New National Encryption Policy doesn't seem to like encryption

Encryption. Credit: yusamoilov/Flickr, CC BY 2.0

A new draft National Encryption Policy put out by the Department of Electronics and Information Technology seeks to define the various encryption standards allowable on data originating from the country, and does so in its traditional ham-handed way. In an abridged version of the document, put out by DEITY, the department proposes some practices that effectively run counter to the philosophy of encryption – of data as well as devices.

For example, it specifies that the government will suggest which encryption algorithms can be used from time to time, and what key lengths should be used to go with them. Keys are bits of data used that work to legitimately seal and unseal an encryption algorithm, and it’s unclear why the government insists on being able to decide how long or short the keys will be. In another example, the government also wants to be able to demand that you, say, be able to preserve each WhatsApp message for at least 90 days and present it in plain-text (i.e. without encryption) to law-enforcement authorities when necessary. The document might as well have said the messages shouldn’t be encrypted at all. It’s akin to what the government demanded BlackBerry do last year, when it wanted to snoop on the encrypted messages passing through its native Messenger app.

Another particularly disturbing line in the document goes: “All vendors of encryption products shall register their products with the designated agency of the Government. While seeking registration, the vendors shall submit working copies of the encryption software / hardware to the Government along with 4 professional quality documentation, test suites and execution platform environments”.

Vendors of encryption products could also include vendors of products in which encryption is built-in – ranging from messaging apps to Internet browsers to full-blown operating systems. In effect, they will be required to register themselves with the government before they can access the market. The implication is that the government could also revoke registrations as a way to exert influence over the vendors. Further, saying “Government may review this policy from time to time and also during times of special situations and concerns” suggests products and services will have to be retooled to fit the government’s changing standards.

It will be far easier for the government as well as consumers if the former sticks to defining standards and not insist on participating in their specific implementation by the latter. For example, the widely used OpenPGP protocol is not recognised by Indian law. For another, DEITY could do better to distinguish between products and protocols themselves: at one point, the document says the product called SSL is exempt from its requirements; SSL however is an encryption. Another way the policy itself could be benefited is by having a standalone privacy law that provide the safeguards that protects user rights downstream, instead of defining them from one application to another.

Comments on the document can be emailed to akrishnan@deity.gov.in by October 16, 2015.