The Government recently released a draft of National Encryption Policy which has got a lot of coverage in the press over the last few days. Very few people actually agree with the purpose of this policy since it threatens to leave hordes of personal user data vulnerable to spying by hackers and other malicious parties. Amidst all the hue and cry, there are some people who are still unclear about what this policy actually signifies, so in this post we will attempt to clarify the meaning of this policy.
What is the DeitY policy all about?
Released by the Department of Electronics and Information Technology (DeitY), this policy concerns the use of encryption for data stored by various web services. As per the policy:
All citizens (C), including personnel of Government / Business (G/B) performing non-official / personal functions, are required to store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country.
The policy also states that only the Government of India shall define the algorithms and key sizes for encryption in India. You can view the full original copy of this policy here.
What does this policy mean exactly?
In effect, what this means is that everyone who communicates online needs to store the plaintext version of encrypted communications for a period of 90 days. This policy is applicable to individuals and businesses equally.
What has been the reaction to this policy online?
Understandably, the reaction to the release of this policy has not been positive. Firstly, the general consensus is that the terms of the policy are vague and confusing. It is still not entirely clear who the policy applies to and what apps/services come under its purview.
Secondly, this also means that businesses and services that store user information and messages in an encrypted format will have to mandatorily store the data in plain text for 90 days. This leaves the communication open to hacks and attacks for this time period and completely kills the purpose of encryption in the first place.
Lastly, many feel that this policy runs AGAINST the very idea behind encrypting data and devices. It specifies that the Government will effectively decide which encryption algorithms can be used, what keys are used to secure data, and what key lengths should go with them. A simple way to understand this policy is that users would be expected to store their communications, WhatsApp chats for instance, for 90 days in case a law enforcement agency wishes to view them. In effect, deleting your WhatsApp chats could become an offence.
Can users send in their comments to DeitY?
Yes, user comments are invited so that people can share their opinions on the draft. The last date for sending these comments is 16th October. These comments need to be sent to firstname.lastname@example.org.
UPDATE – The following categories of encryption products are being exempted from the purview of this national encryption policy, as per the latest addendum:
- Mass use encryption products used in web apps, social media sites, and social media apps such as WhatsApp, Facebook, Twitter etc.
- SSL/TLS encryption products used in Internet banking and payment gateways
- SSL/TLS encryption products used for e-commerce and password-based transactions
UPDATE AS ON 23 SEPTEMBER – The Government has withdrawn this policy due to the uproar and backlash that it has received in the media and over social channels. It remains to be seen what their next step is with regards to the national encryption policy.
We would like to know what our users think about this draft policy. Share your comments with us below and stay tuned for more information on this topic.