Government invites comments on Draft National Encryption Policy, attracts controversy
The Department of Electronics & Information Technology (DeitY) has posted a Draft National Encryption Policy on its website inviting comments from the public. The purpose of the policy is to frame rules under Section 84A of the Information Technology Act, 2000, regarding use of encryption methods.
You can access the full text of the Draft National Encryption Policy on the DeitY website. The blog post by Soumyadip Choudhury was published by IBN Live on September 20, 2015. Pranesh Prakash was quoted.
However, it is interesting to note that, apart from the document itself, there are no other easily accessible mentions of the draft policy on the DeitY website or other related government websites.
The vision of the draft policy is "to enable information security environment and secure transactions in cyber space for individuals, businesses, government including nationally critical information systems and networks." And the mission is "to provide confidentiality of information in cyber space for individuals, protection of sensitive or proprietary information for individuals and businesses, ensuring continuing reliability and integrity of nationally critical information systems and networks."
While the premise of the draft policy appears to be widely acceptable, it is in the details that discontent lurks.
Pranesh Prakash, policy director at the Centre for Internet and Society calls the policy "monumentally misguided."
In addition to government agencies, public sector undertakings, academic institutions and businesses, the draft policy also brings common citizens under its purview.
"Government must take note that the knowledge and expertise of common citizens may be inadequate to understand the nuances of encryption," says cyber law expert Na Vijayashankar. "Though the citizens will be indirectly impacted by the policy as implemented by the government or business users, citizens cannot at this point of time assume the responsibility for direct compliance of this policy since their ignorance would be exploited by intermediaries for business gain."
According to the draft policy, the government would require users and companies to store plain text and encrypted text pairs for at least 90 days and make them available to law enforcement agencies when legally asked to do so.
"Expecting users and companies to store plaintext/ciphertext combination is equal parts ridiculous and dangerous," observes Sandesh Anand, a software security professional. "Ridiculous because this means terabytes of data have to be stored and retrieved on request. Dangerous because the point of encryption (sometimes) is to ensure the 'plaintext' is not accessible, unless decryption is performed. Hence, in cases where encryption is used to store sensitive data securely, the terms of this policy weaken the security."
The proposal says that service providers using encryption technology or those providing such services in India "must enter into an agreement with the government for providing such services in India."
This means thousands of companies around the world providing such services will be required to enter into an agreement with the Indian government, something that experts think is unrealistic.
"The provision to require service providers using encryption technology to register and enter into an agreement with a body of the Government of India is redundant and unenforceable as a part of this policy," says Vijayashankar. "Since there is a large number of services today which use encryption (even accepting the fact that SSL/TLS users are exempted), this policy may require thousands of websites to enter into agreement with the Government. Already there is a provision in Section 69 of ITA 2008 which is a statutory law."
The draft policy also requires all encryption products to be registered with the government. Indian users would be allowed to use only encryption products registered in India, and violation of this, according to the draft policy, can attract "appropriate action as per law of the country."
The encryption algorithms and key sizes prescribed by the government have also met with criticism.
"India wants to become a police state," says a Reddit thread discussing the draft policy.
Mahendra Palsule, an editor at Techmeme, a popular technology news aggregator, feels that "India's draft National Encryption Policy could very well be a draft of the NSA/GCHQ vision statement."
But not everyone is in opposition to the proposals. "The government is not asking you to unconditionally hand over all your private info. If there is any suspicion, it will ask you to produce unencrypted content," tweets software engineer Krupakar Manukonda. "Can government decide encryption rules? Yes, as per IT Act it can. I don't see how security agencies can function without some control over communication," he says.
The draft policy also seeks to encourage "development of indigenous algorithms and manufacture of indigenous products for encryption, hashing and other cryptographic functions."
Comments on the Draft National Encryption Policy have to be sent in by October 16, 2015.