encryption policy – DoGoodSoft's Official Blog

Users’interest should drive encryption policy: IAMAI

Encryption is a fundamental and necessary tool to safeguard digital communication infrastructure but the interests of Internet users should be foremost in framing any policy, the Internet and Mobile Association of India (IAMAI) said here on Tuesday.

“Trust, convenience and confidence of users are the keywords to designing an ideal encryption policy that will help in getting more people online with safe and secured internet platforms,” said IAMAI president Subho Ray.

The association, which has published a discussion paper on encryption policy, suggests that a broad-based public consultation with all stakeholders including users groups should precede making of an encryption policy.

According to the paper, the foundation of a user centric encryption policy consists of freedom of encryption, strong encryption base standard, no plaintext storage and mandatory legal monitoring or no backdoor entry.

An essential element in the suggestion that support for strong encryption is critical to counter cyber security issues around the globe, but also pitches for the importance of freedom of encryption for the users, organisations and business entities.

Data encryption policy blamed on lack of talent, key changes: Report

The whole draft encryption policy episode has left netizens with a bitter-sweet taste. And now, the blame game has begun.

Soon after the government retracted the policy and said it was simply wrongly worded which led to the confusion, it has blamed a junior scientist for the fiasco. An official now told The Economic Times that ‘you think anything in the government moves without due procedure? All I can tell you is that all rules and regulations were followed.’

The report adds that some officials said that the junior officer didn’t seek advice of higher-ups while some other said they were out of the country.

Citing an official of a Big Four consultancy firm who didn’t want to reveal his identity, the report adds that DeitY has undergone several changes and this could have affected the function and decision making.

Director general of the National Informatics Centre (NIC) responsible to manage the technology of the entire government machinery has been vacant for more than a year now. However, a senior officer said there are many competent people who can take on additional responsibilities.

The government had released a draft encryption policy aimed at keeping a tab on the use of technology by specifying algorithms and length of encryption keys used by ‘all’. It wanted businesses, telcos and Internet companies to store all encrypted data for 90 days in plain text which should be presented before the law enforcement agencies whenever asked to. Moreover, failing to do so would mean legal action as per the laws of the country.

After a huge outcry, the government put out an addendum clarifying the exempted products such as social media sites including WhatsApp, Facebook and Twitter; payment gateways; e-commerce and password based transactions and more from the draft policy. The outcry finally led the government to withdraw the draft policy.

Encryption policy poorly worded by officer: Telecom Minister Ravi Shankar Prasad

The government has blamed a junior official – a scientist — for the encryption policy fiasco, saying he was responsible for the poor and confusing wording of the document and failed to seek advice from his higher ups before making it public.

Several officials in the communications and IT Ministry that ET spoke to admitted that the timing of the release of the draft policy – just before Prime Minister Narendra Modi’s US visit — couldn’t have been worse, prompting its immediate withdrawal.

Speaking exclusively to ET, telecom minister Ravi Shankar Prasad, however, blamed poor wording for directing withdrawal of the policy, which gave an impression that subscribers could become legally liable to store messages exchanged throug WhatsApp, Facebook and Google among other social media platforms for up-to 90 days, and produce them before authorities if asked. The intent of the government was to make the social media and messaging companies liable to store information for the 90 day period.

“I read the draft. I understand that the manner in which it is written can lead to misconceptions. I have asked for the draft policy to be withdrawn and reworded,” Prasad said. “There was a misuse of word ‘users’ in the draft policy, for which the concerned officer has been taken to task.”

He explained that the wrong use of the phrase ‘users of encryption’ instead of ‘creators of encryption’ had led to all the confusion. Prasad added that the ‘scientist’, who was part of the expert committee under the Department of Information and Technology (Dei-TY), was responsible for the confusion. The expert panel had been tasked with framing of a national policy on ‘encryption’ which is crucial for the national policy on cyber security.

Internally, senior officials in the ministry admitted the timing of the draft policy release was all wrong with Modi set to travel to the US and meet, among others, Facebook CEO Mark Zuckerberg and other tech giants as well as many from the Indian diaspora.

“This is bad timing for sure. Modi would have surely have faced very uncomfortable questions at what is expected to be very high profile visit,” one of the officials told ET. Another official said the official tasked with coordinating and putting the policy together should have shown either the joint secretary, secretary or someone in the minister’s office before releasing it for public consultation. “This is the basics, especially for something which could be controversial.

But it was messed up,” he said, adding that reworking the policy and putting it in the public domain could take around three weeks.

The government Tuesday was forced to withdraw the controversial ‘draft encryption policy’ just over 12 hours after making it public after it came under severe criticism, especially on social media, for its move to make individuals legally bound to retain personal chats/messages on social networking sites for 90 days and provide to law authorities, if asked.

The draft policy was met with severe criticism, citing invasion of privacy, forcing DeiTY to clarify within a few hours on Monday that chats on popular social networking sites like Whatsapp and Facebook were exempted. And Tuesday it withdrew it in its entirety.

Prasad urged citizens not to misunderstand the policy. “Firstly this is a draft policy not the final policy and we have sought the comments of all stakeholders. There has always been a need for a policy on encryption given the spurt in online transactions through net banking, ecommerce, and so on,” Prasad said.

“However, no attempt will ever be made to jeopardize the rights of netizens and this government’s commitment to social media and the rights of netizens is unwavering,” he added. Dismissing speculation that the government had withdrawn the policy owing to severe media backlash or political pressure, Prasad said the country needed a robust encryption policy for security reasons.

One of the officials cited above said that the essence of the reworked draft policy will remain same, but it will be reworded. “The final policy could also require the companies to set up servers in India,” he added.

According to sources, the Intelligence Bureau (IB) had demanded that government make it mandatory for all the companies to make keep data for up-to one year, but the ministry of communications and IT had brought it down to just 90 days.

The policy seeks to bring all creators of ‘encryption codes’ to register with the government. Secondly the department of IT will from time to time notify standardized algorithms which could be used by companies. “We will only standardize the algorithms based on global practices, the formula of encryption codes will remain with the creators only,” the official said.

At present, an internet service provider licence allows for encryption of only up-to 40 bits but banks, e-commerce companies and communication services use much higher levels of encryption codes.