In the face of an all-round outcry against the draft National Encryption Policy, the government had to beat a hasty retreat. But can we entirely do away with an encryption policy for the sake of privacy concerns? Souvik Goswami of Elets News Network (ENN) tries to analyse the tricky issue.
It is the need of the hour. But how to go about it?
And, perhaps, there lies the crux of the debate on the proposed National Encryption Policy. The Government of India’s Department of Information Technology (Deity) came up with a draft National Encryption Policy late last year. But the moment it was put in the public domain, it faced severe criticism from netizens and civil society alike, as the draft policy contained some provisions that were seen as an intrusion into the private space of citizens. Eventually, the government was forced to withdraw the draft policy amid a huge hue and cry.
The revised draft National Encryption Policy is, however, yet to be put in the public domain.
Need for Policy
Before we get to the draft policy, we must first look at what ‘encryption’ is and why there is a need for an encryption policy.
Encryption is the process of encoding messages or information in such a way that only authorised parties can read it. In an encryption scheme, the intended information or message, referred to as plain text, is encrypted using an encryption key generated by an algorithm, which in turn produces a ciphertext that can be read only when decrypted. In principle, it is possible to decrypt the message without possessing the key, but for a well-designed encryption scheme, large computational resources and skill are required. An authorised recipient can easily decrypt the message with the key, but unauthorised interceptors cannot.
On the other hand, according to the Data Security Council of India, the Information Technology (Amendment) Act 2008 provides for encryption under Section 84A, which reads: “The Central Government may, for secure use of the electronic medium and for promotion of e-governance and e-commerce, prescribe the modes or methods for encryption.”
An encryption policy under this section is urgently required as a national policy, since at present encryption is restricted to 40 bits under the telecom licensing policy regime. This level of encryption is weak and does not promote client confidence, as clients require strong encryption for data protection and privacy protection. The government, however, has a legitimate need to access encrypted data for monitoring of suspected criminals and terrorists in what is considered lawful interception. An encryption policy, therefore, requires consideration of various technical issues, national security issues, business privacy and international competitive pressures for the growth of e-commerce and e-governance applications.
Why the Outcry?
It is in this context that the Government of India drafted the National Encryption Policy. But it had to be withdrawn following the public outcry.
The draft policy talked about making it mandatory for every citizen to save all digital communications, including emails and chats, for a period of 90 days. It proposed that while citizens and businesses could use encryption technology for the storage of data and for communication, everyone would be required to store the plain text of that information for a period of 90 days. Citizens would also be required to provide verifiable plain text to law enforcement agencies as and when demanded.
A section of society saw this as an intrusion into privacy, and the government had to withdraw the draft encryption policy, stating that it “relates only to those who encrypt… ordinary consumers of applications do not fall in this domain.” The government, however, added that there is a need for an encryption policy, which would apply to those who are involved in the encryption of data.
The government has a legitimate need to access encrypted data for monitoring of suspected criminals and terrorists in what is considered lawful interception, but the people at large feel that such a policy will infringe upon their privacy.
However, a section of the industry feels that the National Encryption Policy should be about setting minimum encryption standards for data protection, penalising organisations and institutions for not implementing high encryption standards, and protecting data from pilferage and leakage.
Encryption policies have always had an impact on the privacy of individuals and, when applied to corporations or organisations, they affect their business or trade secrets. Therefore, the government should also think of framing privacy laws, which are currently non-existent.
Taking into consideration the divergent views as well as the compulsions of the government, the whole debate boils down to whether the National Encryption Policy is needed at all. But what remains to be seen is how the government goes about redrafting and then implementing it. What also needs to be seen is how the new policy will do the balancing act of incorporating the various concerns of both the industry and citizens at large. Till then, the debate continues!
Privacy-Security Balance a Must
Encryption is an important feature which allows organisations to effectively manage and systematically store all communication. The recently withdrawn draft National Encryption Policy encompassed a lot of aspects from the government’s point of view, but from the customer and business perspective, it posed a major threat to the privacy of data.
The withdrawn draft policy mentioned that the B2B, B2C and C2B sectors should use encryption algorithms and key sizes as prescribed by the government. In this age of competition, organisations have their own trade secrets to be guarded from competitors. A weakened encryption scheme and mandatory storage of encrypted data in plain text are not advisable.
Furthermore, the draft also said that the government would require users and companies to store plain text and encrypted text pairs for at least 90 days and make them available to law enforcement agencies when asked for. It is technically infeasible for a customer to maintain this information. The government must take note that the knowledge and expertise of common citizens may be inadequate to understand the nuances of encryption.
The policy, in its current form, can make Indian information systems vulnerable to cyberattacks. Privacy and security must go hand in hand. This policy not only weakens the security of information, but also puts privacy at greater risk. Sensitive departments of the government should be included under the policy, as these are the organisations that need to be kept secure to enhance national cyber security. Besides, there should not be any specific mandate to use a particular algorithm for encryption with restricted key sizes. It is imperative to have clarity on which online services and online service providers will have to be registered with the government.
Having an encryption policy at SpiderG is necessary because of the nature of our business. As SpiderG deals with business transactions of companies, which have a direct financial impact, we have put in place state-of-the-art encryption processes.
At SpiderG, while encrypting, we take care of the essential requirements mentioned below, which are needed for any business or financial transaction to be valid online:
We use strong 256-bit SSL encryption to transmit data over the Internet. This ensures the confidentiality of the data, as it is practically impossible to make sense of this data. A combination of the user’s phone number, a mobile app and passwords is used to authorise transactions.
Data security and confidentiality are our prime focus. We have architected our business in a way that ensures our customers’ data is kept safe in all cases.