After the government’s face-off with online civil society, observers, activists and journalists who keep watch on cyber-policy have now slammed the “Draft National Encryption Policy” released by the Department of Electronics & Information Technology. Going by the draft, it appears that the department has taken its acronym, DeitY, a little too seriously by seeking unbridled powers.
The draft note, which you can read here, aims to regulate the way we use modern communication platforms like WhatsApp or BBM. Among the various complaints about it, what seems to have attracted the ire of observers the most is this part of the draft:
All citizens (C), including personnel of Government / Business (G/B) performing non-official / personal functions, are required to store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country.
What this means in practice is that you cannot delete your WhatsApp messages for 90 days, and you have to hand them over in readable form to the authorities if the law demands it. If you don’t, you can be booked.
Writing in MediaNama, Nikhil Pahwa says that this policy is “totalitarian” in nature and “seems to hold every individual in the country as a potential criminal”.
Nikhil asks,
How exactly does the government of India expect users to know:
1. About all the communication taking place from their devices, given all the communication that takes place via apps
2. Whether their communication is encrypted or not
3. How to store plaintext version of encrypted communication for 90 days, given that much of the information is transient.
4. Whether the law enforcement agency is seeking data as per the laws of the country
5. How to keep this plaintext data secure
Speaking to NDTV Gadgets 360, Pranesh Prakash, Policy Director at the Centre for Internet and Society, said, "Would OpenPGP, a commonly-used standard for encryption of email, fall under 'mass use'? Because if it doesn't, I am prohibited from using it. But if it does, I am required to copy-paste all my encrypted mails into a separate document to store it in plain text, as required by the draft policy. Is that what it really intends? Has the government thought this through?"
The problems do not end there. The policy also states that only the government of India will define how encryption is to be carried out, and that private entities which have encrypted communication with foreign entities shall keep plain-text copies of it for authorities to access within 90 days of the communication if required. This defeats the purpose of encryption: a retained plain-text copy is a second target that an attacker can go after without breaking the cipher or stealing the keys, so every such communication becomes susceptible to compromise for as long as the copy exists.
Quite expectedly, the policy got roasted online, under the hashtag #daftnationalpolicy.
The "DRAFT NATIONAL ENCRYPTION POLICY" of India is as good as saying "DONT ENCRYPT" pic.twitter.com/RV71wk7mxw
— Thejesh GN (@thej) September 20, 2015
If you are a startup "MAKING IN INDIA" with any cloud vendor buy storage & prepare to write cipher text to disk+ sending it over the wire.
— Akash Mahajan (@makash) September 20, 2015
It makes little sense to exclude sensitive security agencies unless you know you're in fact DECREASING security by this regulation.
— Pranesh Prakash (@pranesh_prakash) September 20, 2015
#daftnationalencryptionpolicy will ensure that attackers have 90 days to get plain text without attacking your keys or algos.
— Akash Mahajan (@makash) September 20, 2015