Indian draft rules on encryption could compromise privacy, security

The government's focus is on ensuring access to information by law enforcement agencies

India's government is trying to ensure that its law enforcement agencies have easy access to encrypted information, but it could be compromising security and privacy in the process.

A draft policy on encryption issued by the Indian government aims to keep a check on the use of the technology by specifying the algorithms and the length of the encryption keys used by different categories of people.

Consumers will also be required to store the plain texts of encrypted information for 90 days from the date of a transaction and provide the text to agencies when required under the laws of the country.

Indian businesses, and the customers they correspond with, will also be responsible for providing readable plain text along with the related encrypted information when communicating with a foreign entity.

The policy will not, however, be applicable to designated sensitive departments and agencies of the government, though it is applicable to other government departments.

The government has invited comments from the public on the policy by Oct. 16.

Although the new policy could expose user data to hackers as plain text, the government document sets as its mission to "provide confidentiality of information in cyber space for individuals, protection of sensitive or proprietary information for individuals & businesses, ensuring continuing reliability and integrity of nationally critical information systems and networks."

It is surprising that even as there is so much concern about hacking and the loss of privacy, the government wants users to store data as plain text, said Akash Mahajan, a security consultant in Bangalore. Once the plain text is with the government, there is no way to verify it with the original digital data as the practices of law enforcement in safeguarding the integrity of data are not laid out very clearly, he added.

The country's Information Technology Act provides for rules to be framed that prescribe the mode of encryption. Under the proposed rules, service providers will also have to arrive at agreements with the Indian government to provide their services, which from the general tenor of the document suggests that they will have to be willing to provide plain text information to the government when required under the law.

Consumers, businesses and non-strategic government users of these services will also be responsible for providing plain text information when required.

Internet companies, including Google and Microsoft, did not immediately comment on the proposal.

The use of encryption in information technology and communications services has been a sore point for law enforcement agencies that want easier access to information, including through back-door access. In opposition are tech companies like Apple and Google and civil rights groups, which back stronger encryption and the privacy of data and communications.

U.S. Federal Bureau of Investigation Director James Comey called in July for a “robust debate” on encryption of communications, saying that the technology could prevent him from doing his job to keep people safe. “There is simply no doubt that bad people can communicate with impunity in a world of universal strong encryption,” Comey wrote in an op-ed in the Lawfare blog.

The move by India could break the trust that exists between people and online businesses and between Indian companies and their foreign partners, Mahajan said.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

John Ribeiro

IDG News Service
Show Comments

Father’s Day Gift Guide

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?