Friends and fellow members,
This is discussion and news about the National Encryption Policy Draft. The union government has put up a draft National Encryption Policy document online seeking to prescribe the methods of encryption of data and communications used by the government, businesses, and even citizens. The document has been formulated by an "expert group" set up under the Department of Electronics and Information Technology (DeitY) which comes under the union ministry of communications and information technology.
As per news published in leading newspapers, the draft policy has been introduced under Section 84 A of the Information Technology Act (2000). Once finalized, rules for encryption of electronic information and communication will be introduced under the policy. The draft document is open to public comment until October 16.
Now, if you are wondering what exactly the purpose of this policy is, it says the policy's mission is to "provide confidentiality of information in cyber space for individuals, protection of sensitive or proprietary information for individuals & businesses, ensuring continuing reliability and integrity of nationally critical information systems and networks."
So far it looks promising, but if you read it closely, it says otherwise. To explain: as per this draft, citizens may use encryption technology for storage and communication. However, encryption algorithms and key sizes will be prescribed by the government through Notification from time to time. This means that the government will determine the encryption standards for all, and entities like Google and WhatsApp will have to follow the encryption standards prescribed by the Indian government.
What is interesting is that this may imply that you'll have to store your WhatsApp, FB Messenger and Gplus messages for 90 days or face action in case you are asked to reproduce them. That is because almost all messaging services use encryption, and as per this draft you are required to retain a copy of the data in plain text for up to 90 days. This further implies that e-commerce websites will have to keep a plain-text copy of user details, leaving their information vulnerable to hackers.
To explain further:
"All citizens including personnel of Government / Business (G/B) performing non-official / personal functions, are required to store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country."
More interesting is that the government expects all citizens to be aware of encrypted communication and the way to store messages in plain text securely. A large number of users may in fact not even know that WhatsApp and iMessage use encryption.
The policy also mentions that Service Providers located within and outside India, using encryption technology for providing any type of services in India, must enter into an agreement with the government for providing such services in India. What this means is that the Govt. is going to have agreements with thousands of firms worldwide, as almost all sincere websites, products and services use encryption. Moreover, this will have a negative impact on the Indian IT scene, as there will be unwanted interference from the bureaucracy, and thus corruption.
"All vendors of encryption products shall register their products with the designated agency of the government. While seeking registration, the vendors shall submit working copies of the encryption software / hardware to the Government along with professional quality documentation, test suites and execution platform environments. The vendors shall work with the designated Government Agencies in security evaluation of their encryption products," the draft adds.
However, mass use products like SSL/TLS that are used for financial transactions are exempted from registration. Users in India are allowed to use only the products registered in India though. So using a service not registered with the government will be illegal. "Government reserves the right to take appropriate action as per Law of the country for any violation of this Policy," the draft categorically states.
This doesn't make sense at all. What kind of policy is this? I wonder who the experts are who drafted this policy. Or is it intentionally made this way to become the NSA of India? I don't see how these policies are practical; moreover, if they are implemented the way the Govt. suggested in the draft, will it not be an abuse of democracy?
Apparently all citizens can send their comments on the draft policy to [email protected] by October 16 and give suggestions.