Looks like, we are heading back into the pre-independence era, only this time we have to fight for our digital rights. While we continue to struggle for net neutrality, here’s a new problem around encrypting our data.
Now, the union government has released a draft National Encryption Policy document online seeking methods of data encryption of data and communications used by the government, businesses, and even citizens. So, an ‘expert panel’ from the Department of Electronics and Information Technology (DeitY) is set to have prepared the draft. Looks like the experts have got it all wrong about how importance of data encryption.
What’s the problem?
Data encryption means conversion of data into a form, called a ciphertext, which helps avoid unauthorised access. Banks and e-commerce sites use encryption to protect your financial and private data, online government sites and several other messaging platforms use encryption to protect your personal data and so on.
And if you felt it wouldn’t impact you directly, then you need to consider that this could impact the way you use WhatsApp and Apple’s iMessage service since these use encryption for communication as well. Since the draft also puts the user in a position of responsibility, it could potentially have an effect on WhatsApp and other popular messaging services that use encryption.
You can read the complete report below:
According to the draft, the government wants to ‘provide confidentiality of information in cyber space for individuals, protection of sensitive or proprietary information for individuals & businesses, ensuring continuing reliability and integrity of nationally critical information systems and networks, which is great, but some parts of the documents simply say otherwise.
The "DRAFT NATIONAL ENCRYPTION POLICY" of India is as good as saying "DONT ENCRYPT" pic.twitter.com/RV71wk7mxw
— Thejesh GN ⏚ ತೇಜೇಶ್ ಜಿ.ಎನ್ (@thej) September 20, 2015
Hey GOI, does anyone of you understand privacy, security & internet? Is this how #DigitalIndia is supposed to work? https://t.co/djuA6uNR4X
— Deepak Gupta (@deepakgupta1) September 21, 2015
Surely a govt that wants to promote Digital India doesn't intend these as unintended consequences of an ill-thought-out encryption policy.
— Pranesh Prakash (@pranesh) September 21, 2015
For instance, one part reads, “user shall reproduce the same Plain text and encrypted text pairs using the software/hardware used to produce the encrypted text from the given plain text. All information shall be stored by the concerned B/C (business/citizen) entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country.”
This means, a company will have to keep passwords in plain text, which means your data will remain unencrypted and hence vulnerable, with them for 90 days. Now, this is where the problem lies. It gives attackers good 90 days to get to the plain text or your vulnerable data.
Considering the penetration of Internet and how we are vying for smart cities and getting the country online, this move would simply defeat the purpose.
Why should it bother you and what you can do
The draft policy introduced under Section 84 A of the IT Act 2000, says all the electronic information and communication will be introduced under the policy. Now, this draft is applicable to all citizens including ‘you’, and also personnel of government and businesses engaging in non-official or personal functions. All of them are required to store the information as plain text for 90 days.
#daftnationalencryptionpolicy will ensure that attackers have 90 days to get plain text without attacking your keys or algos.
— Akash Mahajan (@makash) September 20, 2015
If #daftnationalencryptionpolicy becomes a reality, Mozilla Firefox, Google Chrome etc. browser vendors can't offer you secure updates.
— Akash Mahajan (@makash) September 20, 2015
Medianama explains, “All citizens (C), including personnel of Government / Business (G/B) performing non-official / personal functions, are required to store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country.”
The new policy also states, “Only the government of India shall define the algorithms and key sizes for encryption in India, and it reserves the right to take action for any violation of this Policy.” Businesses will have to keep all encrypted data and also make it available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country. Yes, we are talking about your private date here. Moreover, service providers offering encryption will have to register with the Indian government.
“Service Providers located within and outside India, using Encryption technology for providing any type of services in India must enter into an agreement with the Government for providing such services in India. Government will designate an appropriate agency for entering into such an agreement with the Service provider located within and outside India,” the draft reads.
This means practically every company will have to get into an agreement with the government.
What the government is really missing is the knowledge a common man has about encryption and its nuances. Once it is implemented by the government or businesses, it will automatically start impacting citizens. Now, aren’t we trying to thwart cyber attacks in India? This will only make it easier for malicious minds to start with notorious activities.
Overall, expecting everyone to store the plain text for 90 days is completely ridiculous and equally dangerous. Moreover, storing all the data may not be feasible to all and inking tens of thousands of agreements won’t be a smooth process either.
Now, we aren’t saying the entire policy is dangerous to our privacy. Raman Jit Singh Chima, lawyer and policy director at Access, a digital rights organisation told TOI, “The government can work with technologists towards that goal. The draft document does mention positive measures such as promotion of cryptography research and development in the country.”
It makes sense for the govt to prescribe minimum encryption *strength* for some uses. But NOT for it to prescribe algorithms and key length!
— Pranesh Prakash (@pranesh) September 20, 2015
As netizens, you have until 16 October to send in your opinion and comments to akrishnan@deity.gov.in.