India encryption policy draft faces backlash

by Prasad Krishna last modified Sep 22, 2015 01:59 AM
The department of information technology is facing a backlash from industry experts, Internet watchers and netizens on its draft of the National Encryption Policy that it recently made public.

The article by Moulishree Srivastava was published in Livemint on September 22, 2015. Pranesh Prakash gave inputs.


While the draft policy aims to enable a secure environment for both information and transactions in cyberspace for individuals, businesses and government, experts are concerned over privacy and outdated standards prescribed in the policy, among other things.

The policy puts the onus to produce encrypted information when demanded by government agencies on Indian citizens as well as on all the online service providers including instant messaging and e-commerce services that use encryption technology (to convert plain information to an unreadable format).

The department put the policy online late last week and it came on the radar of industry watchers and experts over the weekend. The policy is open for comments from the public till 16 October.

The policy, in its current form, is poorly drafted and the measures listed in it make Indian information systems vulnerable to cyber attacks, experts say.

For instance, the policy has mandated the use of specific standards and algorithms for encryption.

Encryption can be compared to the process of translating information in one language into a foreign language.

“Specifying certain algorithms to be used for encryption, and restricting the key sizes is the same as saying that you are only allowed to communicate using a language from a given set of government-specified languages and no other language can be used,” said Pranesh Prakash, policy director at the Centre for Internet and Society.

However, the standards and algorithms mentioned in the draft policy are outdated and unsafe to use, experts say. Another thing that weakens the security considerably is the requirement for businesses and citizens to keep the information (that was encrypted and sent over) for 90 days, in case law enforcement agencies demand it. But that also means that for those 90 days, cyber criminals, too, can access it, warn experts.

Another big gap in the policy is that it leaves out “sensitive departments/agencies of the government designated for performing sensitive and strategic roles”, said Prakash.

“When the policy states its mission to be the enhancing of confidentiality of information and of security of critical networks by laying out information security best practices, how does it make any sense to keep sensitive or strategic government department and agencies outside its purview?” he asked. “After all, these are the organizations that most need to be kept secure to enhance national cybersecurity.”

The draft is also ambiguous on which online services—be it shopping online or accessing email—people can use (in compliance with the law) and which online service providers will have to be registered with the government.

The policy states that “service providers located within and outside India, using encryption technology for providing any type of services in India, must enter into an agreement with the government for providing such services in India”. Users can only use the services that are registered with the government.

“This is the first time when users are actually being told what are the things they can and cannot do,” said Prakash.

“The government must take note that the knowledge and expertise of common citizens may be inadequate to understand the nuances of encryption,” said cyber law expert Na Vijayashankar on his blog. “For example, if a citizen uses a service available on the Internet which uses, say, a higher level of encryption than what is approved, then this policy may make him liable for the violation.”

The problem is compounded because all online services use some encryption technology. This means that practically all online activity will fall under this new policy.

For instance, companies like Apple or Microsoft, which use encryption technologies at various levels of their operating systems; e-commerce services like Flipkart, Amazon and Snapdeal; web browsers like Mozilla Firefox and Google Chrome; and mail services like Gmail, Yahoo and Rediff may be required to register with the government. The only way they may escape this requirement is if there is an exemption for products that are in use at a large scale. Network security service providers like Cisco Inc. will also need to comply. (Cisco declined to respond to a query.) Snapdeal said it is still examining the draft policy, while Amazon, Google and Microsoft did not reply to emails sent by Mint. Yahoo said its spokesperson was unavailable.

One clause that is drawing a lot of ire from industry veterans and technology enthusiasts requires individual users and businesses to store all information that was sent in an encrypted form for 90 days from the date of transaction. The users would also be required to reproduce the plain text and the encrypted text, if demanded by law enforcement agencies.

The draft policy also overlooks the privacy concerns of citizens and businesses. “It is clearly a violation of freedom of speech. A large part of the policy states how the government can interfere with users, like, by demanding their private messages. The policy is anti-privacy law,” said Prakash. “Privacy and security go hand in hand. So, as this policy weakens the security of the information, it puts the privacy at greater risk.”