Indian draft rules on encryption could compromise privacy, security
“All information shall be stored by the concerned B / C entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country”. The document might as well have said the messages shouldn’t be encrypted at all. The proposed encryption policy is already under fire from online activists and internet experts, who claim that it provides backdoor access for the government, which can potentially be exploited by hackers and spies. The draft document is open for public comment until October 16. Here are some implications for citizens and companies if the policy is implemented in its current form…
If the government has its way, internet users will have to store all their messages sent through encrypted messaging services such as WhatsApp and iMessage for at least 90 days.
The encryption policy was released with a vision to “enable information security environment and secure transactions in Cyber Space for individuals, businesses, Government including nationally critical information systems and networks”.
For instance, one part reads, “user shall reproduce the same Plain text and encrypted text pairs using the software/hardware used to produce the encrypted text from the given plain text”.
Once finalised, rules for encryption of electronic information and communication will be introduced under the policy. Another thing that weakens security considerably is the requirement for businesses and citizens to keep the information (that was encrypted and sent over) for 90 days, in case law enforcement agencies demand it. But that also means that for those 90 days, cyber criminals, too, can access it, experts point out. Moreover, service providers offering encryption will have to register with the Indian government. “What the government ought to be doing is setting minimum standards for encryption for governmental use”. “In fact, the policy will be counterproductive and will only discourage people from using encryption”, he said, adding that the draft was also in contrast to the objectives of the IT Act under which it has been framed.
The preamble of the draft says “the cryptographic policy for domestic use supports the broad use of cryptography” in ways that facilitate privacy and global economic competitiveness. “Does the federal government have the capability to enter into these many agreements?” asks Prakash.
The proposal from a department of the IT Ministry states this: “Service Providers located within and outside India, using encryption technology for providing any type of services in India must enter into an agreement with the Government for providing such services in India”. “Users in India are allowed to make use of exclusively the merchandise registered in India”, says the draft policy document, available on the DeitY website.
It will be far easier for the government as well as consumers if the former sticks to defining standards and does not insist on participating in their specific implementation by the latter. The policy itself could also benefit from a standalone privacy law that provides the safeguards that protect user rights downstream, instead of defining them from one application to another.
Cyberlaw expert Pawan Duggal says the policy is not only draconian, but also misplaced.