Any encryption policy requires holistic, inter-connected approach: Cyber crime expert

The Government of India recently published the Draft National Encryption Policy for public comments on the official website. The draft evoked strong responses from various stakeholders and, shortly after its introduction for comments in the public domain, was withdrawn by the Government on 22 September.

The draft policy aimed to prescribe the modes and methods of encryption in India and imposed various responsibilities on all users of encrypted products in India. It was extremely broad and comprehensive, bringing within its ambit any user of a computer or a mobile phone who was using encryption of any kind whatsoever.

(Image credit: Getty Images)

The policy stipulated that every user would be required to copy, paste and save in text format all the original encrypted messages on the relevant computer resource and preserve them for a period of 90 days. This information was required to be retained so that it could be furnished to any governmental law enforcement authority that asked for it.

Further, the draft policy also stipulated that failure to retain such information would expose the user to potential legal consequences.

A clarification dated 21 September was issued, which categorically stated that all messages using encryption on social media sites and social media applications such as WhatsApp, Twitter and Facebook would be excluded. The clarification further provided that internet banking transactions, payments and e-commerce, as well as password generation, would be excluded.

While the clarification attempted to be a step in the right direction, it raised more questions than it answered. This was primarily because the clarification categorically excluded all social media sites and social media applications, but did not exclude mobile applications in general; consequently, all applications used on mobiles that use encryption remained within the ambit of the draft policy.

(Image: Reuters)

The clarification represented a very piecemeal approach in an isolated environment, because if the clarification and the draft policy had been implemented together, they would in effect have encouraged everyone to bypass the policy by moving to social media sites and social media applications for sending encrypted messages.

One of the biggest problems with the draft policy was its insistence on a mandatory requirement for all users to retain all the encrypted messages they sent, for a 90-day retention period. This requirement would have forced all users to police all their messages and would have led to violations of the fundamental right to privacy, thereby prejudicially impacting people's enjoyment of their fundamental right to life. The impact of the draft encryption policy on the enjoyment of users' digital rights could not be ruled out.

Encryption allows you to secure an electronic message so that it cannot be read or modified in transit. Mandating that all encrypted messages be copied and saved in text format on users' computers would have been tantamount to a general, universal invitation to hackers and would have made the entire purpose of encryption redundant. Further, the draft policy did not define how such messages were to be saved in text format, nor what reasonable security practices and procedures users were required to implement and maintain in order to protect them.

Seen from another perspective, the draft encryption policy was not issued in keeping with the objectives set out under Section 84A of the Information Technology Act, 2000. Section 84A enables the government to prescribe the methods or modes of encryption, but only for the secure usage of the electronic medium and for promoting e-commerce and e-governance. When one looked at the objectives of the draft policy, they were at variance with the objectives of Section 84A of the Information Technology Act, 2000, as amended, under which it was issued.

Further, the draft policy was not formulated in keeping with an overall cyber security policy approach for the country. Moreover, India does not have a dedicated cyber security legislation.

Implementation of the policy, which insisted that Government departments and ministries retain all sent encrypted messages in text form on Governmental networks that are repeatedly targeted by hackers, could potentially have impacted national security and cyber security, apart from having a prejudicial impact upon the security, sovereignty and integrity of India and India's sovereign interests in cyberspace.

The draft encryption policy was completely silent on the Dark Net. This assumes more significance as Indians today are increasingly moving on to the Dark Net.

With the withdrawal of the current draft of the encryption policy, the government has highlighted the need to rework it and to address the concerns expressed by various stakeholders.

Any encryption policy must take a holistic and inter-connected approach, considering the other elements of the cybersecurity ecosystem. It will be interesting to see how further developments take place in this space.

The author Pavan Duggal is an Advocate at the Supreme Court of India and is a leading expert on Cyberlaw & Mobile Law. For more information, visit www.pavanduggal.net.


Published Date: Sep 28, 2015 02:03 pm | Updated Date: Sep 28, 2015 02:03 pm