The Big Picture – Pitfalls in framing National Encryption Policy
Experts feel that the National Encryption Policy was required, but not in the way it was put forth. According to them, there was no need for a separate clause giving the government the power to snoop, as this was already covered under Section 69 of the IT Act. Section 69 of the IT Act specifies the conditions under which the government can intercept, monitor and decrypt communications. Instead of this clause, the government should have stated that entities must maintain certain minimum security standards that ensure the privacy of users' data and of financial transactions. However, the government defends itself by saying that this draft was prepared by a group of experts and was not in sync with the policy of the government.
The draft policy has been introduced under Section 84 A of the Information Technology Act (2000). Once finalised, rules for encryption of electronic information and communication will be introduced under the policy. The draft document says that the policy’s mission is to “provide confidentiality of information in cyber space for individuals, protection of sensitive or proprietary information for individuals & businesses, ensuring continuing reliability and integrity of nationally critical information systems and networks.”
While the draft policy claims to have an objective of enhancing data security, activists feel that it runs counter to that aim and is ill-conceived. The provisions of the draft policy give the government access to all encrypted information stored on computer servers in India, including personal emails, messages or even data. The policy also wants users to store all encrypted communication for at least 90 days and make it available to security agencies, if required, in text form.
Other problems with the proposed policy:
- Only the government of India shall define the algorithms and key sizes for encryption in India, and it reserves the right to take action for any violation of this Policy.
- Businesses also have to keep all encrypted data for 90 days from the date of transaction and make it available to law enforcement agencies as and when demanded, in line with the provisions of the laws of the country.
- Entities in India are responsible for providing unencrypted details of communication with foreign companies in readable plaintext.
- Service providers that provide encryption in India will have to register with the government.
Many companies send their messages in encrypted form. The government has said that the purport of this encryption policy relates only to those who encrypt. Ordinary consumers of applications like WhatsApp do not fall in this domain.
Some sort of encryption policy is followed all over the world, particularly in free democratic societies. Interaction in cyber space, whether commercial, official or private, is on the rise, and much of it is encrypted. Hence, the security concerns are certainly there. India lacks a sound policy on encryption. Hence, there is a need for a proper encryption policy.