Author: Pallavi Anant Indulkar, New Law College, University of Mumbai

The rapid evolution and adoption of the latest encryption technology have significantly impacted the digital environment by improving the privacy and security of individual information. The encryption technology plays a significant role in safeguarding the private information of individuals, as well as protecting trade secrets. On the other hand, the same technology has emerged as a significant challenge for law enforcement agencies in accessing digital evidence in cases of intellectual property infringement. This paper will examine the issue of imbalance between the encryption policies and the current procedures for enforcing intellectual property rights, with a focus on the growing problem of accessing digital evidence for law enforcement agencies without violating individual constitutional rights.

Using a methodology of doctrinal and comparative research, this paper critically analyses the legal regimes and judicial approaches in different countries, including the United States of America, the European Union, and India. It analyses how the judiciary and legislatures have addressed the conflicts arising from encrypted communication services, cloud storage services, and digital devices in the context of lawful access. This paper argues that the current legal regime is still ad hoc and inadequate to achieve a balance between the competing interests of privacy, innovation, cybersecurity, and effective IP protection. Finally, it concludes by proposing policy recommendations using the principles of procedural justice, proportionality, judicial review, and international cooperation to address the evidentiary challenges posed by encryption while remaining within the bounds of constitutional and human rights laws.

KEYWORDS 

Encryption, Intellectual Property Enforcement, Digital Evidence, Privacy, Law Enforcement, Regulatory Gap

Digital technologies have become an integral part of the modern economy and society, and intellectual property is the foundation of innovation-driven economies. With the increasing trend of commercial, communication, and creative activities moving to digital platforms, the enforcement of intellectual property rights is largely dependent on access to electronic data and digital evidence. At the same time, the use of strong encryption, especially end-to-end encryption, has changed the landscape of digital services due to the growing threat of cybersecurity attacks and surveillance.

Although encryption increases user trust and protects sensitive data, it also poses significant difficulties to law enforcement agencies in their investigation of IP-related crimes like online copyright infringement, theft of trade secrets, and counterfeiting carried out using digital technology. Law enforcers may come across encrypted devices, secure messaging applications, or cloud storage that are technically incapable of granting access to data, even when faced with a legal request. This has further fuelled the debate over the so-called “going dark” problem, where the effectiveness of legal investigative powers is compromised by technology.

The conflict between encryption policies and IP enforcement has become particularly visible in recent years through high-profile litigation and policy debates. Courts and regulators worldwide have struggled to determine whether compelling service providers or individuals to assist in decryption violates constitutional protections such as the right to privacy, freedom of expression, and the privilege against self-incrimination. These tensions are further complicated by international human rights obligations and data protection regimes, which impose strict limitations on state interference with private communications.

This paper will examine the regulatory gap that exists at the intersection of encryption policies and IP enforcement. The research question is: Can the current legal frameworks be said to strike a balance between the need for effective access to digital evidence and the protection of fundamental rights? The objectives of this paper are threefold: first, to examine the current legal frameworks on encryption and lawful access; second, to examine the current case law on IP enforcement; and third, to make recommendations on how the regulatory gap can be filled. This paper will proceed to examine the literature review, methodology, analysis, policy discussion, and conclusions.

The literature on encryption and law enforcement has been primarily concerned with criminal justice and national security issues, and relatively little attention has been devoted to intellectual property enforcement. Researchers such as Orin S. Kerr have explored the conflict between the traditional legal framework for searches and seizures and the reality of digital evidence. Kerr has argued that encryption fundamentally changes the investigative landscape. Others have noted that encryption is a critical component of cybersecurity.¹³

From an IP perspective, it is submitted that the following are important points raised by scholars: Anonymisation and encrypted communication are increasingly being used by online infringement, making it difficult to identify the perpetrators and obtain admissible evidence. Copyright scholars have argued that peer-to-peer networks and encrypted streaming platforms make it difficult to rely on notice-and-takedown provisions. The trade secret literature also identifies encrypted exfiltration of trade secrets as a challenge.

Cases also reflect that there are various methods. In the United States, there have been debates about whether forced decryption is in violation of constitutional rights, particularly with regard to the Fifth Amendment. The European model, which is driven by the European Convention on Human Rights and the General Data Protection Regulation (GDPR), is more concerned with the principles of proportionality and necessity. In India, the courts have gradually recognized the right to privacy while also expanding surveillance powers.

Reports on regulations and policies confirm that the current lawful access is insufficient in the presence of robust encryption. Nevertheless, opponents contend that exceptional access or backdoors carry unacceptable risks to cybersecurity and the protection of rights. The literature, therefore, indicates a conflict between the effectiveness of enforcement and the protection of rights. It is pertinent to note that the lacuna in the integration of these debates, specifically within the context of IP enforcement, still exists. This paper aims to fill this gap by contextualizing debates on encryption policies within the broader context of IP law.

The methodology of this research is doctrinal and comparative. The primary sources of this research are statutes, court decisions, constitutional provisions, and international treaties that relate to encryption, digital evidence, privacy, and IP enforcement. The secondary sources of this research are academic articles, policy documents, and regulations that relate to lawful access and technological change.

The methodology of this research is comparative in nature. This is because this research will analyse how different countries, such as the United States, the European Union, and India, address issues related to encryption in digital evidence. The case selection of this research is based on relevance to digital evidence and IP enforcement. This methodology is appropriate because it enables the researcher to analyse legal rules systematically and apply them, and also enables normative evaluation and reform.

Encryption technologies are used to render information unreadable unless it is accessed by authorized parties using the corresponding cryptographic keys. End-to-end encryption also prevents service providers from accessing the content of communications. In terms of legal frameworks, encryption is inextricably connected to the right to privacy, data protection, and freedom of expression.

In most countries, there are some exceptions to the right to privacy and data protection that require lawful access to encrypted information for investigative purposes, but judicial oversight is required. The lack of harmonized standards is a source of uncertainty. While some countries require data retention or technical assistance, others ban mandates that undermine encryption. This is particularly problematic in cross-border IP investigations involving global service providers.

The enforcement of IP rights in the digital environment is highly dependent on digital evidence in the form of server logs, user information, and digital files. Encryption limits the availability of content-based evidence, creating doubts about the sufficiency and admissibility of evidence. Rights owners depend on third parties to obtain information, but encrypted architecture limits the availability of information.

Civil enforcement through injunctions and compensation may be made impossible by the use of encrypted systems by infringers. Criminal enforcement is also hampered, especially when evidence of intention and the extent of infringement is needed. This creates a large enforcement gap.

A review of the judicial treatment of encrypted digital evidence shows the extent of the regulatory gap between encryption policy and enforcement practice. In Apple Inc. v. FBI, U.S. authorities sought to compel decryption, intermediary liability, and the constitutional boundaries of lawful access, even in cases where the dispute does not involve intellectual property litigation per se. However, the precedents established in these cases have important implications for IP enforcement.

In the United States, the judicial treatment of encryption has been primarily focused on constitutional issues, specifically the privilege against self-incrimination under the Fifth Amendment and the reasonableness requirement of the Fourth Amendment. Courts have struggled with the question of whether it is constitutional to compel a person to reveal a password or decrypt a computer. Although some courts have made a distinction between biometric access and password knowledge, the general relevance to IP enforcement is clear: when infringing content or evidence of commercial-scale infringement is stored on encrypted devices or in encrypted accounts, constitutional obstacles may preclude effective access.

The European courts have dealt with disputes involving encryption using the prism of human rights law, specifically the European Convention on Human Rights and the General Data Protection Regulation. The courts have focused on necessity, proportionality, and the existence of sufficient guarantees against abuse. The measures for surveillance and access should be limited in scope, in time, and subject to independent review. Although this rights-focused approach offers high privacy protection, there are also concerns about the adequacy of existing enforcement mechanisms to deal with complex, encrypted IP infringement networks operating in multiple jurisdictions.

In the Indian judicial system, there has been a marked shift after the establishment of the right to privacy as a fundamental right. The courts have accepted the validity of state interests in investigation and enforcement but also demanded procedural rationality and proportionality. In IP infringement investigations, this has played out as a challenge in obtaining encrypted communications or data to prove infringement, especially when there is no clear statutory provision to compel assistance or decryption. The absence of specific jurisprudence on encryption in IP infringement investigations also underscores the regulatory gap.

The nature of intellectual property infringement in the digital age is, by definition, cross-border, with a high likelihood of the infringing party, server, and/or platform being based in different countries. Encryption further clouds the issue by introducing a technological element that is often beyond the reach of traditional cross-border cooperation tools. Law enforcement and rights holders are left to contend with the conflicting legal obligations placed on service providers by different countries, especially when data protection and privacy laws differ.

Mutual Legal Assistance Treaties are currently the only official tool available for facilitating cross-border access to digital evidence. Unfortunately, these treaties have been widely condemned as being too slow, too bureaucratic, and simply not equipped to handle the speed and fluidity of digital information. Encrypted communication and cloud storage only add to this problem, as service providers may not have the technological capability to honor requests even if they are legally bound to do so. This means that important evidence can be lost, delayed, or made inaccessible, making it impossible to effectively enforce IP rights.

However, recent legislative efforts to make cross-border data access easier have been controversial because they could conflict with data protection laws. The conflict between unilateral data access systems and regional data protection laws shows that there are no harmonized international standards for encrypted digital evidence. This lack of harmonization poses a problem for IP protection, as it provides an opportunity for violators to engage in jurisdictional arbitrage by operating in regions with robust encryption laws and poor enforcement cooperation.

In order to solve these problems, there is an increasing need for multilateral approaches that can strike a balance between enforcement efficiency and rights protection. International treaties that set up common standards for lawful access and cooperation between states and private entities could fill the existing gap. If not, cross-border IP enforcement will continue to fall behind technological progress, and encrypted infringement will continue to thrive.

Moving beyond the doctrinal and comparative aspects of the conflict between encryption and IP enforcement, it is important to frame this conflict within a more general theoretical and rights-based framework. At the heart of this conflict is the need to reconcile the clash of two fundamental rights: the right to privacy and data protection, and the right to property protection and access to justice.

The principle of proportionality is a useful lens through which to analyze lawful access policies. Under this approach, any restriction on encrypted communications must have a legitimate purpose, be necessary to achieve that purpose, be the least restrictive alternative, and ensure a fair balance between competing interests. When applied to IP enforcement, proportionality ensures that access to encrypted information is restricted to serious and large-scale infringement and is strictly judicially authorized.

In procedural justice, the need for transparency, accountability, and due process in enforcement actions related to encryption is further supported. The rights holders and investigators must work within established legal parameters, and the affected individuals should have available avenues for redress. The integration of procedural justice into the enforcement structures may help to improve legitimacy and public acceptance, thereby reducing opposition to lawful access.

Lastly, a rights-centric approach acknowledges that intellectual property has constitutional and human rights protection in many countries. The enforcement of rights is not simply an economic issue but also a matter of enforcing legal rights. A balanced regulatory environment must take into account the protection of encryption and privacy rights.

IP infringement often goes beyond national boundaries, and this requires international collaboration. Encryption further complicates jurisdictional disputes, as service providers are faced with conflicting legal obligations. The existing mutual legal assistance framework has been criticized for being inefficient and not suited to the realities of encrypted cloud data.

The analysis above shows that there is a regulatory gap between encryption policies and the need for IP enforcement. Although encryption is a critical component of cybersecurity, its indiscriminate use can create a challenge for legal recourse in IP infringement cases. The regulatory challenge is to develop lawful access policies that maintain cybersecurity and human rights while facilitating the enforcement of IP rights.

Some of the proposed solutions to the regulatory gap include developing legal standards for compelled cooperation, judicial review, and international cooperation agreements for encrypted digital evidence. The proposed solutions must be guided by the principles of legality, necessity, and proportionality to prevent systemic weaknesses and human rights violations.

This paper has examined the complex interplay between encryption policies and IP enforcement and indicated the regulatory gap that hinders the availability of digital evidence. The current legal framework is still patchy and lacks the ability to effectively balance the competing interests of privacy, security, and enforcement. The regulatory gap can only be filled by reforms that are well-thought-out and friendly to rights in order to balance the need for effective encryption and the need for IP enforcement.

In order to progress towards a more harmonious regulatory environment, it is essential that legislatures and courts understand that the enforcement of IP and encryption are not necessarily competing priorities. One area where a positive change can be brought about is through the creation of narrowly focused lawful access solutions that are technology agnostic and strictly proceduralized. These solutions should specify the conditions under which access to encrypted information is permissible, the authorities with the power to authorize such access, and the remedies that exist in the event of an abuse of process.

Another area where a positive change can be brought about is through the involvement of intermediaries. Technology firms and service providers are at the heart of the online environment and are best placed to help with IP enforcement in a manner that does not compromise encryption.

However, international cooperation must also be strengthened. In view of the transnational character of IP crimes and data storage, there is a need for standardized approaches to cross-border access to digital evidence. This can be achieved through the updating of mutual legal assistance treaties, the conclusion of fast-track data access agreements, and the promotion of international dialogue among states, industry, and civil society organizations to help close the current enforcement gap.

Finally, it is important that the judiciary continues to stay abreast of the technical realities of encryption to ensure that the law keeps pace with technological innovation. The judiciary can play a critical role in this regard through principled judicial interpretation and rights-based reasoning in shaping a balanced and future-proof approach to encryption and intellectual property enforcement.

1. Orin S. Kerr, The Fifth Amendment and Encrypted Devices, 134 Harvard Law Review (2019).

2. Orin S. Kerr, Executing Warrants for Digital Evidence: The Case for Use Restrictions on Nonresponsive Data, 48 Texas Tech Law Review (2015).

3. Pamela Samuelson, Encryption and the Balance between Privacy and Law Enforcement, Journal of Law & Technology.

4. General Data Protection Regulation (GDPR), Regulation (EU) 2016/679.

5. Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS), WTO.

6. Apple Inc. v. FBI (2016) – Encryption and compelled assistance debate.

7. Justice K.S. Puttaswamy v Union of India (2017) 10 SCC 1.

8. Information Technology Act, 2000 (India), ss. 69 & 69A.

9. Indian Copyright Act, 1957.

10. Personal Data Protection Bill / Digital Personal Data Protection Act (India).

11. Law Commission of India, Report on Privacy and Data Protection.

12. OECD, Encryption Policies and Lawful Access.

13. WIPO, Intellectual Property Enforcement in the Digital Environment.

14. OECD, Trade Secrets and Cybersecurity.