The draft proposes that users of encrypted messaging services should reproduce the same text on demand.

The government has kicked up another controversy by proposing that every citizen should keep a copy of all their communications in the cyber space, including emails and chats, for a period of 90 days and be able to make it available to security agencies when demanded, under the Draft National Encryption Policy.

However, IT Ministry sources told The Hindu that “this policy initiative will not impact the common man.”

According to the proposed policy, citizens as well as businesses may use encryption technology for storage of data and communication. However, all citizens “are required to store the plaintexts of the corresponding encrypted information for 90 days” and provide verifiable plain text to law enforcement agencies as and when required.

Feedback sought

The government has invited public feedback and comments on these guidelines till October 16. The draft was formed by an ‘expert group’ set up by the Department of Electronics and Information Technology.

The draft covers all messaging, email services and ecommerce websites (such as WhatsApp, WeChat, Gmail and Yahoo Mail) as each of them uses some form of encryption.

Cyber law expert Pawan Duggal said the policy is not only draconian, but also misplaced. “Almost everyone using the Internet will find themselves in violation of these rules. This policy is detached from the ground realities… they do not take into consideration the mobile revolution in the country,” he said.

Calling the draft policy “vague” and “ambiguous,” Mr. Duggal said that in its current form it criminalises people who delete data that is less than 90 days old from their phone or personal computer. He added that the draft was also in contrast to the objectives of the IT Act under which it has been framed.

Most experts were of the opinion that this policy in its current form cannot work, simply because end consumers do not have any idea what encryption is and in most cases the encryption of data is done by applications. Users cannot decrypt that; application providers could.

“The first question to ask is this really feasible, particularly for the end consumers. Would they even know what is encryption… are they savvy enough to understand this policy. Secondly, keeping a copy of the data will require huge storage and that will come at a cost,” Shree Parthasarthy, Senior Director at Deloitte in India said.

Saket Modi, CEO of Lucideus, a cyber security services and solutions provider, said the guidelines need to be more articulate.

“The Internet is too big and global in nature. The policy generalises it. The good thing is that the process has been initiated. India needs an encryption policy. In the policy the government recommends use of DES, AES and RC4 as encryption standards which are globally accepted. It’s a good law, especially for businesses, but the government has tried to make it universal. These recommendations need to be fine-tuned as on the consumer side the Internet needs to remain free,” he said.