Obama administration has decided not to seek a legislative remedy now

FBI Director James Comey told a congressional panel that the Obama administration won’t ask Congress for legislation requiring the tech sector to install backdoors into their products so the authorities can access encrypted data.

Comey said the administration for now will continue lobbying private industry to create backdoors to allow the authorities to open up locked devices to investigate criminal cases and terrorism.

“The administration has decided not to seek a legislative remedy now, but it makes sense to continue the conversations with industry,” Comey told a Senate panel of the Homeland Security and Governmental Affairs Committee on Thursday.

Comey’s comments come as many in the privacy community were awaiting a decision by the administration over whether it would seek such legislation. Many government officials, including Comey himself, have called for backdoors. All the while, there has been intense lobbying by the White House to pressure the tech sector into providing a backdoor. And Congress has remained virtually silent on an issue that resembles the so-called Crypto Wars of the 1990s.

The president’s public position on the topic, meanwhile, has been mixed. Obama had said he is a supporter and “believer in strong encryption” but also “sympathetic” to law enforcement’s need to prevent terror attacks.

The government’s lobbying efforts, at least publicly, appear to be failing to convince tech companies to build backdoors into their products. Some of the biggest names in tech, like Apple, Google, and Microsoft, have publicly opposed allowing the government a key to access their consumers’ encrypted products. All the while, some government officials, including Comey, have railed against Apple and Google for selling encrypted products where only the end-user has the decryption passcode.

According to a letter to Obama from the tech sector:

The government cannot force the tech sector to build encryption end-arounds. The closest law on the books is the Communications Assistance for Law Enforcement Act of 1994, known as CALEA. The measure generally demands that telecommunication companies make their phone networks available to wiretaps.

Obama administration opts not to force firms to decrypt data — for now

After months of deliberation, the Obama administration has made a long-awaited decision on the thorny issue of how to deal with encrypted communications: It will not — for now — call for legislation requiring companies to decode messages for law enforcement.

Rather, the administration will continue trying to persuade companies that have moved to encrypt their customers’ data to create a way for the government to still peer into people’s data when needed for criminal or terrorism investigations.

“The administration has decided not to seek a legislative remedy now, but it makes sense to continue the conversations with industry,” FBI Director James Comey said at a Senate hearing Thursday of the Homeland Security and Governmental Affairs Committee.

The decision, which essentially maintains the status quo, underscores the bind the administration is in — between resolving competing pressures to help law enforcement and protecting consumer privacy.

The FBI says it is facing an increasing challenge posed by the encryption of communications of criminals, terrorists and spies. A growing number of companies have begun to offer encryption in which the only people who can read a message, for instance, are the person who sent it and the person who received it. Or, in the case of a device, only the device owner has access to the data. In such cases, the companies themselves lack “backdoors” or keys to decrypt the data for government investigators, even when served with search warrants or intercept orders.

The decision was made at a Cabinet meeting Oct. 1.

“As the president has said, the United States will work to ensure that malicious actors can be held to account – without weakening our commitment to strong encryption,” National Security Council spokesman Mark Stroh said. “As part of those efforts, we are actively engaged with private companies to ensure they understand the public safety and national security risks that result from malicious actors’ use of their encrypted products and services.”

But privacy advocates are concerned that the administration’s definition of strong encryption also could include a system in which a company holds a decryption key or can retrieve unencrypted communications from its servers for law enforcement.

“The government should not erode the security of our devices or applications, pressure companies to keep and allow government access to our data, mandate implementation of vulnerabilities or backdoors into products, or have disproportionate access to the keys to private data,” said Savecrypto.org, a coalition of industry and privacy groups that has launched a campaign to petition the Obama administration.

To Amie Stepanovich, the U.S. policy manager for Access, one of the groups signing the petition, the status quo isn’t good enough. “It’s really crucial that even if the government is not pursuing legislation, it’s also not pursuing policies that will weaken security through other methods,” she said.

The FBI and Justice Department have been talking with tech companies for months. On Thursday, Comey said the conversations have been “increasingly productive.” He added: “People have stripped out a lot of the venom.”

He said the tech executives “are all people who care about the safety of America and also care about privacy and civil liberties.”

Comey said the issue afflicts not just federal law enforcement but also state and local agencies investigating child kidnappings and car crashes — “cops and sheriffs … [who are] increasingly encountering devices they can’t open with a search warrant.”

One senior administration official said the administration thinks it’s making enough progress with companies that seeking legislation now is unnecessary. “We feel optimistic,” said the official, who spoke on the condition of anonymity to describe internal discussions. “We don’t think it’s a lost cause at this point.”

Legislation, said Rep. Adam Schiff (D-Calif.), is not a realistic option given the current political climate. He said he made a recent trip to Silicon Valley to talk to Twitter, Facebook and Google. “They quite uniformly are opposed to any mandate or pressure — and more than that, they don’t want to be asked to come up with a solution,” Schiff said.

Law enforcement officials know that legislation is a tough sell now. But, one senior official stressed, “it’s still going to be in the mix.”

On the other side of the debate, technology, diplomatic and commerce agencies were pressing for an outright statement by Obama to disavow a legislative mandate on companies. But their position did not prevail.

Daniel Castro, vice president of the Information Technology & Innovation Foundation, said absent any new laws, either in the United States or abroad, “companies are in the driver’s seat.” He said that if another country tried to require companies to retain an ability to decrypt communications, “I suspect many tech companies would try to pull out.”

Risk Analysis, Encryption Stressed in HITECH Act Final Rules

Two final rules for the HITECH electronic health record incentive program strongly emphasize the value of risk assessments and encryption as measures for safeguarding patient information.

A new rule establishing requirements for proving a provider is a “meaningful user” for Stage 3 of the incentive program requires protecting patient data through the implementation of appropriate technical, administrative and physical safeguards and conducting a risk analysis that includes assessing encryption of ePHI created or maintained by a certified electronic health record.

A companion final rule setting 2015 Edition standards for certifying EHR software as qualifying for the program requires the software to be capable of creating hashes using a hashing algorithm with security strength equal to or greater than SHA-2.

The Department of Health and Human Services’ Centers for Medicare and Medicaid Services says the Stage 3 requirements are optional in 2017. Providers who choose to begin Stage 3 in 2017 will have a 90-day reporting period. However, all providers will be required to comply with Stage 3 requirements beginning in 2018 using EHR technology certified to the 2015 Edition requirements.

When it comes to privacy and security requirements included in the final rules, versus what was in the proposed rules, there were “no significant changes, no surprises,” says John Halamka, CIO of Beth Israel Deaconess Medical Center.

Some privacy and security experts, however, point out the rules spotlight the importance of safeguarding electronic protected health information through measures such as risk analysis, encryption and secure data exchange. But some observers criticize HHS for not offering more detailed guidance on risk assessments.

Risk Analysis

While conducting a risk analysis was also a requirement in Stages 1 and 2 of the meaningful use program, the final rule for Stage 3 requires that healthcare providers drill down further by “conducting or reviewing a security risk analysis … including addressing the security – to include encryption – of electronic protected health information created or maintained by certified electronic health record technology … and implement security updates as necessary and correct identified security deficiencies.”

The objective of that requirement is to protect electronic health information through the implementation of “appropriate technical, administrative and physical safeguards,” the rule states. Rulemakers stress assessing the data created or maintained by an electronic health record system, versus conducting a more comprehensive security risk assessment as required under the HIPAA Security Rule.

“Although [HHS’] Office for Civil Rights does oversee the implementation of the HIPAA Security Rule and the protection of patient health information, we believe it is important and necessary for a provider to attest to the specific actions required to protect ePHI created or maintained by CEHRT in order to meet the EHR incentive program requirements,” the rule notes. “In fact, in our audits of providers who attested to the requirements of the EHR Incentive Program, this objective and measure are failed more frequently than any other requirement.

“This objective and measure are only relevant for meaningful use and this program, and are not intended to supersede what is separately required under HIPAA and other rulemaking. We do believe it is crucial that all [eligible healthcare providers] evaluate the impact CEHRT has on their compliance with HIPAA and the protection of health information in general.”

New to the risk analysis requirement is the addition of assessing administrative and technical safeguards. “This measure enables providers to implement risk management security measures to reduce the risks and vulnerabilities identified. Administrative safeguards – for example, risk analysis, risk management, training and contingency plans – and physical safeguards – for example, facility access controls, workstation security – are also required to protect against threats and impermissible uses or disclosures to ePHI created or maintained by CEHRT.”

Missed Opportunity?

HHS should have used the final rule to offer even more helpful guidance about risk assessments, says privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek.

“CMS focused significant attention to the role of risk analysis in safeguarding the privacy and security of health information created or maintained in an EHR,” he says. “However, they missed an important opportunity to … ensure that administrative and physical safeguards requirements of the HIPAA Security Rule are assessed in any security risk analysis.”

To guide healthcare providers, including smaller doctors’ offices, in conducting the Stage 3 risk analysis, the rule makes note of free tools and resources available to assist providers, including a Security Risk Assessment Tool developed by ONC and OCR.

But the use of that tool is daunting for some smaller healthcare entities, contends Keith Fricke, principal consultant at consulting firm tw-Security.

“The SRA tool is too overbearing for any organization to use, let alone small healthcare organizations, including small provider offices,” he says.

Secure Data Exchange

Besides a renewed focus on risk analysis, other privacy- and security-related enhancements in the meaningful use Stage 3 final rule include an emphasis on encryption and secure messaging.

“More than half of the objectives in Stage 3 starting in 2017 require EHRs to have interoperable exchange technology that is encrypted and offered to relying parties with strong identity assurance,” said David Kibbe, M.D., CEO of DirectTrust, which created and maintains a framework for secure e-mail in the healthcare sector.

“DirectTrust’s work can and will be relied upon for multiple Stage 2 and 3 objectives and criteria announced by CMS in the new rule,” he says.

For instance, secure electronic messaging to communicate with patients on relevant health information is an objective in Stage 3, with a series of measurements.

Software Certification Rule

While privacy and security are woven through the final rule for Stage 3 of the meaningful use program for healthcare providers, HHS’ Office of the National Coordinator for Health IT also raised the bar on requirements in the final rule for 2015 Edition health IT software certification. That includes phasing in requirements for more robust hashing algorithms.

“Given that the National Institute of Standards and Technology, technology companies, and health IT developers are moving away from SHA-1, we believe now is the appropriate time to move toward the more secure SHA-2 standard,” ONC wrote in its rulemaking.

The rule also states: “We note that there is no requirement obligating health IT developers to get their products certified to this requirement immediately, and we would expect health IT developers to not begin seeking certification to this criterion until later in 2016 for implementation in 2017 and 2018. We further note that certification only ensures that a health IT module can create hashes using SHA-2; it does not require the use of SHA-2. For example, users of certified health IT may find it appropriate to continue to use SHA-1 for backwards compatibility if their security risk analysis justifies the risk.”

Some other safeguard features, such as data segmentation for privacy of sensitive health information, are included in the software certification rule as optional, Halamka notes. “That’s appropriate for immature standards,” he says.

Public Input

CMS is continuing to seek public comment on the “meaningful use” rule for 60 days. This input could be considered by CMS for future policy developments for the EHR incentive program, as well as other government programs, the agency says.

However, this additional public comment period could become problematic, Holtzman contends. “The adoption of the changes in the objective and measures as a ‘final rule with comment’ could cause delays in EHR vendors and developers in producing upgrades to their technology. The uncertainty in that CMS could make further changes in the months ahead might encourage these industry partners to hold off in their production process.”

CHK File Recovery Has Been Updated to Version 1.09

CHK File Recovery is a recovery tool specialized in recovering CHK files quickly and easily, and it has recently been updated to version 1.09. In this new version, we fixed a bug that prevented one file type from being identified, and we added one recoverable file type.

Change Log of CHK File Recovery 1.09:

File Name: CHK File Recovery

Version: 1.09

File Size: 2.64MB

Category: CHK File Recovery Software

Language: English

License type: Trial Version

OS Support: Win2000/XP/VISTA/Win 7/Win 8

Released on: Sept. 30, 2015

Download Address: http://www.dogoodsoft.com/chk-file-recovery/free-download.html

What’s New in This Version:

* Improved the accuracy of judgement on Office file types.

+ Added 55 recoverable file types.

Why Choose CHK File Recovery:

CHK File Recovery is an excellent recovery tool specialized in recovering CHK files in a quick and easy way. CHK File Recovery can accurately and quickly recover more than 180 common file types, such as mp3, mp4, jpg, bmp, gif, png, avi, rm, mov, mpg, wma, wmv, doc, docx, xls, xlsx, ppt, pptx, zip, rar, exe, dll, sql, mdb, psd.

CHK File Recovery can determine file type automatically by default. However, for file types that cannot be recognized automatically, manual identification is used to confirm file type, which can check the content of an unknown file through 4 methods and recover it afterwards.

The interface of CHK File Recovery is simple and clear. It is easy to use. You only need to select a drive and click Search, then CHK File Recovery starts to scan the whole drive automatically. Afterwards, the CHK files found are shown in the list at the left of the application by their original file type. Besides, you can choose to search and scan a folder you specify.

National Encryption Policy: Not just privacy, but also feasibility and security are at risk

Encryption is an important aspect that governs not just communications but also storage. When data is in motion, several methods and protocols facilitate end-to-end encryption:

1. VPN

2. Remote Server Connectivity viz. RDP, SSH

3. Internet based Voice/ Messaging Communications

4. email communication

5. Communications between Wearables and their Host devices

6. Web-Services providing encryption services viz. Etherpad, Gist

However, when it concerns data at rest, i.e. data stored on disk, there are numerous scenarios which fall under the purview of encryption:

1. On the Fly Disk Encryption which may also include the entire OS

2. Password protection of files

3. email Message Encryption

4. Full disk-encryption by Smartphones

Recently, the Government of India released its Draft National Encryption Policy and, within 24 hours of releasing it, withdrew it, with a promise that the policy will be re-drafted and re-released.

In these 24 hours, all those involved in IT security in the Indian Internet security forum took up the cause of protecting user privacy, reprimanding the government for the ill-conceived draft of the National Encryption Policy. Their efforts forced the government to revoke the draft proposal and contemplate a better one.

According to the draft, the B2B, B2C and C2B sectors shall use encryption algorithms and key sizes as prescribed by the government. Moreover, according to the draft:

“On demand, the user shall be able to reproduce the same Plain text and encrypted text pairs using the software/ hardware used to produce the encrypted text from the given plain text. Such plain text information shall be stored by the user/ organization/ agency for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country.”

Furthermore, the draft also issued guidelines for communication with a foreign entity: “the primary responsibility of providing readable plain-text along with the corresponding Encrypted information shall rest on entity (B or C) located in India.”

The draft policy requires service providers, irrespective of their country of origin, to enter into an agreement with the Government of India, and the consumers of these services (Government/ Business/ Citizens) are expected to provide the plain-text/encrypted datasets.

The question is not why, but how it would be technically feasible for a customer to maintain this information, given that encryption was used to secure the data from rogue entities in the first place. Storing anything in plain text for any period of time defeats the entire purpose of using encryption, with the sole solace that the channel used for transmission of the data is secured. The draft sets very high and impossible-to-achieve expectations: every citizen and organization, irrespective of their field of expertise, is expected to know the internal workings of these third-party applications and, at the same time, to know how to maintain the two different data-sets.

Furthermore, the draft also requires anything that has been encrypted by an individual, be it personal documents or communication between two individuals, which interestingly is considered a private affair by the rest of the world, to be made available for scrutiny as and when demanded.

Expecting a consumer of various services, whether that consumer is an organization or an individual, to understand the internal functionality of each and every service or piece of software and to take a conscious decision to maintain the two separate data-sets is simply not feasible.

Even though the government issued a clarification exempting the following from the draft:

1. The mass-use encryption products currently being used in web applications, social media sites and social media applications such as WhatsApp, Facebook, Twitter etc.

2. SSL/TLS encryption products being used in Internet banking and payment gateways as directed by the Reserve Bank of India

3. SSL/TLS encryption products being used for e-commerce and password-based transactions

it still raises quite a few eyebrows, especially about the intention behind the drafting of this National Encryption Policy. Not just privacy, but also feasibility and security are at risk.

The argument until now has been about data which resides on your disk; applying these very standards to encrypted communication channels and services, what can we say? One word summarizes it all: “Impossible”. Over-the-network encryption like VPN or SSH, or to put it simply cloud-based services of any type, which lately have made inroads into our lives, would be rendered useless and their very existence in India put at risk, not just because it would be mandatory for all of them to enter into an agreement with the Government of India, but because the consumers of these services would also have to maintain a separate copy of the content.

Applications and service providers who offer secure messaging, i.e. encrypting voice channels or self-destructing messages in order to provide better privacy and discourage eavesdropping, would in all probability get banned or might have to remove these features so as to cater to an Indian audience. Over and above that, how do the policy-makers expect consumers to comply?

What happens when a person from a different country uses these services in India? Wouldn’t this person be violating the Indian Law and in all probability be considered a criminal?

The draft also requires all the stakeholders to use Symmetric Cryptographic/Encryption products with AES, Triple DES and RC4 encryption algorithms and key sizes up to 256 bits.

Way back in 2011, Microsoft researchers discovered a way to break AES-based encryption; Triple DES is considered weak, while RC4 is simply not acceptable as an encryption algorithm to any organization. These are age-old encryption algorithms and are never or rarely considered when organizations are drawing up their own encryption policies.

In this age of competition, organizations have their own trade secrets to be guarded, not just from competitors but also from rogue governments. A weakened encryption scheme and mandatory storage of encrypted data in its plain-text form is nothing less than committing hara-kiri for these organizations. Moreover, by way of an agreement, the draft expects the software and hardware vendors to comply with these encryption restrictions, thereby weakening the overall security of India’s IT infrastructure.

A National Encryption Policy should be about setting minimum encryption standards for data protection, penalizing organizations and institutions for not implementing high encryption standards, and protecting data from pilferage and leakage.

Encryption policy has always had a direct impact on the privacy of an individual, and when encryption is used by corporations and organizations, it affects their business and trade secrets; hence the Government should also consider the various means and ways of implementing and strengthening the non-existent privacy laws.

As we have been promised that the policy would be re-drafted, let us keep our fingers crossed and hope that better sense prevails.

Data encryption policy blamed on lack of talent, key changes: Report

The whole draft encryption policy episode has left netizens with a bitter-sweet taste. And now, the blame game has begun.

Soon after the government retracted the policy and said it was simply wrongly worded, which led to the confusion, it blamed a junior scientist for the fiasco. An official told The Economic Times that ‘you think anything in the government moves without due procedure? All I can tell you is that all rules and regulations were followed.’

The report adds that some officials said the junior officer didn’t seek the advice of higher-ups, while others said they were out of the country.

Citing an official of a Big Four consultancy firm who didn’t want to reveal his identity, the report adds that DeitY has undergone several changes and this could have affected the function and decision making.

The post of director general of the National Informatics Centre (NIC), which is responsible for managing the technology of the entire government machinery, has been vacant for more than a year now. However, a senior officer said there are many competent people who can take on additional responsibilities.

The government had released a draft encryption policy aimed at keeping tabs on the use of technology by specifying the algorithms and the length of encryption keys used by ‘all’. It wanted businesses, telcos and Internet companies to store all encrypted data for 90 days in plain text, to be presented to law enforcement agencies whenever asked. Moreover, failing to do so would mean legal action as per the laws of the country.

After a huge outcry, the government put out an addendum clarifying the exempted products such as social media sites including WhatsApp, Facebook and Twitter; payment gateways; e-commerce and password based transactions and more from the draft policy. The outcry finally led the government to withdraw the draft policy.

Draft encryption policy: Frequent changes in key positions & talent crunch in DeitY led to the debacle

As the blame game for the fiasco created by the draft National Encryption Policy plays out, experts are asking if frequent changes in key positions and a talent crunch in the Department of Electronics and Information Technology (DeitY) led to the debacle.

After the government held a junior scientist responsible, officers in the department are now pointing fingers at each other, while maintaining all along that due procedure was followed.

“You think anything in the government moves without due procedure? All I can tell you is that all rules and regulations were followed,” said an official who requested anonymity. The draft policy, which proposed that social media text messages be stored for scrutiny by the government, was withdrawn after a public outcry.

Another set of officials alleged that the junior officer did not seek the advice of higher-ups before making the policy public. Some officials said they were out of the country when the policy was released online and others said they were not involved in framing it, laying the blame squarely on the junior official.

The episode has led experts to ask whether organisational instability in DeitY over the past few months led to the embarrassment. The department, which is part of the Ministry of Communications and IT, has the mandate of running the government’s ambitious Digital India project. However, several key posts have been lying vacant for many months. DeitY has also seen several changes, including that of the secretary, additional secretary and joint secretary, over the last one month.

“Unfortunately, DeitY has gone through a number of changes very frequently. Every change affects function and decision making,” said an official of a Big Four consultancy firm, who requested not to be identified.

While the position of the director general of the National Informatics Centre (NIC), which manages technology of the entire government machinery, has been lying vacant for over a year, the key post of director general of the Computer Emergency Response Team (CERT) has not been filled after Gulshan Rai was appointed national cyber security chief under the PMO in March.

CERT is responsible for warding off and fighting cyber attacks. While ministry officials have been given additional charge of these positions, it may be adding to instability and workloads. The nodal officer for the encryption policy is supposed to be the group coordinator for cyber law, but there is confusion in the ministry over who holds that post after Rai moved to the PMO.

Even the National e-Governance Division and the Controller of Certifying Authorities have been run by acting chiefs for months now. Appointments to the positions of additional secretary (e-governance) and joint secretary (electronics) are also awaited.

“Though vacancies and frequent changes are routine in the government, the secretary, additional secretary and joint secretary, all in charge of the same function – e-governance – should not have been changed at the same time, especially with all the focus on Digital India,” said another technology consultant. The person added that because of these vacancies, several key initiatives such as restructuring of NIC have been stuck.

Ministry officials, while conceding that there are vacancies, countered by saying that business in the government never stops. “There are lots of competent people in the department to take on additional responsibilities,” said a senior official of the department.

The first consultancy official said there is a vacuum in the department in terms of the second rung of leadership.

Encryption policy poorly worded by officer: Telecom Minister Ravi Shankar Prasad

The government has blamed a junior official, a scientist, for the encryption policy fiasco, saying he was responsible for the poor and confusing wording of the document and failed to seek advice from his higher-ups before making it public.

Several officials in the communications and IT Ministry that ET spoke to admitted that the timing of the release of the draft policy, just before Prime Minister Narendra Modi’s US visit, couldn’t have been worse, prompting its immediate withdrawal.

Speaking exclusively to ET, telecom minister Ravi Shankar Prasad, however, blamed poor wording for his directing the withdrawal of the policy, which gave the impression that subscribers could become legally liable to store messages exchanged through WhatsApp, Facebook and Google, among other social media platforms, for up to 90 days, and produce them before authorities if asked. The intent of the government was to make the social media and messaging companies liable to store information for the 90-day period.

“I read the draft. I understand that the manner in which it is written can lead to misconceptions. I have asked for the draft policy to be withdrawn and reworded,” Prasad said. “There was a misuse of word ‘users’ in the draft policy, for which the concerned officer has been taken to task.”

He explained that the wrong use of the phrase ‘users of encryption’ instead of ‘creators of encryption’ had led to all the confusion. Prasad added that the ‘scientist’, who was part of the expert committee under the Department of Electronics and Information Technology (DeitY), was responsible for the confusion. The expert panel had been tasked with framing a national policy on encryption, which is crucial to the national policy on cyber security.

Internally, senior officials in the ministry admitted the timing of the draft policy release was all wrong with Modi set to travel to the US and meet, among others, Facebook CEO Mark Zuckerberg and other tech giants as well as many from the Indian diaspora.

“This is bad timing for sure. Modi would surely have faced very uncomfortable questions at what is expected to be a very high-profile visit,” one of the officials told ET. Another official said the official tasked with coordinating and putting the policy together should have shown it to the joint secretary, the secretary or someone in the minister’s office before releasing it for public consultation. “This is the basics, especially for something which could be controversial. But it was messed up,” he said, adding that reworking the policy and putting it in the public domain could take around three weeks.

On Tuesday the government was forced to withdraw the controversial draft encryption policy just over 12 hours after making it public, after it came under severe criticism, especially on social media, for seeking to make individuals legally bound to retain personal chats and messages on social networking sites for 90 days and provide them to law enforcement authorities if asked.

The draft policy was met with severe criticism citing invasion of privacy, forcing DeitY to clarify within a few hours on Monday that chats on popular social networking sites like WhatsApp and Facebook were exempted. On Tuesday it withdrew the draft in its entirety.

Prasad urged citizens not to misunderstand the policy. “Firstly this is a draft policy not the final policy and we have sought the comments of all stakeholders. There has always been a need for a policy on encryption given the spurt in online transactions through net banking, ecommerce, and so on,” Prasad said.

“However, no attempt will ever be made to jeopardize the rights of netizens and this government’s commitment to social media and the rights of netizens is unwavering,” he added. Dismissing speculation that the government had withdrawn the policy owing to severe media backlash or political pressure, Prasad said the country needed a robust encryption policy for security reasons.

One of the officials cited above said that the essence of the reworked draft policy will remain the same, but it will be reworded. “The final policy could also require the companies to set up servers in India,” he added.

According to sources, the Intelligence Bureau (IB) had demanded that the government make it mandatory for all companies to keep data for up to one year, but the ministry of communications and IT had brought it down to 90 days.

The policy seeks to require all creators of ‘encryption codes’ to register with the government. Secondly, the department of IT will from time to time notify standardized algorithms which companies may use. “We will only standardize the algorithms based on global practices; the formula of encryption codes will remain with the creators only,” the official said.

At present, an internet service provider licence allows encryption with key lengths of only up to 40 bits, but banks, e-commerce companies and communication services use much longer keys.

National Encryption Policy: Government Issues Clarification on WhatsApp, Social Media

The government issued an addendum clarifying that “mass use encryption products, which are currently being used in web applications, social media sites, and social media applications such as WhatsApp, Facebook, Twitter etc.” are exempt from the policy. While that language is vague in itself, you can rest easy without needing to worry about having to store your WhatsApp messages for 90 days. The original text continues below.

The DeitY has posted a draft National Encryption Policy on its website inviting comments from the public on its mission, strategies, objectives, and regulatory framework, which you can send to akrishnan@deity.gov.in, until 16th October 2015. A lot of the details mentioned in the draft guidelines are worrying, and this is a topic that concerns every consumer.

While the draft encryption policy’s preamble starts by talking about improving e-governance and e-commerce through better security and privacy measures, it very quickly brings up national security as well, and that’s where things get worrying from a consumer’s perspective. It’s very reminiscent of when the Indian government was thinking about banning BBM in India unless BlackBerry (then Research in Motion) gave security agencies access to snoop on emails. The two would eventually reach an arrangement that allowed the government to intercept email.

The language of the new draft policy is quite clear on one thing – businesses and consumers may use encryption for storage and communication, but the encryption algorithms and key sizes will be prescribed by the Indian government. What’s more, vendors of encryption products would have to register in India (with the exception of mass use products, such as SSL), and citizens are allowed to use only the products registered in India.
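The 40-bit ceiling in the ISP licence mentioned earlier, and the idea of a government-prescribed algorithm and key size, both come down to one question: how long does it take an attacker to try every key? The following Python script is an added example, not code from either article or from any product or policy they describe. It implements a toy keystream cipher (SHA-256 over key and counter, standing in for the 40-bit export ciphers of the 1990s; the cipher and the sample message are constructed for the demo), limits the key to a chosen number of effective bits, recovers the key by known-plaintext exhaustive search, and extrapolates the measured rate to 40-bit and 128-bit key spaces. Function names and the `restricted_key` construction are this example's own.

```python
"""Known-plaintext exhaustive key search against a short-key cipher.

Added example, not from the articles above. The cipher is a toy SHA-256
keystream (a stand-in for the 40-bit export ciphers, not any product named
in the text); the point is that any cipher whose real key space is 2**40 is
broken by enumeration, whatever the algorithm. Standard library only.
"""
import hashlib
import os
import time

KEY_FIELD_BYTES = 16  # the cipher accepts a 128-bit key field


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: keystream block i = SHA-256(key || i)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream; decryption is the same operation."""
    return xor_bytes(plaintext, keystream(key, len(plaintext)))


decrypt = encrypt


def restricted_key(secret: int, effective_bits: int) -> bytes:
    """'Licence-compliant' key: a 128-bit field in which only the low
    effective_bits vary, so the real key space is 2**effective_bits."""
    return (secret & ((1 << effective_bits) - 1)).to_bytes(KEY_FIELD_BYTES, "big")


def brute_force(known_plaintext: bytes, ciphertext: bytes, effective_bits: int):
    """Recover the keystream prefix from one plaintext/ciphertext pair, then
    try every key in the restricted space until one reproduces that prefix.
    Returns (key_bytes, keys_tried); key_bytes is None if nothing matched."""
    target = xor_bytes(known_plaintext, ciphertext)
    for candidate in range(1 << effective_bits):
        key = candidate.to_bytes(KEY_FIELD_BYTES, "big")
        if keystream(key, len(target)) == target:
            return key, candidate + 1
    return None, 1 << effective_bits


def seconds_to_search(bits: int, keys_per_second: float) -> float:
    """Worst-case wall-clock time to enumerate a `bits`-bit key space."""
    return (2 ** bits) / keys_per_second


def demo(effective_bits: int = 20) -> dict:
    """Encrypt a constructed message under a key with `effective_bits` of
    entropy, recover the key from a 16-byte known-plaintext prefix (think of
    a predictable protocol header), and extrapolate the measured rate."""
    secret = int.from_bytes(os.urandom(8), "big")
    key = restricted_key(secret, effective_bits)
    message = b"Transfer INR 50,000 to account 1234567890"  # constructed sample
    ct = encrypt(key, message)

    t0 = time.perf_counter()
    found, tried = brute_force(message[:16], ct[:16], effective_bits)
    elapsed = max(time.perf_counter() - t0, 1e-9)
    rate = tried / elapsed

    return {
        "key_recovered": found == key,
        "recovered_plaintext": decrypt(found, ct) if found else None,
        "keys_tried": tried,
        "keys_per_second": rate,
        "days_for_40_bit": seconds_to_search(40, rate) / 86400,
        "years_for_128_bit": seconds_to_search(128, rate) / (86400 * 365),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

At 20 effective bits the search finishes in a few seconds in CPython. The extrapolation is the point: at about a million keys per second on one core, 2^40 is roughly 12.7 days, and purpose-built hardware tries billions of keys per second, so a 40-bit limit protects nothing against a determined adversary, while 2^128 at the same rate is on the order of 10^25 years. The rate measured here is that of this Python toy, not of RC4 or AES; real brute-force rates against real ciphers are far higher, which only strengthens the conclusion.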

“Would OpenPGP, a commonly-used standard for encryption of email, fall under ‘mass use’?” asks Pranesh Prakash, Policy Director at the Centre for Internet and Society, speaking to Gadgets 360. “Because if it doesn’t, I am prohibited from using it. But if it does, I am required to copy-paste all my encrypted mails into a separate document to store it in plain text, as required by the draft policy. Is that what it really intends? Has the government thought this through?”

Most people don’t explicitly use encryption, but it’s built into apps they use every day. Do the draft guidelines also extend to products and services with built-in encryption, like WhatsApp? If yes, and the language certainly suggests they do, then combine that with the government’s requirements for its citizens, as proposed in the draft guidelines, and we could have very worrying scenarios.

The draft guidelines read “All citizens (C), including personnel of Government/ Business (G/B) performing non-official/ personal functions, are required to store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country.”

WhatsApp messages are now encrypted end-to-end. So do the draft guidelines mean you have to store a copy of all your WhatsApp messages for 90 days? What about Snapchat? Or any other form of ephemeral messaging that is automatically deleted after being read? The consumer is expected to maintain plain text copies of all communications for 90 days, so that these can be produced if required by the laws of the land; so will it even be legal to read a message that deletes itself, if and when the draft guidelines become law?

The draft policy document states that the vision is to create an information security environment and secure transactions. But the actual details mentioned in the draft appear to do the opposite, and focus more on limiting encryption to technologies that could likely be intercepted by the government when required.

This is in many ways similar to the Telecom Regulatory Authority of India’s draft letter on Net Neutrality, which instead talked about issues like cyberbullying and ‘sexting’. In the feedback period, Trai received over 1 million emails, but the Department of Telecom report on Net Neutrality also went against public sentiment on certain things, suggesting that telcos should be allowed to charge extra for specific services, such as Skype or WhatsApp voice calls in India, showing that calls for feedback aren’t necessarily being taken seriously.

And, with the draft National Encryption Policy, another problem that is shared with the Net Neutrality discussions, is the use of vague language. The result is that there is very little clarity at this point on what will and will not be permitted by the government if the draft guidelines are adopted. We’re living in a time when the government talks about how WhatsApp and Gmail may be used by “anti-national elements”, and even considered requiring Twitter and Facebook to establish servers in India.

With that in mind, you have to ask, will it be even legal to use WhatsApp if these guidelines are implemented? After all, WhatsApp messages have end-to-end encryption and if this service does not register in India, and comply with the algorithms prescribed by the government, then as a citizen of India, you won’t be allowed to use it because “users in India are allowed to use only the products registered in India,” as per the draft guidelines.

These are questions that don’t just affect a few people, but just about every Indian who is using the mobile Internet. In its present form, the draft actually severely limits what you can do online, and could hobble the push for a digital India. There’s almost a full month to give our feedback, but is anyone listening?

Best Disk Lock Has Been Updated to Version 2.60

Best Disk Lock, which can completely hide disk partitions, has been updated to version 2.60. This version improves the stability of the advanced disk lock, adds a check for disks that are unsuitable for locking before a lock is applied, and fixes a bug that caused an error during software uninstallation.

Change Log of Best Disk Lock 2.60:

File Name: Best Disk Lock

Version: 2.60

File Size: 3.38MB

Category: System Security Software

Language: English

License type: Trial Version

OS Support: Win2000/XP/VISTA/Win 7/Win 8

Released on: Sept.21, 2015

Download Address: http://www.dogoodsoft.com/best-disk-lock/free-download.html

What’s New in This Version:

* Improved the stability of the advanced disk lock.

+ Added a check for disks unsuitable for locking when locking disks.

– Fixed a bug that caused an error during software uninstallation.

Why Choose Best Disk Lock:

Best Disk Lock is a utility that hides disk partitions and CD-ROM drives on your PC, and disables USB storage devices or sets them as read-only. According to the vendor, a hidden partition cannot be found in any environment by anyone else, which is how it claims to ensure the security and confidentiality of the data on that partition. Note that the listing describes hiding and access restriction, not encryption: it makes no claim that the partition contents are encrypted, so a practitioner should not treat a hidden partition as equivalent to an encrypted one.