Online outcry forces government to withdraw draft encryption policy
The article by Naina Khedekar discussing encryption policy was published in First Post on September 23, 2015. Pranesh Prakash has been quoted.
Yesterday, the government released a draft encryption policy aimed at keeping tabs on the use of technology by specifying the algorithms and length of encryption keys used by ‘all’. It wanted businesses, telcos and Internet companies to store all encrypted data for 90 days in plain text, to be presented to law enforcement agencies whenever asked for. Moreover, failing to do so would mean legal action as per the laws of the country.
After a huge outcry, most of us woke up this morning to a newly proposed addendum in which the government clarified that products such as social media sites including WhatsApp, Facebook and Twitter; payment gateways; e-commerce and password-based transactions and more are exempt from the draft policy.
Finally, the government has decided to withdraw the draft encryption policy.
I have written for that draft to be withdrawn, made changes to and then re-released: RS Prasad : ANI pic.twitter.com/W2IP4meEGb
— Firstpost (@firstpost) September 22, 2015
Some sort of encryption policy is there all over the world: Ravishankar Prasad pic.twitter.com/cDvsOWtjcM
— Firstpost (@firstpost) September 22, 2015
What’s fascinating is how the whole process felt like déjà vu. Haven’t we seen the drama unfold before? While the dust on the net neutrality saga has barely settled, we’re already facing newer issues related to encryption and privacy. We never learn from our mistakes, do we? A new draft policy, public outcry, and then come the much-needed changes.
The Indian government hasn’t just caused anxiety and chaos among netizens; the initial draft also completely misguided people. According to TheNextWeb, “The Indian government has made a fool of itself and caused anxiety among citizens with a woefully misguided proposal for a national encryption policy that it’s just released to the public for feedback.”
While we sit back and talk about Digital India, smarter cities and so on, the makers of the law seem to be clueless about some major by-products of these initiatives, such as security, privacy and the like. Each time the government talks about a new initiative meant to bring in some law and order pertaining to digital rights, it somehow manages to come up with implications that could affect us far worse.
In this case, the Indian government is trying to ensure that its law enforcement agencies have easy access to encrypted information whenever required, but this could easily compromise security and privacy in the process.
Moreover, each time the government releases a proposal for our digital lives, it’s people who remind the government about the adverse implications it could have. Does the expert panel writing these reports know nothing about privacy and how it possibly works? Or is the government simply floating a trial-balloon policy to gauge people’s reactions? So, next time we don’t react, a draconian rule might just be governing our digital lives.
The whole net neutrality saga continued for months, with assurances from the government that it supports a free and equal Internet, and the government eventually made ‘certain changes’. This seems headed down a similar path. Though the new addendum comes with changes, it still leaves us as muddled as before.
Pranesh Prakash of the CIS has tweeted out how the new clarification clarifies nothing.
This clarification by the govt does not clarify anything, but further muddles the encryption policy. pic.twitter.com/1KK8AFRp6Q
— Pranesh Prakash (@pranesh_prakash) September 22, 2015
All OSes will be illegal in India (IV.6 + V.3 of draft encryption policy) unless Microsoft, Apple, Red Hat, etc, sign agreement w/ govt.
— Pranesh Prakash (@pranesh_prakash) September 21, 2015
If India enacts that National Encryption Policy, their global back-end and support business will be drastically reduced. If it survives.
— Lin S (@Just_this_time) September 21, 2015
A new Medianama report also points out loopholes in the changes announced. The report adds that any encrypted service would have to sign an agreement with the government. With the heavy mobile penetration and increasing number of encrypted mobile services that people use, is it really feasible for the government to ink an agreement with all the services that are based outside the country?
Problems with the update to India's draft anti-privacy policy http://t.co/gKus1o3uaC pic.twitter.com/adqVJTedFI
— Nikhil Pahwa (@nixxin) September 22, 2015
In the past, we’ve seen the blame game around the laws, usually the ‘hurriedly’ changed laws passed (after the inability to monitor encrypted messages during the Mumbai terrorist attacks) in the winter session of 2008 without any debate or discussion by bears the brunt. Earlier this year, we saw the government crack down on Section 66A of the 2008 Information Technology Act, describing it as “unconstitutional” and saying it “hit at the root of liberty and freedom of expression, the two cardinal pillars of democracy.”
Why can’t all the thinking be done before drafts are penned down for public review? A well-thought-out report would help avoid retractions later.