Controversial Indian encryption policy to be 'reworked'

After mass public rebuke, a proposed law that requires users to hand over their encryption data is being rewritten


A controversial internet encryption policy has been ripped up following considerable public outrage in India.

The National Encryption Policy (NEP), proposed earlier this month, would have required Indian citizens and businesses to hand over their private encryption details on demand to government and law enforcement bodies.

The broadly stated aim of the proposed policy was the “confidentiality of information in cyber-space for individuals, protection of sensitive or proprietary information for individuals and businesses,” as well as, “ensuring continuing reliability and integrity of nationally critical information systems and networks”. 

However, privacy advocates claim the content of the proposed policy contradicted the optimistic preamble. The policy details how users would be expected to store encryption data in plain text and that “all information shall be stored by the concerned business/citizen entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country”.  

While the law would exempt certain government departments from its statutes, overseas businesses operating in India would be included. Such businesses would be required to submit themselves to a comprehensive inventory of their security measures by the Indian government, including testing suites, cryptography software and supporting documentation.

While the government invited the public to comment on the proposals, they were met with disapproval from a wide array of people and organisations including tech companies, privacy organisations and the Indian public, who quickly forced into the proposals an exemption for social media accounts.

Many criticised the law, citing the fact that, individual privacy concerns aside, encryption data stored in plain text would make cyber-crime far easier for hackers. Raman Jit Singh Chima, a member of Access Now, an internet freedoms group, told Reuters, “it would be a huge risk and a massive target for any hackers”.

Richie Tynan, a technologist at Privacy International, a charity that defends global privacy, spoke to SCMagazineUK.com on the folly of the proposed law saying, “By forcing communications and data to be in both encrypted and unencrypted form, Government hacking suites would allow them to hoover up information at will. It is disgraceful that a government would force citizens to be kept in such a vulnerable state.”

But it appears that it was the outcry over the intrusion into the public's social media accounts that dealt the final blow to the complex and clumsy NEP. 

“I have noted some of the concerns,” said Ravi Shankar Prasad, India's minister for communications and information, rubbishing the public's concerns to reporters last Tuesday. 

“Some of the expressions used in the draft are giving rise to uncalled-for misgivings,” the minister said as he announced the withdrawal of the draft law. 

Prasad concluded, “But when I noted the concerns of the public and some expressions that were avoidable, I thought it was better to rework it.” To be sure, similar proposals will be back in a ‘re-worked’ form, but what form they will take remains to be seen.

Richie Tynan, speaking to SC, added that as they stood, the proposals were not acceptable: “It is likely that this naive approach is the simplest and possibly cheapest solution they could think of to address the supposed barriers that encryption poses to law enforcement. It places a tremendous burden on citizens and businesses and may cause many to abandon secure forms of communication entirely. Without which, whistle blowers, investigative journalists and lawyers cannot act as an effective check on the powerful.”