India Withdraws Draft National Encryption Policy after Outrage
Life moves fast in the social media era. In the space of 48 hours, India managed to float a draft of something as geeky as an encryption policy, trigger national outrage, exempt social media from it, and finally withdraw it.
On Tuesday afternoon, two days after the policy draft was floated, it was withdrawn. It had been released for public feedback “without my knowledge,” said IT Minister Ravi Shankar Prasad.
What was this draft National Encryption Policy (NEP)?
Encryption technology is used to encode messages, making them secure so that only authorised people can read them.
On the face of it, the NEP was a plan to define common minimum standards for encryption. Nice idea for security of all communications, no? But wait, government agencies would be exempt from all this. Suspicious. Until it became clear that the policy did its best to ensure a decrease in the security of communications for individuals and organizations in India.
It got worse. Before you use an encryption product, said the NEP, it must be registered with ‘the competent authority’. You can only use encryption approved by the government, and, presumably, familiar to (and crackable by) government agencies.
That isn’t what caused the public outrage, though. WhatsApp and Facebook did that.
Send a text message on WhatsApp or Facebook or BBM messengers, and you’d be required by law to save a plain text copy for 90 days.
Actually, the NEP plan was sweeping, covering all encrypted messages. All emails, including Gmail. All messages on any messenger except SMS. Everything is encrypted these days.
On demand by Indian law enforcement or a government agency, you would need to submit a copy of any encrypted message sent in the past three months.
Yes, that was the plan according to the NEP, whose draft was released for public comment on September 20, with a month given for feedback.
It’s rare for something as geeky as encryption to become a subject of national outrage in India within a day, but that’s what happened yesterday. The draft triggered fury and fiery debates.
By contrast, a debate on Net Neutrality earlier this year had taken months of protest and activism to enter public discourse.
The difference was that the NEP draft was a short, six-page document that was quickly translated by experts and media into its likely outcomes.
After the outrage, an addendum followed overnight, exempting “popular mass exemption products used in platforms such as WhatsApp, Facebook and Twitter” from this requirement. And also encrypted financial transactions, and passwords.
Praise the lord—Indian firms wouldn’t have to store plain text copies of all user passwords.
They did not exempt email, though. So, no deleting any emails you’ve sent, for 90 days. It’s all encrypted.
That was up to Tuesday morning. By afternoon, the NEP draft was reportedly withdrawn. For now.
As we’ve seen with net neutrality, though, this government isn’t one to give up control so easily, especially over something that can be linked to national security.
And indeed, Mr Prasad has said that the NEP draft, which was poorly worded, would be reworked. Watch this space.