India Withdraws Draft National Encryption Policy after Outrage
Life moves fast in the social media era. In the space of 48 hours, India managed to float a draft of something as geeky as an encryption policy, trigger national outrage, exempt social media from it, and finally withdraw it.
On Tuesday afternoon, two days after the policy draft was floated, it was withdrawn. It had been released for public feedback “without my knowledge,” said IT Minister Ravi Shankar Prasad.
What was this draft National Encryption Policy (NEP)?
Encryption technology is used to encode messages, making them secure so that only authorised people can read them.
On the face of it, the NEP was a plan to define common minimum standards for encryption. Nice idea for security of all communications, no? But wait, government agencies would be exempt from all this. Suspicious. Until it became clear that the policy did its best to ensure a decrease in the security of communications for individuals and organizations in India.
It got worse. Before you use an encryption product, said the NEP, it must be registered with ‘the competent authority’. You can only use encryption approved by the government, and, presumably, familiar to (and crackable by) government agencies.
That isn’t what caused the public outrage, though. WhatsApp and Facebook did that.
Send a text message on WhatsApp or Facebook or BBM messengers, and you’d be required by law to save a plain text copy for 90 days.
Actually, the NEP plan was sweeping, covering all encrypted messages. All emails, including Gmail. All messages on any messenger except SMS. Everything is encrypted these days.
On demand by Indian law enforcement or a government agency, you would need to submit a copy of any encrypted message sent in the past three months.
Yes, that was the plan according to the NEP, whose draft was released for public comment on September 20, with a month given for feedback.
It’s rare for something as geeky as encryption to become a subject of national outrage within a day, but that’s what happened in India yesterday. The draft triggered fury and fiery debates.
By contrast, a debate on Net Neutrality earlier this year had taken months of protest and activism for it to enter public discourse.
The difference was that the NEP draft was a short, six-page document that was quickly translated by experts and media into its likely outcomes.
After the outrage, an addendum followed overnight, exempting “popular mass exemption products used in platforms such as WhatsApp, Facebook and Twitter” from this requirement. And also encrypted financial transactions, and passwords.
Praise the lord—Indian firms wouldn’t have to store plain text copies of all user passwords.
They did not exempt email, though. So, no deleting any emails you’ve sent, for 90 days. It’s all encrypted.
That was up to Tuesday morning. By afternoon, the NEP draft was reportedly withdrawn. For now.
As we’ve seen with net neutrality, though, this government isn’t one to give up control so easily, especially over something that can be linked to national security.
And indeed, Mr Prasad has said that the NEP draft, which was poorly worded, would be reworked. Watch this space.