Facing widespread outrage and objection, the government finally withdrew a contentious draft encryption policy. It will be placed in the public domain again after some of the clauses that are giving rise to “misgivings” have been reworked. The telecom minister had assured people that his government fully supported freedom on social media and had in fact promoted social media activism. However, regulation of encryption technologies was the need of the hour. Some form of encryption policy is followed all over the world, particularly in free democratic societies. Interaction in cyberspace, commercial, official and private, is on the rise, and much of it takes place in encrypted form, so security concerns are certainly there. India lacked any sound policy on encryption, and a proper expert committee was constituted to draft one. But when the government noted the public's concerns and some wording that could have been avoided, it decided to rework the draft and give a clear roadmap stating which categories of services and creators of encryption the policy applies to and which it does not. The Department of Electronics and Information Technology (DeitY), which had recently released the draft National Encryption Policy, has removed the two PDF files of the draft and its addendum from its website. The policy aims to enable an information security environment and secure transactions in cyberspace for individuals, businesses and government, including nationally critical information systems and networks.
The draft National Encryption Policy released on Monday evening was not the final view of the government; it was placed in the public domain only to seek comments and suggestions from the people. The provisions of the draft policy put on the DeitY website would have given the government access to all encrypted information stored on computer servers in India, including personal emails, messages and other data. The draft also required users to store all encrypted communication for at least 90 days and to make it available to security agencies, if required, in plain-text form.
The rapid rate of growth of internet-based service delivery has made it necessary to put in place standards that protect privacy and increase the security of the internet and associated information systems.
In our day-to-day activities, we frequently use the internet on our devices. If the address of the website we are accessing begins with HTTPS instead of HTTP, the site is using a secure channel to transmit data. Similarly, websites store user information, such as user names and passwords, in an encrypted format. Cryptography was initially applied to military and diplomatic communications, but is now used widely in Virtual Private Networks (VPNs), secure email, electronic fund transfers and secure messaging applications, to name a few. The Information Technology Act has provisions for such guidelines to be issued for encryption (Sec 84A) and decryption (Sec 69). Most of the technical terms, such as hashing algorithms (used to map digital data of arbitrary size to digital data of fixed size), keys (used to encrypt and decrypt communication) and digital signatures (used to ensure confidentiality, integrity and authenticity of communication), have been explicitly defined in the IT Act. Further, the policy aims to promote the use of digital signatures by all entities, including the government, for trusted communication, transactions and authentication. Lastly, it envisages the adoption of information security best practices by all entities and stakeholders: government, public and private sector enterprises, and citizens at large.
The policy categorises users into three groups: government (G), which includes all central and state government departments (including sensitive departments/agencies while performing non-strategic and non-operational roles); business (B), which includes all statutory organisations, executive bodies, business and commercial establishments, including all PSUs and academic institutions; and citizens (C), which includes all citizens (including personnel of government/business (G/B) performing non-official/personal functions). It then mandates that encryption technology for storage and communication within the G group, and for communication between the G group and the B/C groups, will be used as per standards specified through notification by the government from time to time.
For users in groups B/C it mandates that they not only adhere to standards notified by the government but also produce plain-text and encrypted copies of communications on demand from law enforcement agencies for up to 90 days from the date of the transaction. The onus of storing this plain-text communication lies with the end user in each category; if the entity is based outside India, the responsibility for providing the plain-text communication lies with the corresponding entity based in India. The primary area of concern is the insistence that end-user entities store and provide plain-text communication. The notion is antithetical to the idea of promoting encryption practices: it will add to the infrastructure costs of businesses that must maintain such databases, while the general public is practically unaware of most of these practices. The original proposal also said that apps and platforms would need either to register the kind of encryption service they use with the government or to sign up to use government-approved encryption services.
In 2010, the UPA government said it would ban BBM (BlackBerry Messenger) in India unless BlackBerry (then Research in Motion) gave security agencies access to snoop on emails. The two eventually reached an arrangement that allows the government to intercept messages sent on BlackBerry's platform. Now the government has bowed to public pressure and taken the draft back. Meanwhile, the National Encryption Policy was issued without the knowledge of the IT Minister; the government should take responsibility and act against whoever authorised its issue, even as a draft. If not, several more such draconian laws may come up in future without the knowledge of the ministers in the government, and they will hurt common people.