Prasad does right thing, but who came up with draft?
Rarely, if ever, does a government completely withdraw a draft policy so rapidly since, as the name suggests, a draft is meant for comments – if these are very adverse, the issues raised get accommodated at the time the policy is finalised. This time however, Communications Minister Ravi Shankar Prasad was very active. So, when the buzz picked up on what the Draft National Encryption Policy could mean to people’s WhatsApp chats, for instance, Prasad got the IT ministry to issue a statement saying the policy didn’t apply to social media, and within a few hours of that, he had the draft withdrawn altogether – and rightly so, since the draft was positively embarrassing and looked as if it had been put together by people who had little idea of what is happening on encryption standards globally. While every country, as Prasad rightly said, needs some rules/guidelines on encryption, what is not clear is how this particular policy got drafted and how it did not reflect any of the concerns/solutions that have been worked on for the past 5-6 years in the two high-level committees that were formed by the Department of Telecommunications (DoT) for this very purpose.
Every company – even apps like WhatsApp – encrypts data, not just for security of communication for their clients/staffers, but also because the law demands it; India’s case is unique because while one set of laws requires higher encryption levels, others require lower levels. So, the DoT allows a maximum encryption level of 40-bit keys while Sebi mandates 64/128-bit encryption and RBI specifies that banks have to use at least 128-bit encryption – in other words, all banks and ecommerce firms are violating some part of the law today! The Draft Encryption Policy, you would have thought, would have specified guidelines on encryption but it left this vague and said it ‘will be as specified through notification by the Government from time to time’.
What got social media upset, and rightly so, was the draft saying users of WhatsApp-type services would have to keep their messages for 90 days and, if required by law, provide these to the government. But if this was ridiculous – and would have been challenged in a court of law – how did the draft hope to implement getting service providers outside India to ‘enter into an agreement with (it) for providing (encryption) services in India’? Various apps offer encryption and they can just be downloaded on phones – how is this to be monitored and why would foreign app-makers want to sign such agreements with India? Indeed, there is the issue that came up in the case of BlackBerry servers, of whether service providers have the ‘keys’ to encryption or whether these are dynamic and generated by users themselves; if they are user-generated, there are no ‘keys’ to be handed over to the authorities – it is these issues that the DoT committees were set up to try and address and find workable solutions to. And what if other countries were to emulate India and say that any Indian firm sending encrypted information overseas – as Indian IT firms do all the time to their clients – would have to sign an agreement with their governments? And if security is the issue, surely exempting social media is not a great idea since terrorists are more likely to be using this to communicate. In which case Prasad would do well to examine what the committees had to say on these issues and to ensure that these are incorporated into the next draft before it is released for consultation – left unsupervised, the ministry’s bureaucrats could once again end up embarrassing both Prasad and the government.