MUMBAI, INDIA: This is a classic case of state paranoia.
The latest draft encryption policy from the Department of Electronics and Information Technology (DeitY) has raised more concerns than it has built positive consensus about its outcomes.
The expert group set up by DeitY has thrown all sense of individual rights and privacy to the wind, using the draft policy to weaken encryption and, with it, personal and business security.
Here are 3 reasons that prove the point:
1. DeitY wants all the citizens (C) including personnel of Government / Business (G/B) performing non-official / personal functions to store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable plaintext to law and enforcement agencies as per the provision of the laws of the country.
2. Only the government of India shall define the algorithms and key sizes for encryption in India, and it reserves the right to take action for any violation.
3. Entities in India are responsible for providing unencrypted details of communication with foreign companies in readable plaintext.
4. Also, service providers that provide encryption in India will have to register with the government. Not only that, the vendors shall submit working copies of the encryption software/hardware to the government, along with professional-quality documentation, test suites and execution platform environments.
5. Encryption products may be exported but with prior intimation to the designated agency of Government of India. Users in India are allowed to use only the products registered in India.
But what will the government do about:
1. The communication taking place from various devices with different operating systems, given all the communication that takes place via apps.
2. Verifying whether the communication is encrypted or not, and keeping this plaintext data secure.
3. Teaching users how to store the plaintext version of encrypted communication for 90 days, given that much of the information is transient.
4. Knowing whether the law enforcement agency is seeking data as per the laws of the country.
What does the government want to achieve?
Objectives of this policy:
To synchronize with the global usage of encryption for ensuring security and data confidentiality without unduly affecting public safety and national security.
To encourage wider usage of digital signatures.
To encourage the adoption of information security best practices by all entities and stakeholders in the government, public & private sector and industry.
While CIOL believes that every government must keep itself updated with developments in the latest technologies, we feel that the state machinery should also be practical and engage with the concerned stakeholders or field experts before publicly launching important policy drafts such as the one on encryption.
Do you believe that the government has acted in haste?