It is the kind of embarrassment that Prime Minister Narendra Modi could have done without, a few days before he interacts with luminaries of the Silicon Valley such as Mark Zuckerberg of Facebook. Instead of demonstrating that India has a firm grasp of the policy conundrums that new Internet technologies pose to governments, the communications and IT ministry has had to withdraw the draft national encryption policy after a furore over its contents.
The policy will now be redrafted and opened for public debate subsequently, but the document offers a glimpse into the Indian State’s ambition in the sphere of surveillance and it betrays the deep discomfort that policy practitioners have for encryption technologies in general. The draft seems to have been conjured without regard for India’s reputation globally and its implications for our rights as citizens.
Take three problematic elements that were proposed. After solemnly stating that the policy wishes to ‘provide confidentiality of information in cyberspace’, protect sensitive or proprietary information for individuals and businesses, it goes on to say that the government will prescribe encryption algorithms and key sizes for both citizens and businesses. Further it expected service providers using encryption technology to enter into an agreement with the government for providing such services in India.
And while seeking registration, vendors of encryption products were to ‘submit working copies of the encryption software/hardware to the government’. In other words, Indian and foreign tech firms were not only expected to sign individual agreements with the government, they were to disclose the software to the government and go on to use encryption levels decided by the Centre. This is so much beyond what businesses are expected to comply with that one wonders if any senior executives of technology firms were even consulted informally about the propriety and feasibility of such measures while the document was in draft.
Lastly, and most critically, the draft expected all citizens to ‘store the plain texts’ of the encrypted information for 90 days, which meant that they were to store every email, chat and videos for three months, just in case government wanted to examine them. The government would hence not only decide encryption standards at one end, it would also expect the citizen offer personal communication on demand. Taken together, these proposals appear to originate in a weak belief in the right to privacy. The Centre must note that any policy framed from that vantage will infringe on individual liberty and provoke the kind of reactions on view. Governments may have to find other ways of ‘seeing’ through societies, beyond the magic bullet of cracking encryption which citizens value.