The Elusive National Encryption Policy

Subhasish writes draft National Encryption Policy (NEP) was formulated by an Expert Group set up by Department of Electronics and Information Technology (DeitY) and was released in Sep 2015 for comments and suggestions from the public. However, the draft was withdrawn as some of its provisions were criticised by activists and experts. Even after two years DeitY is yet to release a new draft of the policy.

1. As per Section 84A of the Information Technology (amendment) Act, 2008, rules are to be framed to prescribe modes or methods of encryption of data. The operative Section reads as follows:-

 

“84A. The Central Government may, for secure use of the electronic medium and for promotion of e-governance and e-commerce, prescribe the modes or methods of encryption.”

 

2. A draft National Encryption Policy (NEP) was formulated by an Expert Group set up by Department of Electronics and Information Technology (DeitY) and was released in Sep 2015 for comments and suggestions from the public. This policy was to be applicable to all except “departments/ agencies of the government designated for performing sensitive and strategic roles” that are governed by classified policies. However, the draft was withdrawn as some of its provisions were criticised by activists and experts.

 

3. The criticism primarily centred around certain “law-enforcement” provisions that included the following:-

 

(a)          All users were “required to store the plain text of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable plain text to Law and Enforcement Agencies as and when required as per the provisions of the laws of the country”.

 

(b)          All service providers using encryption technology were required to “enter into an agreement with the Government for providing such services in India”.

 

(c)           All vendors of encryption products were required to register their products with a designated government agency and submit details of their product for registration (mass use products were exempted from this registration).

 

(d)          Algorithms and key sizes for encryption as notified under the provisions of the policy only will be used.

 

4. The legality of these law-enforcement practices is embedded in Section 69 of the IT Act 2000 that authorises the Central or State Government to issue directions for interception or monitoring or decryption of any information through any “computer resource”. The person in-charge of the “computer resource” is expected to provide access, intercept, monitor or decrypt as the case may be or provide information stored in the “computer resource”.

 

5. After withdrawal of the draft policy in Sep 2015, no fresh proposal has been submitted by DeitY, although there is general agreement that a NEP is required to frame the guidelines for use of data encryption in the country. Guidelines for various sectors have been issued by respective regulators such as Department of Telecommunications (for telecom operators), Securities and Exchange Board of India (for stock market transactions) and Reserve Bank of India (for banking transactions). These guidelines stipulate the minimum standards of encryption to be used in transactions.

 

6. To complicate matters further, internet messaging service providers (like WhatsApp has done since April 2016) have started end-to-end encryption for their services. This means that all data being exchanged between users (voice calls, files, images and messages) are available only to the intended users. This ensures the privacy of individuals but relieves the service provider from complying with government directives for retrieving data since it claims that it neither stores the data nor has the “key” to decrypt the data. These secure messaging services are now being used by criminal and terrorist organisations to communicate without fear of interception by government agencies.