The experts at the Department of Electronics and Information Technology (DeitY) have come up with a draft encryption policy that should put some serious fear in your mind if you are a user of messaging apps like WhatsApp, Viber, Hike and others. Not only messaging: if you use any application that relies on a secure method of communication, this encryption policy could really be the nail in the coffin.
The encryption policy was released with a vision to “enable information security environment and secure transactions in Cyber Space for individuals, businesses, Government including nationally critical information systems and networks.” However, the regulations that the policy document comes up with look like they have not been thought through thoroughly. How else can you explain a sentence like this:
“All citizens (C), including personnel of Government / Business (G/B) performing non-official / personal functions, are required to store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country”
What this means is that any message you have sent or received through an app will need to be stored by you, in plaintext, for 90 days. Not doing so may land you in legal trouble!
We could have understood if this requirement applied only to a selected section of society (criminals etc.), but the policy enforces it on each and every individual, which is ridiculous.
And that’s not all. The policy also prescribes various other measures that may not even be possible to implement.
For example, the encryption algorithms, along with exact key sizes, for secure communication between devices in India will be prescribed only by the Government. Vendors and businesses providing such services will need to use those encryption algorithms only, and violating this will attract legal action! Instead, the policy should have only specified how strong the encryption must be, rather than mandating specific algorithms and key lengths.
Apart from this, businesses will also have to keep the encrypted data for a period of 90 days and make it available to law enforcement agencies as and when the demand is made.
All vendors of encryption products need to register their products with the designated agency of the Government. While seeking registration, vendors will need to submit working copies of the encryption software / hardware to the Government, along with professional quality documentation, test suites and execution platform environments.
Overall, the measures proposed in the Draft Encryption Policy are not only difficult to implement, but may also put user privacy at risk.
Check the Draft Encryption Policy here.