If you use WhatsApp or Snapchat and regularly
delete messages to keep your phone or computer clutter-free, think again. A
draft government policy on internet security wants you to save all messages for
up to 90 days and be able to produce them if asked by the authorities.
The draft National Encryption Policy on internet
security also seeks to control the level of security online apps can build into
their products and proposes that digital business save all information in plain
text format for 90 days, potentially exposing such sensitive data to both
government agencies as well as cyber attacks.
“Whatever little semblance of privacy exists, will
be evaporated if this draft policy were to be implemented”, said Pavan Duggal,
cyber law expert and Supreme Court advocate.
“The government may hold the users liable,
according to the draft policy. The user has to keep data in ‘plain text’ for 90
days. Most people in the country don’t even understand what it means,” said
Nikhil Pahwa, editor of tech news website MediaNama.
India doesn’t have an exclusive policy on digital
encryption, or methods by which data is kept secure on the internet. The draft,
seeking to address this legislative vacuum, cites ‘concerns of national
security’ to justify its stringent proposals.
"There are security concerns, and they should
be addressed, but not at the cost of the rights of individuals… It’s bizarre
draft that has come out,” Pahwa added. “What if BPO's in India have to make
available to the government data they have from, say, banks in other nations?
Does that not violate laws of other countries? Won't they lose business?” said
Pahwa, who also volunteers for savetheinternet.in.
The government’s proposal, uploaded over the
weekend for feedback from the public, reads: “Encryption algorithms and key
sizes shall be prescribed by the government through notifications from time to
time... Service providers located within and outside India, using encryption
technology for providing any type of services in India must enter into an
agreement with the government for providing such services in India”. Encryption
algorithms and key sizes determine how secure a communication is.
The draft’s proposal holds major implications for
foreign software services providers because it gives the Indian government the
right to determine what encryption standards should be used.
“The government has invoked the IT Act while making
this document. Technically, refusal to comply with the final policy would be
deemed illegal,” Ranjeet Rane, who works in the domain of digital certificates
and data encryption, told Hindustan Times.
“The draft defeats the very purpose of encryption.
If we are to save our sensitive data in plain text leaving it susceptible what
is the point of the encryption in the first place,” Rane said. “Also, the onus
of saving the data is on the user. He or she would not even know what to save,
and how.”
The move comes at a time when the government is
formulating its stand on net neutrality, which says all internet traffic should
be treated as equal whether it carries voice, text, images, or video.
For the encryption policy draft, the Department of
Electronics and Information Technology has asked for the public’s feedback by
October 16.
Rane said the draft was likely to invite a wave of
criticism from several quarters. “It’s like re-inventing the wheel. The
government would end up adding an unnecessary layer in the information
technology domain, preventing innovative solutions that are the norm in the
dynamic domain of encryption from being tested and used."
“The policy should try to promote innovative
platforms like Hackathons while developing newer standards.”
No comments:
Post a Comment