The government will have access to all encrypted information, including personal emails, messages or even data stored on a private business server, according to the Draft National Encryption Policy.
The draft of the new encryption policy wants users to store all encrypted communication for at least 90 days and make it available to security agencies, if required, in text form. It also wants everyone to hand over their encryption keys to the Government.
The draft was formulated by an expert group set up by the Department of Electronics and Information Technology (DeitY) under Section 84A of the Information Technology Act, 2000.
Since every messaging service and email, including Whatsapp and Gmail, use some form of encryption, this draft would cover almost all instant messages and emails.
Cyberlaw expert Pawan Duggal says the policy is not only dacronian, but also misplaced. “Almost everyone using the Internet will find themselves in violation of these rules and is hence detached from the ground realities. This policy has been drafted for the PC era and does not take into consideration the mobile revolution in the country,” he said.
Duggal says the policy presumes that everyone will fall in line, while the OTT providers, most of whom are based outside India, will not even bother to conform to these rules. “In fact, the policy will be counter productive and will only discourage people from using encryption,” he said, adding that draft was also in contrast to the objectives of the IT Act under which it has been framed.
The draft policy, for which the DeitY has invited comments from the public till October 16, has suggested that “all vendors of encryption products shall register their products with the designated agency of the Government”. The final policy will be drafted only after the feedback is taken into account. At the moment, it seems like the public reaction to this policy will be more aggressive than what was seen when the Net Nutrality policy was drafted as it will affect almost everyone, a majority who are not even aware that they are using encryption technologies.
The preamble of the draft says “the cryptographic policy for domestic use supports the broad use of cryptography” in ways that facilitate privacy and international economic competitiveness. However, in its objectives, it lists the “use of encryption for ensuring the security/ confidentiality of data and to protect privacy in information and communication infrastructure without unduly affecting public safety and National Security”.
The government will regularly notify a list of registered encryption products and only these registered services will be able to conduct business in the country. Duggal says this will only restart a “registration raj” and isolate India further.
Unlike the US, which prevents the export of encryption products, India will allow this with “prior intimation to the designated agency”. But again, “users in India are allowed to use only the products registered in India”.
When contacted, representatives of OTT messaging and email services refused to react to the draft policy.