The Department of Electronics and Information Technology (DeitY) recently released the draft of the National Encryption Policy. The policy aims to "enable (an) information security environment and secure transactions in cyberspace for individuals, businesses and government including nationally critical information systems and networks."
The rapid rate of growth of internet-based service delivery has made it necessary to put in place standards that protect privacy and increase the security of the internet and associated information systems.
The DeitY has posted the draft on its website inviting mailed comments from the public on its mission, strategies, objectives, and regulatory framework, which you can send to firstname.lastname@example.org, until October 16, 2015.
Here's all that you need to know about the policy:
What is the use of cryptography in information systems?
Defined as the practice and study of techniques for secure communication in the presence of third parties, cryptography encompasses a wide spectrum of applications that include encrypting communication sent in plain text and decrypting it on receipt or using a secure channel of communication within which data can be sent in plain text.
We use it frequently in our day-to-day activities on the internet. If the address of the website you are accessing begins with HTTPS instead of HTTP, it is using a secure channel to transmit data. Similarly, websites store user information, such as user names and passwords, in an encrypted format. Cryptography initially had applications in military and diplomatic communications, but is now used widely in Virtual Private Networks (VPNs), secure email, electronic fund transfers and secure messaging applications, to name a few.
Is there a legal precedent for this policy?
Yes. The Information Technology Act has provisions for such guidelines to be issued for encryption (Sec 84A) and decryption (Sec 69). Most of the technical terms, like hashing algorithms (used to map digital data of arbitrary size to digital data of fixed size), keys (used to encrypt and decrypt communication), digital signatures (used to ensure confidentiality, integrity and authenticity of communication), etc., have been explicitly defined in the IT Act.
What objectives does the national encryption policy aim to achieve?
It aims to promote the use of encryption for ensuring the security and confidentiality of data and to protect privacy in information and communication infrastructure without unduly affecting public safety and national security. It also aims to synchronize with the global standards that are emerging in the era of digitised economy and networked society.
Further, the policy aims to promote the use of digital signatures by all entities, including the government, for trusted communication, transactions and authentication. And lastly, it envisages adoption of information security best practices by all entities and stakeholders in the government, public and private sector enterprises and citizens at large.
How does the government plan to achieve this through the policy?
The policy categorizes users into three groups: government (G), which would include all central and state government departments (including sensitive departments/agencies while performing non-strategic and non-operational roles); business (B), which includes all statutory organisations, executive bodies, and business and commercial establishments, including all PSUs and academic institutions; and citizens (C), which includes all citizens (including personnel of government/business (G/B) performing non-official/personal functions).
It then mandates that the use of encryption technology for storage and communication within the G group of users, and for communications between the G group and the B/C groups, will follow standards specified by the government through notification from time to time.
For the users of groups B/C it mandates that such users should not only adhere to standards notified by the government but also produce plain text and encrypted copies of communications if demanded by law enforcement agencies for up to 90 days from the date of transaction.
The onus to store this plain text communication lies with the end user of each category, and if the entity is based outside India then the responsibility of providing the plain text communication lies with the corresponding entity based in India.
Is there a regulatory framework planned to implement this policy?
Yes, the policy proposes the setting up of a specialised agency to oversee its implementation. Service providers located within and outside India, using encryption technology for providing any type of services in India, must enter into an agreement with the government for providing such services in India. The government will designate an agency for entering into such an agreement with the service providers. The policy also mentions that all vendors of encryption products shall register their products with the designated agency. Further, such vendors shall work with the designated government agencies in security evaluation of their encryption products. The government on its part will put the list of registered vendors in the public domain, with no liability associated with the use of products of these vendors.
The policy also mandates that while exporting such encryption products would be allowed, it should be done after prior intimation to the designated agency. Also, users in India will be allowed to use only those encryption products that are registered in India.
What are other provisions of the policy?
The policy proposes a technical advisory committee to monitor the technology development in the area of cryptography to make appropriate recommendations on all aspects of encryption policies and technologies. It also calls for the development of indigenous algorithms and manufacture of indigenous products for encryption, hashing and other cryptographic functions. The testing and evaluation infrastructure of these products will be set up by the government.
What are the concerns in this policy?
The primary area of concern is the insistence on storage and provisioning of plain text communication by end user entities. The notion is antithetical to the idea of promoting encryption practices. While it will add to the infrastructure costs of businesses to maintain such databases, the general public is practically unaware of most of these practices. The process of registration of vendors and the insistence that Indian users use only such products will not be welcomed by international organisations that are looking to expand digital services in India. In fact, the government may end up stifling innovative solutions in the procedural aspects of registration with a regulating agency.
The policy document also conveys a lack of technical aptitude. It refers to protocols like SSL (Secure Sockets Layer) and TLS (Transport Layer Security) as "products" and excludes them from the purview of registration. It also mentions up front that the policy is not applicable to sensitive departments/agencies of the government designated for performing sensitive and strategic roles. This exemption is unjustified, as compliance with a minimum standard of security should in fact be mandatory for such agencies.
What is the way forward for the National Encryption Policy?
This is a draft document and it is expected to generate a public debate leading to quality inputs towards the final policy document. The fact that a high-end technology like encryption is finding its way into public policy discourse is commendable in itself. The DeitY should consider all inputs it receives from the public as well as from technology specialists in this regard. It should not rush to codify this policy with legal provisions, but instead aim to engage as many stakeholders as possible before rolling out the final policy.
This is also a chance for the policy makers to add practices like hackathons to the list of research activities and encourage such informal events to act as platforms for testing and evaluation of security products. The nature of the technology that the policy seeks to regulate is very dynamic; coercive regulation may end up throttling its development and growth instead of promoting it. The government needs to work hand in hand with technologists and subject matter experts if it aims to convert good intentions into sound policy actions.
(The author works with Symantec Software on digital certificates and encryption and is a contributor for the strategic affairs think tank, Takshashila Institution.)