Withdraws Draft Encryption policy
It took more than six years for the government-appointed committee to present a Draft Encryption Policy, which had to be withdrawn less than 24 hours after it was put up for public comments, thanks to an impractical suggestion that required individuals to store all messages/calls made through WhatsApp, Facebook, Viber, Skype, etc., for 90 days.
The draft report, which was put up on the website of the department of information technology late on Monday evening, was withdrawn on Tuesday morning amid an uproar on social media. Communications and IT minister Ravi Shankar Prasad said a revised policy would be placed in the public domain again after reworking some of the “expressions” that gave rise to “misgivings”.
Experts FE spoke to pointed out that the committee's suggestion that individuals be asked to store such messages was not only impractical but also not required. Encryption means that text or voice is converted from plain form into code, transferred through internet protocol networks, and then decrypted at the other end. Encryption and decryption are not required for voice calls over mobile/landline or SMS. However, they are required in IP networks, so all messages sent through apps like WhatsApp, Facebook or Viber, and calls made through Skype, use encryption.
It is also used by enterprises like banks which deal in sensitive information to communicate between their different branches or locations.
Analysts said that all encrypted messages or calls made through IP networks are stored with the mobile operators, as this is part of their licensing condition. The government can access them whenever it wants, but it would need to ask the app provider, such as Facebook or WhatsApp, to decrypt them, as these providers use a very high level of encryption that the government would not be able to decrypt on its own.
Simply put, the onus for encryption should be on the service providers rather than individuals.
“While an encryption policy is required, asking individuals to store messages is impractical and not required. All that the policy needs to say is that whenever the government needs it, IP network players or enterprises would have to give decryption key to the government,” an industry expert on the subject who gave a presentation before the committee told FE.
“It is wrong to put the onus of encryption on individuals when it should be on the service providers,” Pawan Duggal, an expert on cyber security laws, said. “Any onus on individuals also raises the issue of policing,” he added.
At a news conference on Tuesday to speak on the decisions taken by the Cabinet, Prasad said, “I wish to make it very clear that it is just a draft and not the view of the government. But I have noted some of the concerns expressed by certain enlightened segments of the public. I have personally seen that some of the expressions used in the draft are giving rise to uncalled-for misgivings. Therefore, I have written to DeitY (the department of electronics and information technology) to withdraw that draft, rework it properly and thereafter put in the public domain for comments.”
The minister, however, maintained that there is a need for an encryption policy which would apply to those who are involved in encrypting a messaging product for a variety of reasons. “I wish to make it very clear that there are two issues. One, creation of encryption. Many companies send messages in an encrypted form. Other is those who are consumers of applications like WhatsApp, social media and other platforms available in the cyber domain. The purpose of this encryption policy relates only and only to those who encrypt. This has to be made very clear. As far as ordinary consumers of applications are concerned, they do not fall in this domain. Because (for) those who encrypt, for a variety of reasons, there has to be a policy regulating the manner of their encryption,” he said.