If a draft proposal by government's Department of Electronics and Information Technology (DeitY) becomes the law in its current form, you might be asked to retain certain forms of digital communication for a period of 90 days.
Update 22 September 1:40am: The government issued an addendum to clarify that "mass use encryption products, which are currently being used in web applications, social media sites, and social media applications such as WhatsApp, Facebook, Twitter etc." While that language is vague in itself, you can rest easy without needing to worry about having to store your WhatsApp messages for 90 days. The original text continues below.
The DeitY has posted a draft National Encryption Policy on its website inviting comments from the public on its mission, strategies, objectives, and regulatory framework, which you can send to firstname.lastname@example.org, until 16th October 2015. A lot of the details mentioned in the draft guidelines are worrying, and this is a topic that concerns every consumer.
While the draft encryption policy's preamble starts by talking about improving e-governance and e-commerce through better security and privacy measures, it very quickly brings up national security as well, and that's where things get worrying from a consumer's perspective. It's very reminiscent of when the Indian government was thinking about banning BBM in India unless BlackBerry (then Research in Motion) gave security agencies access to snoop on emails. The two would eventually reach an arrangement that allowed the government to intercept email.
The language of the new draft policy is quite clear on one thing - businesses and consumers may use encryption for storage and communication, but the encryption algorithms and key sizes will be prescribed by the Indian government. What's more, vendors of encryption products would have to register in India (with the exception of mass use products, such as SSL), and citizens are allowed to use only the products registered in India.
"Would OpenPGP, a commonly-used standard for encryption of email, fall under 'mass use'?" asks Pranesh Prakash, Policy Director at the Centre for Internet and Society, speaking to Gadgets 360. "Because if it doesn't, I am prohibited from using it. But if it does, I am required to copy-paste all my encrypted mails into a separate document to store it in plain text, as required by the draft policy. Is that what it really intends? Has the government thought this through?"
Most people don't explicitly use encryption, but it's built into apps they use every day. Do the draft guidelines also extend to products and services with built-in encryption like WhatsApp? If yes - and the language certainly suggests it does - then combine them with governments requirements for its citizens, as proposed in the draft guidelines, and we could have very worrying scenarios.
The draft guidelines read "All citizens (C), including personnel of Government/ Business (G/B) performing non-official/ personal functions, are required to store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country."
WhatsApp messages are now encrypted end-to-end. So do the draft guidelines mean you have to store a copy of all your WhatsApp messages for 90 days? What about Snapchat? Or any other form of ephemeral messaging that is automatically deleted after being read? The consumer is expected to maintain plain text copies of all communications for 90 days - so that these can be produced if required by the laws of the land - so, will it even legal to read a message that deletes itself, if and when the draft guidelines become law?
The draft policy document states that the vision is to create an information security environment, and secure transactions. But the actual details mentioned in the draft appear to do the opposite, and put a focus more on the lines of limiting encryption only to technologies that likely could be intercepted by the government, when required.
This is in many ways similar to the Telecom Regulatory Authority of India's draft letter on Net Neutrality, which instead talked about issues like cyberbullying and 'sexting'. In the feedback period, Trai received over 1 million emails. but the Department of Telecom report on Net Neutrality also went against public sentiment on certain things, suggesting that telcos should be allowed to charge extra for specific services, such as Skype or WhatsApp voice calls in India, showing that calls for feedback aren't necessarily being taken seriously.
And, with the draft National Encryption Policy, another problem that is shared with the Net Neutrality discussions, is the use of vague language. The result is that there is very little clarity at this point on what will and will not be permitted by the government if the draft guidelines are adopted. We're living in a time when the government talks about how WhatsApp and Gmail may be used by "anti-national elements", and even considered requiring Twitter and Facebook to establish servers in India.
With that in mind, you have to ask, will it be even legal to use WhatsApp if these guidelines are implemented? After all, WhatsApp messages have end-to-end encryption and if this service does not register in India, and comply with the algorithms prescribed by the government, then as a citizen of India, you won't be allowed to use it because "users in India are allowed to use only the products registered in India," as per the draft guidelines.
If the draft policy comes into affect, businesses need to provide the plain text message, and the encrypted pair, to verify that the intercepted encrypted communication is indeed the same as the plain text message that they are providing to law enforcement or intelligence agencies, when asked as per the laws of the country.
"There is an assumption here, that given the same plain text, you always get the encrypted text. This assumption is wrong," Prakash says. "It holds for some forms of encryption, but does not necessarily hold for all forms of encryption. If there's a changing salt, it won't lead to the same encrypted text each time."
Prakash also argues against the draft specifying the hashing mechanisms, algorithm, and the key length. He says the government should instead be setting a minimum encryption strength for various sectors, like financial data, health data, or governmental use, adding that algorithms cited were outdated and broken.
"Of the 3 symmetric cryptographic primitives that are listed - AES, 3DES, and RC4 - one, RC4, has been shown to be a broken cipher. It is unimaginable that they would be mandating it as one of the three currently permissible. They are weakening national security by doing so!"
These are questions that don't just affect a few people, but just about every Indian who is using the mobile Internet. In its present form, the draft actually severely limits what you can do online, and could hobble the push for a digital India. There's almost a full month to give our feedback, but is anyone listening?
For details of the latest launches and news from Samsung, Xiaomi, Realme, OnePlus, Oppo and other companies at the Mobile World Congress in Barcelona, visit our MWC 2024 hub.