Indian draft rules on encryption could compromise privacy, security

India’s government is trying to ensure that its law enforcement agencies have easy access to encrypted information, but it could be compromising security and privacy in the process.

A draft policy on encryption issued by the Indian government aims to keep a check on the use of the technology by specifying the algorithms and the length of the encryption keys used by different categories of people.

Consumers will also be required to store the plain texts of encrypted information for 90 days from the date of a transaction and provide the text to agencies when required under the laws of the country.

Indian businesses, and the customers they correspond with, will also be responsible for providing readable plain text along with the related encrypted information when communicating with a foreign entity.

The policy will not, however, be applicable to designated sensitive departments and agencies of the government, though it is applicable to other government departments.

The government has invited comments from the public on the policy by Oct. 16.

Although the new policy could expose user data to hackers as plain text, the government document sets as its mission to “provide confidentiality of information in cyber space for individuals, protection of sensitive or proprietary information for individuals & businesses, ensuring continuing reliability and integrity of nationally critical information systems and networks.”

It is surprising that even as there is so much concern about hacking and the loss of privacy, the government wants users to store data as plain text, said Akash Mahajan, a security consultant in Bangalore. Once the plain text is with the government, there is no way to verify it with the original digital data as the practices of law enforcement in safeguarding the integrity of data are not laid out very clearly, he added.

The country’s Information Technology Act provides for rules to be framed that prescribe the mode of encryption. Under the proposed rules, service providers will also have to arrive at agreements with the Indian government to provide their services, which from the general tenor of the document suggests that they will have to be willing to provide plain text information to the government when required under the law.

Consumers, businesses and non-strategic government users of these services will also be responsible for providing plain text information when required.

Internet companies, including Google and Microsoft, did not immediately comment on the proposal.

The use of encryption in information technology and communications services has been a sore point for law enforcement agencies that want easier access to information, including through back-door access. In opposition are tech companies like Apple and Google and civil rights groups, which back stronger encryption and the privacy of data and communications.

U.S. Federal Bureau of Investigation Director James Comey called in July for a “robust debate” on encryption of communications, saying that the technology could prevent him from doing his job to keep people safe. “There is simply no doubt that bad people can communicate with impunity in a world of universal strong encryption,” Comey wrote in an op-ed in the Lawfare blog.

The move by India could break the trust that exists between people and online businesses and between Indian companies and their foreign partners, Mahajan said.