Draft National Encryption Policy puts a damper on Digital India

Good old homing pigeons – the new WhatsApp

Before we start, there is something that needs to be said. Laws restricting internet freedom are prevalent around the world. So while the current topic focuses on India, internet freedom or the lack of it is a problem plaguing numerous countries.

In fact, as per the report ‘Freedom on the Net 2014’ from Freedom House, an independent watchdog organization dedicated to the expansion of freedom and democracy around the world, India registered the biggest improvement in Internet freedom that year compared to its global counterparts. It rose from position 47 to 42. This happened when authorities relaxed restrictions on access and content that had been imposed in 2013 to help quell rioting in north-eastern states. On a global scale, internet freedom actually declined for the fourth consecutive year!

On the side

Last month, Google finally spoke on the matter of net neutrality in India, and its answer seems to be a stern no. It has asked the Internet and Mobile Association of India (IAMAI), which regulates Internet companies, to oppose zero rating. Zero rating is a plan conceived by (cash-rich) Internet operators in collaboration with telecom providers to offer apps and websites for free.

Draft National Encryption Policy – what is it?

On September 21, 2015, the government released a draft National Encryption Policy that requires people as well as businesses to keep a record of their WhatsApp, Google Hangouts or Apple iMessage messages for 90 days (without deleting them) and hand them over when asked for security reasons.

The Department of Electronics and Information Technology (DeitY), which comes under the union ministry of communications and information technology, offered the draft to introduce the New Encryption Policy under section 84A of the Information Technology Act 2000. This section was introduced through an amendment in 2008.

Online businesses too would need to keep your sensitive information including passwords in plain text for the same period of time, thus exposing your information to potential hacking attacks.

If this policy becomes active, the government will have access to all kinds of encrypted information (personal emails, chats, SMS, etc.) carried by all messaging services, such as FB chat, BBM and SMS.

What happened to the draft policy?

The government had published a draft of the policy document online to seek feedback from citizens and organizations. And they got a lot of it – mostly bad and fiery!

Check tweets with #mylibertymyright, #myprivacymyright, #ModiDon’tReadMyWhatsApp, #NationalEncryptionPolicy.

On September 22, 2015, Union Minister for Communications and IT Ravi Shankar Prasad announced that the Government would withdraw the ‘Draft National Encryption Policy.’

DeitY issued an addendum to the draft encryption policy stating that mass encryption products currently used in web applications, social media sites and apps like WhatsApp, Facebook and Twitter were exempt from the purview of the draft policy.

Mass use products like SSL/TLS that are used for financial transactions are exempted from registration.

Speaking to the press, Ravi Shankar Prasad distanced the government from the draft, saying, “I wish to make it clear that it is just a draft and not a view of the government.” The minister added that citizens’ concerns were noted and that he had written to DeitY to withdraw the draft.

What was wrong with the National Encryption Policy draft?

According to the draft, citizens may use encryption technology for storage and communication. However, encryption algorithms and key sizes will be prescribed by the government through Notification from time to time. This means that the government will determine the encryption standards for all, and entities like Google and WhatsApp will have to follow the encryption standards prescribed by the Indian government.

This will lead to more bureaucratic processes, lack of transparency, and corruption. Furthermore, the red tape will kill innovation, cause undue delays and reduce business agility.

What’s bizarre is that the draft listed specific guidelines for all citizens who use encryption services including instructions that individuals should store plain text versions of communication for 90 days.

Nowhere in the world is the onus on citizens so that governments can track what private messages husbands are sending wives and friends are sending each other. In other words, the government is saying we don’t have the technology to unencrypt your messages, therefore we want you to keep it in unscrambled text form for us to snoop on. – Zakka Jacob, IBN Live.

With online businesses having to keep your sensitive information including passwords in plain text for the same period of time, it would expose your information to potential hacking attacks.

For service providers located within and outside India that use encryption technology, the government will designate an appropriate agency to enter into an agreement with the service provider.

This means more bureaucracy and more roadblocks for app providers to get past before taking their product or service to market.

More loopholes

Other problems with the draft that worry us (and a large percentage of the country):

  • The draft has contradictory implications for Digital India
  • It’s an invasion of privacy
  • The whole idea of encryption is to prevent hacking of network messages. When you have everything out there in plain text, it’s pretty much like locking your house and then giving away the key.
  • E-commerce websites will have to keep a plain-text copy of user details leaving their information vulnerable to hackers. What is the point of encryption?
  • B2B businesses would need to keep a lot of information in plain text as well, putting customer data at risk.
  • What about apps like Snapchat? Or Periscope? These apps have self-destructive content. Would these need plain text versions as well? And if so, how?
  • The draft uses vague language and conflicting messages. Will WhatsApp usage even be legal, given that it uses end-to-end encryption?
  • Let’s say you want to use some service, say to run an email campaign, and the provider is based outside India and does not use the same encryption policy as that defined by the government of India. You can’t use it, never mind how popular it is across the globe.
  • Mass use products like SSL/TLS that are used for financial transactions are exempted from registration. However, users in India are allowed to use only the products registered in India. So using a service not registered with the government will be illegal.

Public slammers of the draft policy

  • Internet Service Provider Association Of India (ISPAI) President Rajesh Chharia said putting responsibility on customers is not acceptable.
  • Details on encryption and loopholes in this policy were explained by Pranesh Prakash, Policy Director at the Centre for Internet and Society.
  • Derek O Brien on Twitter: First you issue a draft encryption policy. Then you realize it is a daft encryption
  • Much more across digital media – just do a Google Search

Send feedback to DeitY

All citizens can send their comments on the draft policy to akrishnan@deity.gov.in by October 16 and give suggestions.

History of internet freedom chokes in India

About Monica

Monica is a digital marketer, blogger and technical writer. She has helped small businesses with content strategy and development for 6+ years and is now extending that value with online marketing. Her goal is to introduce more businesses to this exciting and profitable marketing medium. She is a regular blogger for WMA. Connect with her on LinkedIn or Twitter for digital marketing assistance or to say hello!
