Yesterday I was planning to blog about the new government policy about data storage and encryption. By the time I was able to type something it was late night and I didn’t want to write something about it half asleep. So I thought lets take it up today. I normally do not bash up anybody, thing or thought, well coz its personal. but this time somebody in their mind thought about it and then thought to impose it on all of us .. Whoa.. it was crazy brave of that guy.

special-kind-of-stupid
special-kind-of-stupid

This is not an analysis from somebody with a background in legal or policy structuring. I am just looking it from a generic perspective or to put it plain words, it’s the opinion of a guy who reads news on the pot seat.

Read about the actual policy draft here. So this is what happened. A new policy “National Encryption Policy” was drafted by Indian Department of Electronics and Information Technology (IDEIT aka IDIOT) and then published for public review. The whole population was just asked to review it. Now if it was a room full of people, it would have been few for and few against it and it might be quite manageable to have a discussion. Rather now the entire Indian and maybe foreign population is tearing it open from limb to limb, well it didn’t have any to stand on, at the first place.

The actual intent was to guide the industrial standards of encryption and allow government access to encrypted messages deciphered at a later date. Even though the intent was clear somehow the language of the policy was misguiding. If rightly done, it could have served as standards which need to be implemented at a basic level for any social/business interaction. It would just set the basic level of encryption needed on all sites or at least set a guidance. Thus tracking on defaulters would happen and some kind of repository would be present currently maintained by search engines to tag harmful sites. But what happened was that it was lamely worded and now something that could have been better for common man using internet, has turned out to be a debate topic.

These are some of the key points of the policy and what they were ultimately interpreted to be.

  1. Making it mandatory to store all messages in plain text form as well
  2. “On demand, the user shall be able to reproduce the same Plain text and encrypted text pairs”

  3. Government has the right to access this plain text information and it should be available for 90 days.
  4. “Such plain text information shall be stored by the user/organization/agency for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country.”

  5. The policy would cover everything to the likes of WhatsApp, Facebook, well any online/offline application which is involved in data transfer.
  6. “This policy is applicable to all Central and State Government Departments (including sensitive Departments / Agencies while performing non-strategic & non-operational role), all statutory organizations, executive bodies, business and commercial establishments, including public sector undertakings and academic institutions and all citizens (including Personnel of Government / Business performing non-official / personal functions).”

  7. Every organization providing any kind of communication service should get into an agreement with Indian Government and abide by this dictatorship.
  8. “Service Providers located within and outside India, using Encryption technology for providing any type of services in India must enter into an agreement with the Government for providing such services in India”

  9. Indian IT knows better than the entire world, so just do what we say, no questions asked.
  10. “Algorithms and key sizes for Encryption as notified under the provisions in this Policy only will be used by all categories of users”

The zeal with which the policy was announced was matched only by the speed with which it was withdrawn. It lasted all of Monday morning to Tuesday evening. Meanwhile, a scapegoat was found—a poor low-level scientist—and everyone else washed his or her hands off the draft National Encryption Policy.
It was indeed a draft, but it was a draft of a National Policy that was placed in the public domain to enable stakeholders and the public to offer their comments.
Finally, it has been revoked and the government would be sharing the second draft sometime later. Lets wait for it…

Few links for reference.

https://publicintelligence.net/india-draft-encryption-policy/

http://www.financialexpress.com/article/fe-columnist/act-first-think-later/142010/

P.S. This was continuation of Active Blogger Initiative

Advertisements