You must have heard about the National Encryption Policy in the news recently. What is this policy? Why is the government implementing it? How is it going to affect you? I know you want the answers to all these questions. I’ll explain everything you need to know about the National Encryption Policy and why the government withdrew the draft on 22-09-2015.
The Department of Electronics and Information Technology (DeitY) recently released the draft of the National Encryption Policy. The policy aims to “enable an information security environment and secure transactions in cyberspace for individuals, businesses and government including nationally critical information systems and networks.” Data encryption means converting data into a form, called ciphertext, that helps prevent unauthorised access. Banks and other online service providers use encryption to protect your financial and private data, and online government sites and messaging platforms like WhatsApp, Viber, Hike etc. use it to protect your personal data. While encryption was originally used mainly in military and diplomatic communications, the arrival of web-based services like e-commerce and online communication has escalated its use. At the outset, this draft proposal does call out the inherent advantage of cryptography. But as the clauses of the draft unfold, you’ll see that the government wants to bring pretty much every person in the country under internet scrutiny: from central and state government departments to academic institutions to businesses to all citizens. This is a straight attack on our privacy.
The draft policy is introduced under section 84 A of the Information Technology Act 2000, according to which all electronic information and communication will be covered under the policy. Hence, this draft applies to all citizens, including you. If you think it wouldn’t impact you directly, you need to rethink: it is going to affect the way you use WhatsApp and other messaging apps, because these service providers use encrypted communication as well. The draft also puts the user in a position of responsibility. According to one part of the draft, a company will have to keep passwords in plain text for 90 days, i.e. your data will remain unencrypted, and hence in danger of being misused or attacked, for this period. Things start to get ugly when the draft proposes that the use of encryption technology for storage and communication within government, businesses and citizens, with protocols and algorithms for encryption, key exchange, digital signature and hashing, will be as specified through notification by the government from time to time. So the government is going to standardise what type of encryption you use. There is also a watchdog clause, according to which service providers located within and outside India that use encryption technology to provide any type of service in India must enter into an agreement with the government for providing such services. The government will designate an appropriate agency for entering into such agreements with these service providers, and if you want to use an encryption product, you can only use one that is registered in India. Hence, you can’t choose your own encryption application. Lastly, the draft proposes that any creator or developer of encryption products, software or hardware, is required to make the inner workings of their encryption products known to the government.
Now, it is not that the entire policy is dangerous to our privacy. The draft document does mention some positive measures such as promotion of cryptography research and development in the country. Overall, the draft proposal has some parts which are completely ridiculous and equally dangerous. Moreover, storing all the data may not be possible for all and entering into so many agreements won’t be a smooth process either.
This draft encryption policy and the struggle for net neutrality make us feel that we are heading back to the pre-independence era, and this time we have to fight for our digital freedom. It’s a good thing that the government has withdrawn this draft encryption proposal. Even the Union Minister for Communication and IT, Ravi Shankar Prasad, said that some of the expressions used in the draft are giving rise to uncalled-for misgivings. Hence, he has written to DeitY to withdraw the draft, rework it properly and thereafter put it in the public domain. The government agency has invited public feedback and comments by 16 October. The draft of the policy is available in the public domain and you are free to give feedback on it. So, as netizens, you have until 16 October to send in your opinion and comments to firstname.lastname@example.org.