Following a storm of protest, the Indian government has withdrawn its ill-conceived draft National Encryption Policy proposals within 24 hours of their publication. Telecoms minister Ravi Shankar Prasad explained the move:
“I personally feel that some of the expression used in the draft are giving rise to uncalled-for misgivings. Therefore, I have written to DeitY to withdraw that draft, rework it properly and thereafter put in the public domain.”
Like many governments, that of Prime Minister Narendra Modi is worried about the rise of secure end-to-end encrypted apps such as WhatsApp, Google Hangouts, and iMessage. Because these apps encrypt and decrypt users’ communications on their phones and computers, with messages stored locally and not on any central servers, the Indian government has become alarmed by its inability to access this data.
The draft National Encryption Policy was aimed at overcoming this problem by effectively undermining all meaningful encryption. The proposals included:
- That all citizens who use encryption “shall reproduce the same Plain text and encrypted text pairs using the software/hardware used to produce the encrypted text from the given plain text. All information shall be stored by the concerned B/C (business/citizen) entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country.” Deleting messages or refusing to hand over key pairs to the government when requested could result in jail terms.
- Foreign companies should comply with Indian laws, store communications in plain text, and provide the Indian government with access to them.
- E-commerce websites should keep transaction details in plaintext for 90 days.
- “Encryption algorithms and key sizes will be prescribed by the Government.”
These proposals would have made using many encrypted products and services effectively illegal, and would have made encryption so weak, and data so vulnerable to hacking, as to be pointless. Furthermore, the draft did not answer the practical question of how such rules could be enforced, whether on international companies (over 80 percent of Internet users in India regularly use overseas services such as Facebook, Gmail and Skype) or on private citizens.
Unsurprisingly, public and industry reaction to the proposals was highly critical, leading to their rapid withdrawal. It is likely, however, that amended proposals will be pushed through by the government at some point in the future, and although these might attempt to tackle the most glaring problems in the aborted draft, we don’t hold much hope of the government changing its basic misguided stance towards encryption.