Experts pick big holes in India’s encryption policy

India’s proposed encryption policy has come under heavy fire with internet experts and online activists alleging that it provides blanket backdoors to law enforcement agencies to access user data, which could be abused by hackers and spies.

The Department of Electronics and Information Technology (DeitY) has asked for public comments on the ‘Draft National Encryption Policy’ on its website until October 16. The stated mission of the policy on encryption, or the practice of scrambling data to make it unintelligible for even the service providers, is to “provide confidentiality of information in cyber space for individuals, protection of sensitive or proprietary information for individuals & businesses, (and) ensuring continuing reliability and integrity of nationally critical information systems and networks”.

However, almost all the experts ET spoke to, while agreeing that a policy for encryption is a welcome move, felt that the policy document in its current form is not well thought-out and makes suggestions that could harm businesses and individuals, and thwart research and development in the field of encryption. The most contentious provision in the draft policy document is perhaps the one requiring businesses and individuals to keep a plain text copy of the data they encrypt for storage and communication, for 90 days, and make it available to law enforcement agencies “as and when demanded in line with the provisions of the laws of the country”.

“The mission of the policy is to promote national security and increase confidentiality of information, but it specifically excludes ‘sensitive departments/agencies’, which most need such protection. The content of the policy shows why they have been excluded: the policy, in fact, decreases security and confidentiality of information,” said Pranesh Prakash, policy director at the Centre for Internet and Society. “If our emails, for example, are required to be kept in plain text rather than in encrypted form, then that makes it easier for hackers and foreign agencies to spy on our government, businesses, and on all Indian citizens,” he said.

Raman Jit Chima, policy director at digital rights organisation Access, said that instead of promoting the use of encryption, the policy draft “appears to seek to heavily regulate encryption and the rules it proposes will likely impede its usage by Indian developers and startups”. “By trying to restrict and weaken the everyday usage of encryption in order to facilitate tapping demands, the everyday communications of all Indians will likely become less secure,” Chima said.

The policy seeks to promote R&D in the field of cryptography by public and private companies, government agencies and academia, but it requires all vendors of encryption products to register their products with the government and re-register when their products are upgraded.

Arun Mohan Sukumar, cyber initiative head at Observer Research Foundation, said, “The government has finally realised the need to protect its communications infrastructure from cyber intrusions. But creating a ‘license raj’ of encrypted products and services, as this draft policy aims to, will only stunt cyber security research.”