Yay! Encryption Policy Will Not Be Enforced on Facebook, WhatsApp & Other Social Media Apps!
[Update – 22/09/2015]
It seems the people over at the Department of Electronics and Information Technology (DeitY) have accepted that they made a blunder with the Draft Encryption Policy released yesterday (read the details below). They have now come up with a proposed change which essentially exempts sites like Facebook and Twitter and apps like WhatsApp, Viber and others from the purview of the encryption policy.
Here is the new addendum released by DeitY:
By way of clarification, the following categories of encryption products are being exempted from the purview of the draft national encryption policy:
- The mass use encryption products, which are currently being used in web applications, social media sites, and social media applications such as WhatsApp, Facebook, Twitter etc.
- SSL/TLS encryption products being used in Internet-banking and payment gateways as directed by the Reserve Bank of India
- SSL/TLS encryption products being used for e-commerce and password based transactions
The experts sitting at the Department of Electronics and Information Technology (DeitY) have come up with a draft encryption policy that should put some serious fear in your mind if you are a user of messaging apps like WhatsApp, Viber, Hike and others. And not only messaging: if you use any application that relies on a secure method of communication, this encryption policy could really be the nail in the coffin.
The encryption policy was released with a vision to "enable information security environment and secure transactions in Cyber Space for individuals, businesses, Government including nationally critical information systems and networks." However, the regulations the policy document comes up with look like they have not been thought through thoroughly. How else can you explain a sentence like this?
All citizens (C), including personnel of Government / Business (G/B) performing non-official / personal functions, are required to store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country
What this means is that any message you have sent or received through an app will need to be saved by you, in plaintext, for 90 days – not doing so may land you in legal soup!
We could have understood if this requirement applied only to a selected section of society (criminals etc.) – but the policy enforces it on each and every individual, which is ridiculous.
And that's not all – the policy also prescribes various other requirements that may not even be feasible.
For example – the encryption algorithms, along with the exact key sizes, for secure communication between devices in India will be prescribed only by the Government. Vendors and businesses providing such services will need to use those encryption algorithms only, and violating this will attract legal action! Instead, the policy should have specified only how strong the encryption must be, rather than mandating specific algorithms and key lengths.
Apart from this, businesses will also have to keep the encrypted data for a period of 90 days and make it available to law enforcement agencies as and when the demand is made.
All vendors of encryption products need to register their products with the designated agency of the Government. While seeking registration, the vendors will need to submit working copies of the encryption software / hardware to the Government along with 4 professional quality documentation, test suites and execution platform environments.
Overall, the suggestions made in the Draft Encryption Policy are not only difficult to implement, but may also put user privacy at risk!
Check the Draft Encryption Policy here.