New Delhi: A proposed draft national encryption policy has unnerved analysts as it is likely to give law enforcement agencies unlimited access to citizens’ personal and financial online data. Moreover, you may be required to save all your online and mobile data (WhatsApp messages, Google chats, BBM messages and emails, among others) for 90 days and provide it to law enforcement agencies in “plain text” if demanded, as per the proposed draft.
It will be the government which will notify the type of encryption keys and algorithms to be used by businesses and citizens, giving them backdoor access to all communications.
“All citizens, including personnel of government/business performing non-official/personal functions, are required to store the plain texts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable plain text to law and enforcement agencies as and when required as per the provision of the laws of the country,” the proposed draft said.
While people don’t explicitly use encryption while communicating, it’s built into apps used every day, like WhatsApp, BBM messages and email.
All these service providers located within and outside India and using encryption technology for providing any type of services in India will have to enter into an agreement with the government for providing such services, the draft says.
So this may mean that in case WhatsApp or any other service provider that uses encryption has not registered with the government, it could be deemed illegal in India.
In case of communication with a foreign entity, the primary responsibility of providing readable plain text along with the corresponding encrypted information will rest on the business entity or the citizen located in India.
Only those algorithms and key sizes for encryption can be used which are notified by the government. All vendors of encryption products will have to register their products with the government. While seeking registration, the vendors will have to submit working copies of the encryption software/hardware to the government. The vendors will work with government agencies in a security evaluation of their encryption products.
Users in India will be allowed to use only products registered in India. “The government reserves the right to take appropriate action as per law of the country for any violation of this policy,” the draft says.
People can send comments on the draft policy to the government till October 16.
