government should not impose a general mandate for intermediaries to either weaken encryption standards or create backdoors in their products/platforms. This can significantly affect the privacy of individuals and would constitute a disproportionate infringement into the right to privacy. Such a mandate will also likely fail a cost-benefit analysis, not least in view of the possible effects on network security as well as broader considerations such as growth of the Indian market in securities products, geopolitical considerations, etc. This, however, does not mean that the law enforcement agencies have no options when faced with the prospect of having to access encrypted digital data. A first step in this regard would be to implement rights-respecting processes to enable law enforcement to access data collected by intermediaries in a timely manner. In addition, there should be greater focus on enhancing government and law enforcement capacities, including by developing hacking capabilities, with sufficient oversight and due process checks and greater funding to research and development efforts in the cybersecurity and crypto spaces.

This post seeks to throw light on the key issues around the encryption debate, and summarises our main arguments and suggestions on how India should address them.

### Understanding the encryption debate

Encryption is the process of using a mathematical algorithm to render plain, understandable text into unreadable letters and numbers (Gill, 2018). Typically, an encryption key is used to carry out this conversion. Reconverting the encrypted text back to plain-text also requires an encryption key. Depending on the manner of encryption, the same encryption key can be used to encrypt or decrypt information, or alternatively, one may require different encryption and decryption keys. Encryption therefore ensures that the message can only be read by the person who has the appropriate decryption key, particularly as newer forms of encryption make it inefficient, if not impossible, to reverse the encryption process (Gill, 2018).

Encryption essentially improves the security of information. It secures information against unwarranted access and ensures the confidentiality and integrity of data, thereby fostering trust in the digital ecosystem and protecting the private information of citizens and businesses alike.

However, the use of encryption can also enable criminals to "go dark", making it difficult for LEAs to carry out their functions. For instance, it is estimated that upwards of 22 percent of global communication traffic uses end-to-end encryption (Lewis et al., 2017). This puts a quarter of communications virtually out of reach for LEAs, not least as the use of modern encryption systems makes it harder for LEAs to use the traditional "brute force" method to access encrypted data (Haunts, 2019). LEAs therefore have increasingly called for limitations to be placed on the use of encryption so as to enable them to have access to information they require to pursue their law enforcement functions. They point to the need to ensure accountability for online harms, and therefore argue that intermediaries must provide them with all data relevant to an investigation.

The concerns with the use of encryption are driven by a number of factors such as the growing instances of cybercrime, the use of data minimisation practices such as disappearing messages and the use of encryption by default in various technology products. For instance, WhatsApp and Signal automatically encrypt communications in transit and also give users the option of automatically deleting their messages. Similarly, Apple uses encryption-based authentication on its iPhones, which renders the content accessible only if an appropriate passcode is provided; if not, the content on the phone could even be deleted after a certain number of failed attempts (Lewis et al., 2017).

These concerns have led to calls for Internet intermediaries to weaken encryption standards or create backdoors in their products/services. These demands are not new. Notably, the 1990s saw the issue being debated in the United States, with the FBI proposing the use of the "Clipper Chip", a mechanism whereby decryption keys would be copied from the devices of users and sent to a trusted third party, where they could be accessed on appropriate authorisation by LEAs. More recently, the FBI has been involved in face-offs with technology companies such as Apple, when it refused to provide exceptional access to an iPhone linked to a terrorist. In India too, the government has encountered similar issues - notably forcing Blackberry manufacturers to relocate their servers to India and hand over plain text of communications. The government also circulated a draft National Encryption Policy in 2015, which sought to implement obligations involving registration of encryption software vendors, and the need for intermediaries to store plain text of user data. The draft was however withdrawn after much criticism.

In response to such proposals, security researchers, cryptographers and service providers, have been near unanimous in pointing out that the creation of backdoors is likely to lead to significant costs to the entire digital ecosystem, especially as it leads to the entire population being exposed to vulnerabilities and security threats. Indeed, the need for stronger encryption and other security standards to protect user data is only heightened by the numerous and frequent data breaches that have been reported in India. Interestingly, even the Telecom Regulatory Authority of India has adopted a similar position in its Recommendations on Regulatory Framework for OTT Communication Services of 2020.

Even two commonly discussed methods of a "balanced solution" to the problem - the use of escrow mechanisms and ghosting protocols - have faced significant criticism. For instance, the use of escrow mechanisms (which, as with the Clipper Chip system described above, involve storage of the decryption key with a trusted third-party, who can then provide the same to LEAs when called upon to do so) is likely to lead to significant vulnerabilities being created in computer systems. Not only will such a system require faith in the integrity of the entity holding the decryption key, such an entity would constitute a single point of failure, which is poor system design (Kaye, 2015). Deployment of complex key recovery infrastructure is also likely to impose huge costs on the ecosystem (Abelson et al., 1997). Similarly, suggestions for using ghost protocols (which would require service providers to secretly add an extra LEA participant to private communications) have also faced significant criticism (Levy and Robinson, 2018). Given that this system would essentially require service providers to convert a private conversation between two individuals into a group chat, with a hidden third participant, critics have argued that it is just another form of a backdoor. It would erode trust between consumers and service providers, and provide for a "dormant wiretap in every user's pocket" that can be activated at will. This would also require fundamental changes in system architecture, thereby introducing vulnerabilities that can create threats for all users on platforms (Access Now et al., 2019).
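An added example (not taken from the paper or from any messenger's code) of why the escrow and ghost designs described above both come down to one extra key holder: an escrow key opens every conversation that was forced to wrap to it, and a ghost is a recipient in the key list that the user interface never showed. The cipher is a toy standard-library stand-in for real key wrapping, and `send`, `read`, `unexpected_recipients`, `readable_with` and all participant names and keys are assumptions constructed for illustration.

```python
import hashlib, hmac, secrets

# Toy authenticated cipher (SHA-256 keystream + HMAC), standing in for the
# AEAD / public-key wrapping a real messenger would use. Illustration only.
def _sub(key, label):
    return hashlib.sha256(label + key).digest()

def _stream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(_sub(key, b"enc"), nonce, len(data))))
    tag = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _stream(_sub(key, b"enc"), nonce, len(ct))))

def send(plaintext, directory):
    """Encrypt once under a fresh message key, then wrap that key for every
    entry in `directory` ({name: key}), which the service provider supplies."""
    msg_key = secrets.token_bytes(32)
    return {"body": seal(msg_key, plaintext),
            "wrapped": {name: seal(k, msg_key) for name, k in directory.items()}}

def read(envelope, name, key):
    return unseal(unseal(key, envelope["wrapped"][name]), envelope["body"])

def unexpected_recipients(envelope, visible_members):
    """Client-side check: key holders that the user interface never showed."""
    return set(envelope["wrapped"]) - set(visible_members)

def readable_with(envelopes, name, key):
    """How many envelopes a single key holder can open."""
    count = 0
    for env in envelopes:
        try:
            if name in env["wrapped"]:
                read(env, name, key)
                count += 1
        except ValueError:
            pass
    return count

def demo():
    # Constructed participants and random keys; none of this is real data.
    keys = {n: secrets.token_bytes(32)
            for n in ("alice", "bob", "carol", "dave", "escrow", "ghost")}
    pick = lambda *names: {n: keys[n] for n in names}
    # Escrow: two unrelated conversations, each forced to wrap to the escrow agent.
    escrowed = [send(b"alice to bob", pick("bob", "escrow")),
                send(b"carol to dave", pick("dave", "escrow"))]
    # Ghost: the provider's directory silently carries one extra entry.
    ghosted = send(b"alice to bob", pick("bob", "ghost"))
    return {
        "escrow_reads": readable_with(escrowed, "escrow", keys["escrow"]),
        "bob_reads": readable_with(escrowed, "bob", keys["bob"]),
        "ghost_plaintext": read(ghosted, "ghost", keys["ghost"]),
        "flagged": unexpected_recipients(ghosted, ["alice", "bob"]),
    }

if __name__ == "__main__":
    print(demo())
```

The membership check only helps if the client is not itself altered to hide the extra recipient, which is the change in system architecture that the critics cited above object to.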

Thus, while the use of such methods can enable LEAs to access user data more quickly than is currently possible, there are numerous concerns - from a civil liberties, economic and technical perspective. We outline the key concerns in this regard below.

### Concerns with mandating backdoors

• Privacy: In view of the recognition of privacy as a fundamental right, private thoughts and communications are protected from government intrusion subject to satisfaction of tests of necessity and proportionality. Mass surveillance can be considered to be per se disproportionate. It is recognised that government surveillance can lead to unwanted behavioural changes, and create a chilling effect. Encryption therefore serves as a method to protect individual privacy, particularly from government excesses.
• Security: Creating backdoors can weaken network security as a whole since it can be exploited by governments and hackers alike (Abelson et al., 2015). Backdoors can also lead to increased complexity in systems, which can make them more vulnerable to attack (Abelson et al., 2015).
• Right against self-incrimination: Mandating decryption of data can arguably also be seen as violating an individual's right against self-incrimination (Gripman, 1999; ACLU and EFF, 2015).
• Due process requirements: Criminal investigation in general and surveillance in particular is not meant to be a frictionless process. Introducing inefficiencies in the functioning of LEAs is what separates a police state from a democracy (Richards, 2013; Hartzog and Selinger, 2013). As is the case of due process requirements, encryption creates procedural hurdles, ensuring some checks and balances over the functioning of LEAs and the possibility of mass surveillance. It therefore helps re-balance the asymmetric power distribution between the State and citizen.

### Scope of "technical assistance": Should it extend to creating backdoors?

Given the aforementioned concerns, the question arises, should the duty of "technical assistance" that intermediaries are required to provide to LEAs, extend to the creation of backdoors or otherwise weakening encryption systems?

We argue that as far as recoverable encryption is concerned, i.e. encryption where a service provider already has a decryption key in the normal course of service provision, there is no requirement for such a mandate. Indian law already requires service providers to decrypt data in such cases, in addition to providing various other forms of assistance. Here, the need is to focus on implementing proper oversight and other procedural frameworks to ensure that LEAs exercise their powers of surveillance or decryption in an appropriate manner. We find however, that the Indian framework is lacking in this regard. There is no judicial oversight of decryption requests, no proportionality requirements in the law, and no meaningful checks and balances over decryption processes at all. We therefore proposed various changes in order to improve the transparency and accountability of the system. Further, research indicates that the primary problem of LEAs in India may relate to the relatively old and slow processes that must be used by LEAs when accessing data held by intermediaries, particularly those based outside India. This points more to the need for LEA data access processes to be revised/streamlined in accordance with modern needs.

As far as unrecoverable encryption is concerned, i.e. encryption where even the service provider cannot access the content (such as with E2E) as it does not have access to the decryption key, which is retained by the user, the situation is undoubtedly more complex. However, even in such instances, for the reasons elaborated above, we believe that mandating backdoors or weakening encryption is not an appropriate solution.

Moreover, LEAs already have multiple alternatives to collect information, including by accessing metadata and unencrypted backups of encrypted communications. They can also use targeted surveillance methods to conduct investigations (National Academy of Science, Engineering and Medicine, 2018). Indeed, the current Indian framework - governing telecom service providers in particular, but also other intermediaries - already gives significant and arguably excessive powers to the State. It should also be noted that LEAs in India are already using spying technology, as we saw in the Pegasus case. LEAs also have other covert methods of gathering data - from key-stroke logging programmes to exploiting weaknesses in implementation of encryption systems. While one cannot argue against the use of such systems in appropriate cases, it is clear that such powers must only be exercised through institutionalised processes, and importantly, subject to appropriate regulatory oversight. There is therefore a case for formulating a legal framework in India, along the lines of the US vulnerabilities equities process, to ensure due process even when the government resorts to exploitation of vulnerabilities within information systems for national security and law enforcement purposes.

Accordingly, we point to the need to carry out a more detailed cost-benefit analysis before deciding on the need to implement such a mandate (which unfortunately, has not been done in the case of the recent Intermediary Guidelines Rules). We point to how such a cost-benefit analysis should consider:

• Whether the use of unrecoverable encryption is indeed a significant hurdle for LEAs in collecting relevant information. While no data is available in this context in India, data from the US in the period 2012-2015 indicates that of the 14,500 wiretaps ordered under the Communications Assistance for Law Enforcement Act, only about 0.2 percent of wiretaps encountered unrecoverable encryption (Lewis et al., 2017). While this share has likely increased in view of the greater use of unrecoverable encryption in the ecosystem, a similar empirical analysis must be conducted in India to understand the impact of such types of encryption.
• The costs to intermediaries of changing their platform architecture are unlikely to be insignificant. It is also worth keeping in mind that often intermediaries will avoid using certain types of encryption purely to keep in the good books of LEAs in a form of "weakness by design". Notably, companies such as Apple and WhatsApp have dropped plans to encrypt user back-ups stored in the cloud. Such data can therefore be accessed by LEAs without compromising encryption.
• The risk of such laws getting caught up in global geopolitics. This has been the case for example, with Huawei and ZTE, who have faced significant international pressure in view of the Chinese government's purported ability to access data flowing through their networks.
• The possible effectiveness of such laws, considering that many criminals may use open source encryption or encryption from platforms that are not amenable to Indian jurisdiction. Further, the pace of technical development is difficult to keep up with from a regulatory perspective. Notably, institutions such as Europol and Interpol are increasingly concerned about the use of steganography (the technique of hiding the very existence of a message) and open source encryption by international criminals and terrorist groups. Therefore, even if there is a bar on using strong encryption, those who want to break this law, will continue to do so.

We therefore argue that while a mandate for targeted decryption or technical assistance may be constitutional if backed by a law with sufficient safeguards, a general mandate for the creation of backdoors (or an interpretation of the Intermediary Guidelines requirement to provide "technical assistance" to extend to such generic obligations) is unlikely to pass constitutional muster, assuming a high intensity of proportionality review is applied. A higher intensity of review will have to look at not just whether the proposed intervention would substantially improve national security, but would also need to engage with (a) the fact that it would compromise the privacy and security of individuals at all times, regardless of whether there is any evidence of illegal activity on their part, and (b) the existence of alternative means that are available to LEAs to carry out their investigations. Thus, we believe that a general mandate for creating backdoors will not be the least restrictive measure available.

### Conclusions and Recommendations

We argue that a general mandate that requires Internet intermediaries to break encryption, use poor quality encryption, or create backdoors in encryption is not a proportionate policy response given the significant privacy and security concerns, and the relatively less harmful alternatives available to LEAs. Instead, the Indian government should support the development and use of strong encryption systems.

Rather than limiting the use of certain technologies, or mandating significant changes in platform/network architecture of intermediaries that compromises encryption, the government ought to take a more rights-preserving and long-term view of the issue. This will enable a more holistic consideration of interests involved, avoid unintended consequences, and limit costs that come with excessive government interference in the technology space. The focus of the government must be on achieving optimal policy results, while reducing costs to the ecosystem as a whole (including privacy and security costs). A substantive mandate to limit the use of strong encryption would increase costs for the entire ecosystem, without commensurate benefits as far as state security is concerned.

The tussle between LEAs and criminal actors has always been an arms race. Rather than adopting steps that may have significant negative effects on the digital ecosystem, the government could learn from the policies adopted by countries such as Germany, Israel and the USA. This would involve interventions along two axes - legal changes and measures to enhance state capacity.

Legal changes that the government must consider implementing, include:

• Reforming surveillance and decryption processes, to clarify the powers of LEAs, and ensure appropriate transparency, oversight and review. It is also essential to standardise and improve current methods of information access by LEAs at both domestic and international levels. There must be greater transparency in the entire surveillance and information access apparatus, including by casting obligations on intermediaries and the State to make relevant disclosures to the public.
• Adoption of a Vulnerabilities Equities Process, such as that adopted in the United States, which could enable reasoned decisions to be made by the government about the disclosure of software/network vulnerabilities (thereby allowing these to be patched, in circumstances where this would not significantly affect security interests of the State). Such a process, while not without critics, does chart a path forward and must become central to the Indian conversation around due process in LEA access to personal data.
• Amending telecom licenses, which currently give excessive leeway for exercise of executive authority, without sufficient checks or safeguards.

Rather than implement ill-thought out policy solutions that would significantly harm the digital ecosystem and user rights, the government could also focus on enhancing its own capacities. This can include measures such as:

• Developing and enhancing covert hacking capacities (though these must be implemented only subject to appropriate oversight and review processes). To this end, there must be appropriate funding of LEAs, including by hiring security and technical researchers.
• Investing in academic and industry research into cryptography and allied areas. The government should also aid the development of domestic entities who can participate in the global market for data security related products. Enhancing coordination between industry, academia and the State is essential.
• Increasing participation in international standard setting and technical development processes.

To conclude, the crux of this issue can be understood using an analogy. Would it be prudent for a government, engaged in a fight against black money, to require all banks to deposit a key to their customers' safe deposit boxes with it? One would venture that this would be an unworkable proposition in a democracy. It would lead to people looking for alternatives to the use of safe-deposit boxes due to the lack of trust such a system will create. Innocent people will be exposed to increased risks. A preferable solution may be for the government to develop the ability to break into a specific safe deposit box, upon learning of its illegal contents, and subsequent to following due process. This would enable more targeted interventions that would also preserve the broader privacy interests of innocent customers while protecting banks from increased costs (or loss of business).

### References

Gill, 2018: L Gill, Law, Metaphor and the Encrypted Machine, Osgoode Hall L.J. 55(2) 2018, 440-477.

Lewis et al., 2017: James Lewis, Denise Zheng and William Carter, The Effect of Encryption on Lawful Access to Communications and Data, Center for Strategic and International Studies, February 2017.

Haunts, 2019: Stephen Haunts, Applied Cryptography in .Net and Azure Key Vault: A Practical Guide to Encryption in .Net and .Net Core, APress, February 2019.

Kaye, 2015: David Kaye, Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, United Nations, Human Rights Council, May 2015.

Abelson et al., 1997: Hal Abelson, Ross Anderson, Steven Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Peter Neumann, Ronald Rivest, Jeffrey Schiller, and Bruce Schneier, The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption, May 27, 1997.

Levy and Robinson, 2018: Ian Levy and Crispin Robinson, Principles for a More Informed Exceptional Access Debate, LawFare Blog, November 29, 2018.

Cardozo, 2019: Nate Cardozo, Give Up the Ghost: A Backdoor by Another Name, Electronic Frontier Foundation, January 7, 2019.

Access Now et al., 2019: Access Now, Big Brother Watch, Center for Democracy and Technology, et al., Open Letter to GCHQ, May 22, 2019.

Gripman, 1999: David Gripman, Electronic Document Certification: A Primer on the Technology Behind Digital Signatures, 17 J. Marshall J. Computer and Info. L. 769 (1999).

ACLU and EFF, 2015: American Civil Liberties Foundation of Massachusetts, the American Civil Liberties Union Foundation, and Electronic Frontier Foundation, Brief for Amici Curiae in Support of the Defendant-Appellee in Commonwealth of Massachusetts v. Leon Gelfgatt, 2015.

Richards, 2013: Neil Richards, Don't Let US Government Read Your E-Mail, CNN, August 18, 2013.

Hartzog and Selinger, 2013: Woodrow Hartzog and Evan Selinger, Surveillance as Loss of Obscurity, Washington and Lee L.R. 72(3), 2015.

National Academy of Science, Engineering and Medicine, 2018: National Academy of Science, Engineering and Medicine, Decrypting the Encryption Debate: A Framework for Decision Makers, National Academies Press, Washington DC.

Rishab Bailey is a researcher at NIPFP. Vrinda Bhandari is a practising advocate. Faiza Rahman is a PhD candidate at the University of Melbourne.