The Draft National Encryption Policy: The good, the bad and the downright ugly

The government wants to take control of your personal and business data. If this policy comes to pass, there’s nothing you could do about it. There’s still time to act now though. Act now.


In the recent proposal put forth by the Department of Electronics and Information Technology (DeitY) on encryption practices within the national context, there were bombs aplenty. Ranging from what reads like feasible suggestions (these were rare, and only at the very outset) to the unmistakably ludicrous (basically the rest of the document), there is much outrage fodder here.

While the government agency has invited public feedback and comments by 16 October (feel free to mail akrishnan@deity.gov.in should you be so inclined), there is much consternation at the implications of these draft suggestions. Fortunately, all of this still exists only at the draft stage. But before things are cast in stone, it warrants closer examination and collective action.

The good

At the outset, this draft proposal does call out the inherent advantage of cryptography:

It can help to assure the confidentiality, non-repudiability and integrity of information in transit and storage as well as to authenticate the asserted identity of individuals and computer systems.

It also accepts that while encryption was originally used primarily in military and diplomatic communications, the advent of web-based services like e-commerce and online communication has proliferated encryption technologies to wider audiences.

So far so good. But then as the clauses unfold, things quickly begin to devolve.

The bad

On the very first page is a paragraph that in one fell swoop excludes…

All sensitive departments and agencies of the government designated for performing sensitive and strategic roles.

And then it proceeds to include pretty much every other human being in the country under the purview of encryption scrutiny:

From Central and State Government departments involved in non-strategic roles to academic institutions to businesses to all citizens.

Just like that, individual privacy goes right out the window.

The ugly

Here’s where things start to take a turn for the really ugly, in a manner so typical of babu-dom, where the powers that be see fit to condescend to the masses.

Use of Encryption technology for storage and communication within government, businesses and citizens with protocols & algorithms for Encryption, key exchange, Digital Signature and hashing will be as specified through notification by the Government from time to time.

So the government wants to specify what type of encryption you and your business use, and wants to notify you to use its approved standards whenever it deems fit.

Then comes the clause that drives home the point that the ‘expert group’ behind this document is completely removed from the immediacy and efficacy of digital communication today. They propose:

On demand, the user shall be able to reproduce the same plain text and encrypted text pairs using the software / hardware used to produce the encrypted text from the given plain text.

Translation: the data you’re encrypting for protection must also be kept around in decrypted form. The fact that this suggestion entirely defeats the purpose of encryption itself appears to be lost on the creators of this draft policy.

It doesn’t stop here…

Such plain text information shall be stored by the user/organisation/agency for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country.

90 days. Why three months? While the initial version of this draft proposal implied that even consumer communication applications such as WhatsApp and email, or encrypted online sessions including netbanking and e-commerce activity, were included in its purview, an addendum to the document has clarified that these particular cases are in fact exempt. Still, this does not detract from the fact that a person's personal data, even if encrypted using their encryption program of choice, would have to be made available to the government as and when it demands. Access to such information, when required, should be sought through a court of law, as is the norm.

Then there’s the inevitable watchdog clause…

Service Providers located within and outside India, using Encryption technology for providing any type of services in India must enter into an agreement with the Government for providing such services in India. Government will designate an appropriate agency for entering into such an agreement with the Service provider located within and outside India.

This reminds me of school, when you needed a written note from your parents granting permission to attend the picnic. Except this isn’t school. And the government certainly doesn't appear to resemble a person who has your best interests at heart.

There’s more: if you aim to use an encryption product, guess what, you can only use one that is registered in India.

Encryption products may be exported but with prior intimation to the designated agency of Government of India. Users in India are allowed to use only the products registered in India.

So your choice to go with a proven data encryption application (like TrueCrypt or KeePass) basically goes out the window.

Finally, they propose that any creator or developer of encryption products, software or hardware, is required to make the inner workings of those products known to the government.

All vendors of encryption products shall register their products with the designated agency of the Government. While seeking registration, the vendors shall submit working copies of the encryption software / hardware to the Government along with professional quality documentation, test suites and execution platform environments. The vendors shall work with the designated Government Agencies in security evaluation of their encryption products.

It’s like leaving the door of your house open to the government, giving them a detailed tour around your rooms and cupboards, then handing them a copy of the keys on the way out.

At the outset of this document, they state the vision as ‘To enable information security environment (sic) and secure transactions in Cyber Space for individuals, businesses, Government including nationally critical information systems and networks.’

And to do this, the draft basically suggests leaving all of your personal and business files unencrypted and placing the job of safeguarding them in the hands of the government.

Such are the dichotomous times we live in. #DigitalIndia #FTW

Note: this article has been updated based on information in the Addendum to the Draft Encryption Policy released on 22 September 2015.