If you use WhatsApp or Snapchat and regularly delete messages to keep your phone or computer clutter-free, think again. A draft government policy on internet security wants you to save all messages for up to 90 days and be able to produce them if asked by the authorities.
The draft National Encryption Policy on internet security also seeks to control the level of security online apps can build into their products and proposes that digital business save all information in plain text format for 90 days, potentially exposing such sensitive data to both government agencies as well as cyber attacks.
“Whatever little semblance of privacy exists, will be evaporated if this draft policy were to be implemented”, said Pavan Duggal, cyber law expert and Supreme Court advocate.
“The government may hold the users liable, according to the draft policy. The user has to keep data in ‘plain text’ for 90 days. Most people in the country don’t even understand what it means,” said Nikhil Pahwa, editor of cyber issues website MediaNama. “The draft policy compromises the privacy of users. Do you make traffic laws with the policemen in mind, or citizens who use the road?... We all have messages and information that we want to keep secure, and is legal, so why shouldn’t we able to keep that information private, away from the prying eyes of government officials?”
India doesn’t have an exclusive policy on digital encryption, or methods by which data is kept secure on the internet. The draft, seeking to address this legislative vacuum, cites ‘concerns of national security’ to justify its stringent proposals.
“There are security concerns, and they should be addressed, but not at the cost of the rights of individuals… It’s a bizarre draft that has come out,” Pahwa added. “What if BPO’s in India have to make available to the government data they have from, say, banks in other nations? Does that not violate laws of other countries? Won’t they lose business?” said Pahwa, who also volunteers for savetheinternet.in.
The government’s proposal, uploaded over the weekend for feedback from the public, reads: “Encryption algorithms and key sizes shall be prescribed by the government through notifications from time to time... Service providers located within and outside India, using encryption technology for providing any type of services in India must enter into an agreement with the government for providing such services in India”. Encryption algorithms and key sizes determine how secure a communication is.
The draft’s proposal holds major implications for foreign software services providers because it gives the Indian government the right to determine what encryption standards should be used.
“The government has invoked the IT Act while making this document. Technically, refusal to comply with the final policy would be deemed illegal,” Ranjeet Rane, who works in the domain of digital certificates and data encryption, told Hindustan Times.
“The draft defeats the very purpose of encryption. If we are to save our sensitive data in plain text — leaving it susceptible — what is the point of the encryption in the first place,” Rane said. “Also, the onus of saving the data is on the user. He or she would not even know what to save, and how.”
The move comes at a time when the government is formulating its stand on net neutrality, which says all internet traffic should be treated as equal whether it carries voice, text, images, or video.
For the encryption policy draft, the Department of Electronics and Information Technology has asked for the public’s feedback by October 16.
Rane said the draft was likely to invite a wave of criticism from several quarters. “It’s like re-inventing the wheel. The government would end up adding an unnecessary layer in the information technology domain, preventing innovative solutions that are the norm in the dynamic domain of encryption from being tested and used.”
“The policy should try to promote innovative platforms like Hackathons while developing newer standards.”
The author tweets at Nisheeth_U