A new draft National Encryption Policy put out by the Department of Electronics and Information Technology seeks to define the various encryption standards allowable on data originating from the country, and does so in its traditional ham-handed way. In an abridged version of the document, put out by DEITY, the department proposes some practices that effectively run counter to the philosophy of encryption – of data as well as devices.
For example, it specifies that the government will suggest which encryption algorithms can be used from time to time, what keys are used to secure the data, and what key lengths should be used to go with them. Keys are bits of data used that work to legitimately seal and unseal an encryption algorithm, and it’s unclear why the government insists on being able to decide how long or short the keys will be. But demanding to know what they keys are at all times signals the government intends to have unrestricted access to all data passing through servers in Indian territory.
Update: after an uproar on the social media over the document’s specifying that users will have to be able to preserve each digital message in their possession – received on services like WhatsApp or GMail – for 90 and produce it in plain-text (i.e. decrypted) to law-enforcement authorities on request, DEITY issued an addendum exempting “mass-use encryption products” from its proposed regulation. Such products would include communication services like WhatsApp, GMail, Skype, etc. At the same time, communications between businesses and consumers have been left out of the exemptions, in effect leaving them more vulnerable to being spied on.
Another particularly disturbing line in the document goes: “All vendors of encryption products shall register their products with the designated agency of the Government. While seeking registration, the vendors shall submit working copies of the encryption software / hardware to the Government along with 4 professional quality documentation, test suites and execution platform environments”.
Vendors of encryption products could also include vendors of products in which encryption is built-in – ranging from messaging apps to Internet browsers to full-blown operating systems. In effect, they will be required to register themselves with the government before they can access the market. The implication is that the government could also revoke registrations as a way to exert influence over the vendors. Further, saying “Government may review this policy from time to time and also during times of special situations and concerns” suggests products and services will have to be retooled to fit the government’s changing standards, which can be cost-intensive and detrimental to the user.
It will be far easier for the government as well as consumers if the former sticks to defining standards and not insist on participating in their specific implementation by the latter. For example, the widely used OpenPGP protocol is not recognised by Indian law. For another, DEITY could do better to distinguish between products and protocols themselves: at one point, the document says the product called SSL is exempt from its requirements; SSL however is an encryption standard. Another way the policy itself could be benefited is by having a standalone privacy law that provide the safeguards that protects user rights downstream, instead of defining them from one application to another.
Comments on the document can be emailed to firstname.lastname@example.org by October 16, 2015.
Note: This article was updated on September 22, 2015, at 8.53 am to include new developments.