The Draft National Encryption Policy
The Draft National Encryption Policy
The draft was formulated by an expert group set up by the Department of Electronics and Information Technology (DeitY) under Section 84A of the Information Technology Act, 2000.
The Draft National Encryption Policy wants users to store all encrypted communication for at least 90 days and make it available to security agencies, if required, in text form. It also wants everyone to hand over their encryption keys to the government.
Government will have access to all encrypted information, including personal emails, messages or even data stored on a private business server.
Since every messaging service and email, including WhatsApp and Gmail, use some form of encryption, this draft would cover almost all instant messages and emails.
Although it exempted SSL/TLS encryption products used in Internet-banking and payment gateways as well as SSL/TLS encryption products being used for e-commerce and password based transactions.
All vendors of encryption products shall register their products with the designated agency of the Government.
Objectives of the national encryption policy
- It aims to promote the use of encryption for ensuring the security and confidentiality of data and to protect privacy in information and communication infrastructure without unduly affecting public safety and national security.
- It also aims to synchronize with the global standards that are emerging in the era of digitised economy and networked society.
- To promote the use of digital signatures by all entities, including the government, for trusted communication, transactions and authentication.
- And lastly, it envisages adoption of information security best practices by all entities and stakeholders in the government, public and private sector enterprises and citizens at large.
Criticisms of the policy
- This policy has included, From Central and State Government departments involved in non-strategic roles to academic institutions to businesses to all citizens. Which repudiate individual’s right to privacy.
- Government wants to specify what type of encryption citizens and their business use, and wants to notify to use its approved standards when as deems fit.
- Policy demands that user shall be able to reproduce the same plain text and encrypted text pairs using the software / hardware used to produce the encrypted text from the given plain text.This suggestion entirely defeat the purpose of encryption.
- A person’s personal data–even if encrypted using their encryption program of choice–should be made available to the government as and when they need it. Access to such information, when required, should be sought through a court of law, as is the norm.
- Service Providers located within and outside India, using Encryption technology for providing any type of services in India must enter into an agreement with the Government for providing such services in India. Government will designate an appropriate agency for entering into such an agreement with the Service provider located within and outside India.
- Finally, they propose that any creator or developer of encryption products–software or hardware–is required to make the inner workings of their encryption products known to the government.
What is cryptography?
Defined as the practice and study of techniques for secure communication in the presence of third parties, cryptography encompasses a wide spectrum of applications that include encrypting communication sent in plain text and decrypting it on receipt or using a secure channel of communication within which data can be sent in plain text.
If the website you are accessing begins with HTTPS, instead of HTTP, it is using a secure channel to transmit data. Similarly, websites store user information in an encrypted format, like a user name and passwords. Cryptography initially had application in military and diplomatic communications, but is now used widely in Virtual Private Networks (VPNs), secure email, electronic fund transfers, secure messaging applications to name a few.