Encryption policy leaves much to be desired
India has withdrawn what is called the Draft National Encryption Policy following outrage. Okay, you won’t have to store all WhatsApp messages and emails for now. Life moves fast in the social media era.
In the space of 48 hours, India managed to float a draft of something as geeky as an encryption policy, trigger national outrage, exempt social media from it, and finally withdraw it.
On Tuesday afternoon, two days after the policy draft was floated, it was withdrawn. It had been released for public feedback “without my knowledge”, said IT Minister Ravi Shankar Prasad.
What was this draft National Encryption Policy (NEP)?
Encryption technology is used to encode messages, making them secure so that only authorised people can read them.
On the face of it, the NEP was a plan to define common minimum standards for encryption. Nice idea for the security of all communications, no? But wait, government agencies would be exempt from all these standards. Doesn’t that sound a little suspicious? It soon became clear that the policy did its best to ensure a decrease in the security of communications for individuals and organisations in India.
However, it got worse. Before you use an encryption product, said the NEP, it must be registered with “the competent authority”. You can only use encryption approved by the government, and, presumably, familiar to (and crackable by) government agencies.
That isn’t what caused the public outrage, though. WhatsApp and Facebook did that. As per law, send a text message on WhatsApp or Facebook or BBM messengers and you will have to save a plain text copy for 90 days.
The NEP plan was sweeping, covering all encrypted messages. All emails, including Gmail. All messages on any messenger except SMS. Everything is encrypted these days. On demand by Indian law enforcement or a government agency, you would need to submit a copy of any encrypted message sent in the past three months.
Yes, that was the plan according to the NEP, whose draft was released for public comment on September 20, with a month given for feedback. It’s rare for something as arcane as encryption to become a subject of national outrage in India within a day, but that’s what happened. The draft triggered fury and fiery debates.
By contrast, a debate on Net Neutrality earlier this year had taken months of protest and activism for it to enter public discourse. The difference was that the NEP draft was a short, six-page document that was quickly translated by experts and media into its likely outcomes.
After the outrage, an addendum followed overnight, exempting “popular mass exemption products used in platforms such as WhatsApp, Facebook, and Twitter” from this requirement, along with encrypted financial transactions and passwords.
Praise the Lord - Indian firms wouldn’t have to store plain text copies of all user passwords. However, they did not exempt email. So, no deleting any emails you’ve sent, for 90 days. It’s all encrypted.
That was up to Tuesday morning. By afternoon, the NEP draft was reportedly withdrawn; for now, at least. As we’ve seen with net neutrality, though, this government isn’t one to give up control so easily, especially over something that can be linked to national security. And indeed, Prasad has said that the NEP draft, which was poorly worded, would be reworked. Watch this space.
(Prasanto Kumar Roy is a senior technology writer and head of Trivone Media. The views expressed are personal.)