
Decryption

Yarovaya Law

Russia’s Yarovaya Law, passed in 2016 as anti-terrorism legislation, imposes extensive surveillance requirements. Communications providers must retain the content of all communications (voice, text, images, video) for 6 months and metadata for 3 years. When requested, providers must assist the FSB with decrypting communications. Messaging services using encryption must provide the government with decryption keys or face blocking. Several services including LinkedIn and Telegram have been blocked for non-compliance (Telegram was later unblocked after cooperation). The storage requirements are massive, requiring providers to build significant infrastructure. Combined with SORM and data localization requirements, the Yarovaya Law ensures Russian authorities have comprehensive access to communications occurring within Russia.

TOLA Act

Australia’s Assistance and Access Act 2018 is among the most far-reaching pieces of encryption legislation in democratic countries. It allows authorities to issue: Technical Assistance Requests (TARs) asking for voluntary help; Technical Assistance Notices (TANs) compelling specific assistance within existing capabilities; and Technical Capability Notices (TCNs) requiring companies to build new capabilities. Critically, TCNs can require companies to create technical means for accessing encrypted communications. While the law technically prohibits requiring ‘systemic weaknesses’ in encryption, the definition is ambiguous, and secrecy provisions prevent companies from publicly discussing what they have been compelled to do. This creates uncertainty about whether Australian-linked technology products contain mandated vulnerabilities. The law applies to Australian companies and to foreign companies with an Australian nexus, raising concerns for any software or service developed or operated from Australia.

IT Act

India’s Information Technology Act 2000 (amended 2008) provides the legal framework for government access to digital information. Section 69 empowers the central or state government to direct interception, monitoring, or decryption of any information in a computer resource for sovereignty, security, friendly relations with foreign states, public order, or investigating offenses. Section 69A enables blocking access to information. Section 79 establishes intermediary liability and safe harbors. The IT Rules 2021 imposed significant requirements on social media intermediaries including content takedown, user traceability (requiring messaging services to identify message originators), and compliance officer appointments. Combined with the new DPDP Act, India has both data protection and broad government access powers. The lack of independent judicial oversight for interception orders raises civil liberties concerns.