Naina Khedekar

After a huge outcry over the union government's new draft encryption policy making it mandatory to store data in plain text (unencrypted) format for 90 days, the government has now confirmed some exemptions.

A new proposed addendum to the draft encryption policy clarifies that the 'encryption products' exempted from the policy include social media sites such as WhatsApp, Facebook and Twitter, payment gateways, e-commerce and password-based transactions, and more.

The following categories of encryption products are being exempted from the purview of the draft national encryption policy:

1. The mass-use encryption products currently being used in web applications, social media sites and social media applications such as WhatsApp, Facebook, Twitter, etc.

2. SSL/TLS encryption products being used in Internet-banking and payment gateways as directed by the Reserve Bank of India.

3. SSL/TLS encryption products being used for e-commerce and password based transactions.

The Union government had released a draft National Encryption Policy document online, seeking to set out methods of encryption for the data and communications used by the government, businesses and even citizens. An 'expert panel' from the Department of Electronics and Information Technology (DeitY) was set up to prepare the draft. Looks like the experts got it all wrong about the importance of data encryption. According to the draft, an encrypted messaging service should, on demand, reproduce the same text in plain format before law enforcement agencies whenever asked to. On failing to do so, the government can even take legal action as per the laws of the country.

Data encryption means converting data into a form called ciphertext, which helps prevent unauthorised access. Banks and e-commerce sites use encryption to protect your financial and private data; online government sites and several messaging platforms use encryption to protect your personal data, and so on.

It would impact the way you use WhatsApp and Apple's iMessage, since these services also use encryption for communication. Since the earlier draft also put the user in a position of responsibility, it could potentially have affected WhatsApp and other popular messaging services that use encryption. However, it looks like the outcry has led the government to add exemptions that cover the social and messaging services we use in our daily lives.

You can read the complete report below:

http://www.scribd.com/doc/282239916/DRAFT-NATIONAL-ENCRYPTION-POLICY

According to the draft, the government wants to 'provide confidentiality of information in cyber space for individuals, protection of sensitive or proprietary information for individuals & businesses, ensuring continuing reliability and integrity of nationally critical information systems and networks', which is great, but some parts of the document simply say otherwise.

https://twitter.com/thej/status/645449704168230912

Hey GOI, does anyone of you understand privacy, security & internet? Is this how #DigitalIndia is supposed to work? https://t.co/djuA6uNR4X — Deepak Gupta (@deepakgupta1) September 21, 2015

https://twitter.com/pranesh_prakash/status/645872731985195008

Now, that's not all. For instance, one part reads, "user shall reproduce the same Plain text and encrypted text pairs using the software/hardware used to produce the encrypted text from the given plain text. All information shall be stored by the concerned B/C (business/citizen) entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country."

This means a company will have to keep passwords in plain text, so your data will remain unencrypted, and hence vulnerable, with them for 90 days. This is where the problem lies: it gives attackers a good 90 days to get to the plain text of your vulnerable data.

Considering the penetration of Internet and how we are vying for smart cities and getting the country online, this move would simply defeat the purpose.

The draft policy, introduced under Section 84A of the IT Act 2000, says all electronic information and communication will be covered by the policy. This draft is applicable to all citizens, including 'you', and also to personnel of government and businesses engaging in non-official or personal functions. All of them are required to store the information as plain text for 90 days.

https://twitter.com/makash/status/645469153638219777

https://twitter.com/makash/status/645471920679317504

The new policy also states, "Only the government of India shall define the algorithms and key sizes for encryption in India, and it reserves the right to take action for any violation of this Policy." Businesses will have to keep all encrypted data and also make it available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country. Yes, we are talking about your private data here. Moreover, service providers offering encryption will have to register with the Indian government.

"Service Providers located within and outside India, using Encryption technology for providing any type of services in India must enter into an agreement with the Government for providing such services in India. Government will designate an appropriate agency for entering into such an agreement with the Service provider located within and outside India," the draft reads.

This means practically every company will have to get into an agreement with the government.

What the government is really missing is an understanding of how much the common man knows about encryption and its nuances. Once the policy is implemented by the government or businesses, it will automatically start impacting citizens. Aren't we trying to thwart cyber attacks in India? This will only make it easier for malicious minds to get up to notorious activities.

Overall, expecting everyone to store plain text for 90 days is completely ridiculous and equally dangerous. Moreover, storing all that data may not be feasible for everyone, and inking tens of thousands of agreements won't be a smooth process either.

Now, we aren't saying the entire policy is dangerous to our privacy. Raman Jit Singh Chima, lawyer and policy director at Access, a digital rights organisation told TOI, "The government can work with technologists towards that goal. The draft document does mention positive measures such as promotion of cryptography research and development in the country."

https://twitter.com/pranesh_prakash/status/645474876304678912

As netizens, you have until 16 October to send in your opinion and comments to akrishnan@deity.gov.in.