National Encryption Policy: Not just privacy, but also feasibility and security are at risk

National Encryption Policy: Not just privacy, but also feasibility and security are at risk

Encryption is an important aspect which governs not just the communications but also the storage. When data is in motion there are some methods/ protocols which facilitate end-to-end encryption:

1. VPN

2. Remote Server Connectivity viz. RDP, SSH

3. Internet based Voice/ Messaging Communications

4. email communication

5. Communications between Wearables and their Host devices

6. Web-Services providing encryption services viz. Etherpad, Gist

However, when it concerns data at rest ie. data stored on the disk, there are numerous scenarios which fall under the purview of encryption:

1. On the Fly Disk Encryption which may also include the entire OS

2. Password protection of files

3. email Message Encryption

4. Full disk-encryption by Smartphones

Recently, Government of India released its version of Draft for National Encryption Policy and within 24 hours of releasing it, they have withdrawn it, however with a promise the policy will be re-drafted and re-released.

In these 24 hours, all those involved in IT security of the Indian Internet Security forum took up the cause of protecting user privacy, reprimanding the government for ill conceived draft of National Encryption Policy. Their efforts resulted in forcing the government to revoke the draft proposal and contemplate on a better proposal.

According to the draft, B2B/ B2C and C2B, sector shall use encryption algorithms and key sizes as prescribed by the government, moreover, according to the draft:

“On demand, the user shall be able to reproduce the same Plain text and encrypted text pairs using the software/ hardware used to produce the encrypted text from the given plain text. Such plain text information shall be stored by the user/ organization/ agency for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country.”

Furthermore, the draft also issued guidelines for communication with foreign entity, “the primary responsibility of providing readable plain-text along with the corresponding Encrypted information shall rest on entity (B or C) located in India.”

The draft policy requires service providers whether irrespective of their country of origin to enter into an agreement with the Government of India and the consumers of these services (Government/ Business/ Citizens) are expected to provide the pain-text/encrypted datasets.

The question is not why, but how would it be technically feasible for a customer to maintain this information, given the fact that encryption was used to secure the data from rogue entities. Storing anything in plain-text for any amount of period, defeats the entire purpose of using encryption except with a solace that the channel used for transmission of data is secured. The draft has set very high and impossible to achieve expectations from every citizen and organization, irrespective of their field of expertise to have knowledge about the internal working of these third party applications, also at the same time they are expected to have knowledge about maintaining the two different data-sets.

Furthermore, the draft also requires anything that has been encrypted by an individual be it his personal documents or communication between two individuals, which interestingly is considered to be a private affair by the rest of the world, to be made available for scrutiny as and when demanded.

Expecting a consumer of various services, irrespective of the fact whether the consumer is an organization or an individual, to understand the internal functionality of each and every service / software and take a conscious decision of maintaining the two separate data-sets is simply not feasible and virtually impossible.

Even though a clarification was issued by the government that

The mass use encryption products, which are currently being used in web applications, social media sites, and social media applications such as Whatsapp, Facebook, Twitter etc.
SSL/TLS encryption products being used in Internet-banking and payment gateways as directed by the Reserve Bank of India
SSL/TLS encryption products being used for e-commerce and password based transactions.

It still raises quite a few eyebrows especially about the intention of the drafting of this National Encryption Policy. Not just the privacy, but also the feasibility and the security are at risk.

The argument until now was about data which resides on your disk, and using these very standards what can we say about the encrypted communication channels/ services? One word summarizes it all “Impossible”. Over the network encryption like VPN/ SSH or to put it simply cloud based services be it of any-type, which lately have made inroads into our lives would be rendered useless and their very existence in India is at risk, not just because it would have been mandatory for all of them to enter into an agreement with the Government of India, but the consumers of these services will also have to maintain a separate copy of the content.

Applications and Service providers who provide Secure Messaging ie, encrypting the voice channels or self-destructing messages, in order to provide better privacy and discourage eavesdropping, would in all probability get banned or might have to remove these features so as to cater to Indian audience. Over and above, how do the policy-makers expect the consumers to comply?

What happens when a person from a different country uses these services in India? Wouldn’t this person be violating the Indian Law and in all probability be considered a criminal?

The draft also requires all the stakeholders to use Symmetric Cryptographic/Encryption products with AES, Triple DES and RC4 encryption algorithms and key sizes up to 256 bits.

Way back in 2011 when Microsoft Researchers discovered a way to break AES based encryption, Triple DES is considered weak, while RC4 is simply not acceptable as an encryption algorithm to any organization. These are age-old encryption algorithms and are never/rarely considered when organizations are drawing up their own encryption policies.

In this age of competition, organizations have their own trade secrets to be guarded, not just from competitors but also from rogue governments. A weakened encryption schema and mandatory storage of encrypted data in its plain text form is nothing less than committing a Harakiri for these organizations. Moreover, by way of an agreement that draft expects the software/ hardware vendors to comply with these encryption restrictions, thereby weakening the overall security of India’s IT infrastructure.

National Encryption Policy should be about setting up of minimum encryption standards for data protection, penalization organizations and institutions for not implementing high encryption standards and protecting the data from pilferage and leakage.

Encryption policy has always had a direct impact on the privacy of an individual and when it used by corporations/ organization, it affects their business/ trade secrets; hence Government should also consider thinking about the various means and ways of implementing/ strengthening the non-existent privacy laws.

As we have been promised that the policy would be re-drafted, let us keep our fingers crossed and hope that better sense prevails.

National Encryption Policy: Government Issues Clarification on WhatsApp, Social Media

National Encryption Policy: Government Issues Clarification on WhatsApp, Social Media

The government issued an addendum to clarify that “mass use encryption products, which are currently being used in web applications, social media sites, and social media applications such as WhatsApp, Facebook, Twitter etc.” While that language is vague in itself, you can rest easy without needing to worry about having to store your WhatsApp messages for 90 days. The original text continues below.

The DeitY has posted a draft National Encryption Policy on its website inviting comments from the public on its mission, strategies, objectives, and regulatory framework, which you can send to akrishnan@deity.gov.in, until 16th October 2015. A lot of the details mentioned in the draft guidelines are worrying, and this is a topic that concerns every consumer.

While the draft encryption policy’s preamble starts by talking about improving e-governance and e-commerce through better security and privacy measures, it very quickly brings up national security as well, and that’s where things get worrying from a consumer’s perspective. It’s very reminiscent of when the Indian government was thinking about banning BBM in India unless BlackBerry (then Research in Motion) gave security agencies access to snoop on emails. The two would eventually reach an arrangement that allowed the government to intercept email.

The language of the new draft policy is quite clear on one thing – businesses and consumers may use encryption for storage and communication, but the encryption algorithms and key sizes will be prescribed by the Indian government. What’s more, vendors of encryption products would have to register in India (with the exception of mass use products, such as SSL), and citizens are allowed to use only the products registered in India.

“Would OpenPGP, a commonly-used standard for encryption of email, fall under ‘mass use’?” asks Pranesh Prakash, Policy Director at the Centre for Internet and Society, speaking to Gadgets 360. “Because if it doesn’t, I am prohibited from using it. But if it does, I am required to copy-paste all my encrypted mails into a separate document to store it in plain text, as required by the draft policy. Is that what it really intends? Has the government thought this through?”

National Encryption Policy: Government Issues Clarification on WhatsApp, Social Media

Most people don’t explicitly use encryption, but it’s built into apps they use every day. Do the draft guidelines also extend to products and services with built-in encryption like WhatsApp? If yes – and the language certainly suggests it does – then combine them with governments requirements for its citizens, as proposed in the draft guidelines, and we could have very worrying scenarios.

The draft guidelines read “All citizens (C), including personnel of Government/ Business (G/B) performing non-official/ personal functions, are required to store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country.”

WhatsApp messages are now encrypted end-to-end. So do the draft guidelines mean you have to store a copy of all your WhatsApp messages for 90 days? What about Snapchat? Or any other form of ephemeral messaging that is automatically deleted after being read? The consumer is expected to maintain plain text copies of all communications for 90 days – so that these can be produced if required by the laws of the land – so, will it even legal to read a message that deletes itself, if and when the draft guidelines become law?

The draft policy document states that the vision is to create an information security environment, and secure transactions. But the actual details mentioned in the draft appear to do the opposite, and put a focus more on the lines of limiting encryption only to technologies that likely could be intercepted by the government, when required.

This is in many ways similar to the Telecom Regulatory Authority of India’s draft letter on Net Neutrality, which instead talked about issues like cyberbullying and ‘sexting’. In the feedback period, Trai received over 1 million emails. but the Department of Telecom report on Net Neutrality also went against public sentiment on certain things, suggesting that telcos should be allowed to charge extra for specific services, such as Skype or WhatsApp voice calls in India, showing that calls for feedback aren’t necessarily being taken seriously.

And, with the draft National Encryption Policy, another problem that is shared with the Net Neutrality discussions, is the use of vague language. The result is that there is very little clarity at this point on what will and will not be permitted by the government if the draft guidelines are adopted. We’re living in a time when the government talks about how WhatsApp and Gmail may be used by “anti-national elements”, and even considered requiring Twitter and Facebook to establish servers in India.

With that in mind, you have to ask, will it be even legal to use WhatsApp if these guidelines are implemented? After all, WhatsApp messages have end-to-end encryption and if this service does not register in India, and comply with the algorithms prescribed by the government, then as a citizen of India, you won’t be allowed to use it because “users in India are allowed to use only the products registered in India,” as per the draft guidelines.

These are questions that don’t just affect a few people, but just about every Indian who is using the mobile Internet. In its present form, the draft actually severely limits what you can do online, and could hobble the push for a digital India. There’s almost a full month to give our feedback, but is anyone listening?