The recently introduced, and rapidly withdrawn in the face of criticism, draft of the National Encryption Policy (NEP) started on a positive note. It noted that although originally used to ensure the security of messages of greater political importance, either military or diplomatic, encryption is important for all citizens. In a recent report titled ‘Keys under Doormats,’ leading cryptography experts have described how certain attempts by Western security agencies are resulting in a structural weakening of Internet security.
The draft NEP identified that creating a secure Internet experience would require: a) widely adopting internationally accepted encryption practices, b) mainstreaming the use of digital signatures, especially for public officials, and c) substantial investment in domestic research in cryptography. All these concerns are crucial in the face of the emerging evidence that Western governments are tampering with encryption standards and demanding that Internet companies give the security agencies of those countries back-door access to the services and platforms run by the companies.
The draft NEP attempted to simultaneously implement encryption and ensure that Indian security agencies were able to decrypt such communication, when needed, by putting the burden on Internet companies and users alike to store their messages and security keys. The statements in the draft policy regarding specifications of the encryption standards to be used, and necessary pre-registrations of products using encryption, suggest that the government might be considering the ‘backdoor’ method for surveillance.
The fundamental problem of the draft NEP is that it approaches the challenge of digital security primarily from the perspective of surveillance, and not from a broader perspective of democracy and welfare. The Digital India (DI) initiative has identified ‘safe and secure cyber-space’.
It seeks to transform how and through what kind of interfaces the citizens of India communicate with the State, and vice versa. The issue of digital security concerns how such communications from State agencies and from citizens can be authenticated, how sharing citizens’ information between State agencies can be made transparent and consensual, and how liability can be assigned in the case of an accidental loss or abuse of information provided by citizens.
Another example is digital communication by public agencies. While such communication is moving to emails and digital files, a systematic approach to their archiving is yet to emerge. The draft NEP’s requirement for individuals to store messages for 50 days (with encryption keys) creates a burden on private users, but the same requirement for public officials errs on the side of being insufficient.
These concerns need to be addressed urgently to strengthen the DI initiative.
Sumandro Chattapadhyay is research director, the Centre for Internet and Society
The views expressed are personal