The Indian government has made a fool of itself and caused anxiety among citizens with a woefully misguided proposal for a national encryption policy that it’s just released to the public for feedback.
While its mission is to “provide confidentiality of information” and ensure “protection of sensitive or proprietary information”, the policy essentially calls for online services operating in India to hand over their encryption keys to the government — similar to what the NSA wants for spying on US citizens.
An ‘expert’ group set up by the Department of Electronics and Information Technology (DeitY) has proposed a framework that requires every citizen to store plain text versions of all encrypted data from their devices for 90 days and produce it upon request from law enforcement agencies.
Most people wouldn’t even know which parts of their correspondence, login details across several services, software downloads and other data are encrypted, much less be able to capture and store it. That’s just not how things work.
Other gems from the draft include:
Service Providers located within and outside India, using Encryption technology for providing any type of services in India must enter into an agreement with the Government for providing such services in India. Government will designate an appropriate agency for entering into such an agreement with the Service provider located within and outside India.
and my personal favorite:
Encryption algorithms and key sizes will be prescribed by the Government.
There are thousands of services based outside the country that encrypt users’ data. DeitY expects them all to play ball and offer the government backdoors into their secure data.
By attempting to prescribe a limited set of encryption algorithms and key sizes, the proposal could make things easier for potential attackers: a government-mandated list cannot keep pace with newly discovered weaknesses, leaving service providers and their users locked into ciphers that may already be broken.
With that, the Indian government has once again proven itself to be out of touch with issues of privacy and online security.
Pranesh Prakash, Policy Director at Center for Internet and Society in Bangalore, told The Times of India he found it strange that ‘sensitive departments’ of the government are exempt from the policy. “What the government ought to be doing is setting minimum standards for encryption for governmental use. But here, they are doing the opposite,” he said.
Update: DeitY has released an addendum that exempts “Mass use encryption products, which are currently being used in Web applications, social media sites, and social media applications such as WhatsApp, Facebook, Twitter, etc.”
It’s clearly a ploy to avoid backlash from citizens who will likely hear about the policy in relation to its power to block messaging services and social networks. Unfortunately, all it does is further prove that DeitY’s proposal is poorly thought out.