The draft encryption policy requires you to keep any encrypted communication or data in plain text format for a period of 90 days.
If the government has its way, you’ll soon be required to store a plain text copy of your encrypted email for 90 days after receiving it. At least, that’s what the Draft National Encryption Policy proposes, should be done. It also wants enterprises providing such services to set up infrastructure in the country according to the guidelines laid out by the government, including the algorithms for encryption and hashing.
The Department of Electronics and Information Technology (DeitY) has put up the draft encryption policy on its website, inviting comments from the public. While its goal of creating an “information security environment” is noble, the manner in which it proposes to go about it is anything but. Among other things, it proposes that all encryption technologies and algorithms used for storage and communication be specified by the government. Additionally, it requires businesses and citizens to store the plain text version of any corresponding encrypted information for 90 days from the day of transaction. The draft further states that service providers based out of the country will need to set up servers on Indian shores and use encryption technologies as framed by the government. The vague wording has also contributed to the confusion. SSL and TLS have been mentioned as mass use encryption products and are exempted from registering with the government. However, it hasn’t been explicitly mentioned as to which other encryption technologies are exempt. If indeed such a policy is adopted, there is a high chance that you won’t be able to use Whatsapp, Gmail, Facebook, etc.
The draft policy seeks “To provide confidentiality of information in cyberspace for individuals, protection of sensitive or proprietary information for individuals & businesses, ensuring continuing reliability and integrity of nationally critical information systems and networks.” However, the measures that it proposes render the very utility of encrypting any communication or stored data redundant. In fact, storing any data in plaintext format for any amount of time is counter-productive, since it is exposed to hackers. Whatsapp uses end-to-end encryption, which can effectively make it illegal to delete your messages for 90 days. Experts and online activists have unanimously slammed the move. This is reminiscent of furore created when the government planned to ban BBM. More recently, it has courted controversy over the issue of net neutrality.
The draft policy intends to promote R&D in cryptography. But, the draconian policies drawn up in the proposal will instead, impede any developmental activity. policy director at digital rights organisation Access, Raman Jit Chima said to Economic Times, "By trying to restrict and weaken the everyday usage of encryption in order to facilitate tapping demands, the everyday communications of all Indians will likely become less secure."
The Department of Electronics and Information Technology has invited feedback from the public. You can mail your suggestions to akrishnan@deity.gov.in by 16th October. You can read the draft here.