The policy aims to regulate the way we use modern communication platforms like WhatsApp or BBM.

Indian govt now wants to control WhatsApp texts: here is how dangerous and daft it is
news Tech policy Monday, September 21, 2015 - 18:12

After the government’s face-off with online civil society, observers, activists and journalists keeping a watch on cyber-policy have now slammed the “Draft National Encryption Policy” released by the Department of Electronics & Information Technology. Going by the draft, it appears that the department has taken its acronym, DeitY, a little too seriously by seeking unbridled powers.

The draft note, which you can read here, aims to regulate the way we use modern communication platforms like WhatsApp or BBM. Among the various complaints about it, the part that seems to have attracted the most ire from observers is this:

All citizens (C), including personnel of Government / Business (G/B) performing non-official / personal functions, are required to store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country.

What it basically means is that you cannot delete your WhatsApp messages for 90 days and you have to share them with the authorities if the law demands it. If you don’t, then you can be booked.

Writing in MediaNama, Nikhil Pahwa says that this policy is “totalitarian” in nature and “seems to hold every individual in the country as a potential criminal”.

Nikhil asks,

How exactly does the government of India expect users to know:
1. About all the communication taking place from their devices, given all the communication that takes place via apps
2. Whether their communication is encrypted or not
3. How to store plaintext version of encrypted communication for 90 days, given that much of the information is transient.
4. Know whether the law enforcement agency is seeking data as per the laws of the country
5. Keep this plaintext data secure

Speaking to NDTV Gadgets 360, Pranesh Prakash, Policy Director at the Centre for Internet said, "Would OpenPGP, a commonly-used standard for encryption of email, fall under 'mass use'? Because if it doesn't, I am prohibited from using it. But if it does, I am required to copy-paste all my encrypted mails into a separate document to store it in plain text, as required by the draft policy. Is that what it really intends? Has the government thought this through?"

The problem does not end there. The policy also states that only the government of India will define how encryption should be carried out, and that private entities which have encrypted communication with foreign entities shall keep plain-text copies of it for authorities to access within 90 days of the communication if required. This basically defeats the purpose of encryption and leaves all communications susceptible to hacks, since a stored plain-text copy is exposed to anyone who compromises the device or server holding it.

Quite expectedly, the policy has now been roasted online, tagged with #daftnationalpolicy.