The Department of Electronics and Information Technology (DeitY) of the Ministry of Communications and IT, Government of India has released the Draft National Encryption Policy. This draft seeks to later get converted into a law and assimilated into the Information Technology Act 2000; and thereafter govern the way in which encryption is used for online communications in India.
The policy paper has invited suggestions from the general public and is open to receiving comments until October 16, 2015. But as has been the case with all attempts by the Indian government to regulate the Internet, this one too finds itself in the eye of a Twitter storm.
In the following article we look at both the government’s proposition and the alarms that have been raised.
WHAT THE DRAFT SAYS
The paper starts off with the benign “Vision, Mission and Objectives” sections, which look well-intentioned and state broad aims that nobody could reasonably disagree with.
But things get messy the moment the paper begins dealing with the specifics.
In the “Strategies” section, the draft basically says:
While that is enough to raise the hackles of pro-privacy and civil rights activists, what has been most alarming is the first point in the “Regulatory Framework” section. In it, the government demands that encryption vendors deposit working copies of their products along with product documentation, test suites and the platforms on which such tests are run.
In the “Annexure”, the paper lists AES, Triple DES and RC4 as the permitted encryption algorithms and caps key sizes at 256 bits.
WHAT’S WRONG WITH THE DRAFT
Technically, a lot. The draft makes clear that far more homework was needed before it was released to the public.
For example, the government says it wants to test encryption tools before placing them on the allowed list, yet it also explicitly washes its hands of any responsibility for damage that faulty approved tools cause to users.
Either the government knows that it lacks the technical capacity to genuinely assess and comment on such products, or it is admitting that the testing is a sham intended to create a bureaucratic hurdle and thereby keep technology on a leash.
As if to underscore its technical shortcomings, the draft prescribes the RC4 algorithm, a stream cipher that has long been considered broken; multiple well-documented attacks on it exist, starting with the keystream biases published by Fluhrer, Mantin and Shamir in 2001 and culminating in practical attacks on RC4 in TLS in 2013. In February 2015 the Internet Engineering Task Force (IETF), the body that publishes the Internet’s protocol standards, issued RFC 7465, which prohibits the use of RC4 cipher suites in TLS, and RC4’s own designer, Ronald L. Rivest, has since proposed a replacement called Spritz.
The other major technical problem is the unbounded scope of regulation. Encryption is omnipresent in our online communications and happens so transparently that when the government says it wants to control or regulate encryption it’s spreading itself too thin.
The paper does say that “Mass use products like SSL / TLS are exempted from registration”, but that still leaves huge sectors such as cloud services, Virtual Private Networks (VPNs) and a host of other communications within its scope.
This unbounded scope, together with the directive that individuals keep plain text (unencrypted) copies of their communications for 90 days, is technically unworkable.
Say, for example, a citizen browses the net over a VPN connection. Keeping “plain text” means finding storage for every website visited, every video watched and every trivial activity performed. Where does one store all that data? Who bears the cost, in money and in effort? And in what format should 90 days’ worth of data be captured: a screen recording or a raw data stream?
The gravity of the technical problems notwithstanding, they are perhaps nothing when compared to the political problems posed by the draft.
It’s an open invitation to snooping by the State and an easy handle for violating individuals’ right to privacy and civil liberty. Nothing stops the government from approving only faulty tools, lulling its citizens into believing their communications are private when they are not.
Moreover, absurd demands like keeping plain text for 90 days may not be a mistake at all but a legal “backdoor” of sorts, one that follows the time-tested policy of States to “ban everything; apply selectively”.
Civil liberties activists have rightly converted this draft into a rallying point.
STRIKING A BALANCE
Having said the above, some of the reactions on Twitter and nearly all of the headlines that have followed the release of the draft are more alarmist than factual.
Take this headline on The Indian Express website for example.
Firstly, the draft policy is just that: a draft, one that proposes an amendment to a law. As potentially dangerous as it might be, it doesn’t give the government the keys to Whatsapp messages or any other messaging system. The article itself goes on to say that most such messaging services are registered outside India and won’t bother to hand over such keys.
Secondly, it must be asked as to how is it okay for Facebook (who owns Whatsapp) or any other private corporation to have the keys to read people’s messages but not the Indian government? How does it make users any safer if their data is not intercepted by their government and is instead sold to the highest bidder, which could be anyone?
Is it just a coincidence that government censorship of the Internet gets far more press attention than corporate censorship of the Internet ever has?
The draft dedicates an entire section to “Promotion of Research and Development in Cryptography”, aimed at developing an indigenous ecosystem of cryptographic studies and technology building. But in the din of the #outrage, that finds little mention.
There has been increasing awareness of digital civil rights, and the demand that the government leave its citizens’ democratic rights untouched has found an ever stronger echo in Indian cyberspace.
What remains eclipsed, though, is the talk about the rights of the sovereign nation states, vis-à-vis the Internet and communication technology corporations and the Western industrial military complex of which they are integral members.
When Indian citizen X communicates with Indian citizen Y via Facebook or Whatsapp, or sends an email using Gmail or Yahoo, the communication is opaque to the Indian authorities, who have to approach the firm case by case to obtain plain text.
However, as the Snowden documents and innumerable other studies clearly show, the American government (and its four English-speaking allies in the Five Eyes alliance) has the corporations on board and can therefore have full access to these communications without breaking any laws.
The entire post-Snowden civil liberties furore in the American media is about how their government must go through their courts only when the target of the surveillance is their countryman — an American. India may be their biggest market, but when it comes to digital civil rights, India is just another in the clump of lesser mortals called the third world and like all non-West nations, her citizens, common and VIP, are all fair game.
This imbalance of power is what has lent credence to the efforts of BRICS members like Russia and China to block out and/or seek homegrown alternatives to Google and Twitter. China has been reported to have negotiated aggressively with Yahoo and other corporations to make them do business on their terms.
It is worth noting the diametrically opposite reactions of India and Brazil when it was discovered that private ISPs and telecom firms were spying on political targets in their countries. Indian Prime Minister Manmohan Singh didn’t bother reacting and his minister Salman Khurshid brushed the allegations off, while Dilma Rousseff of Brazil blockaded the companies’ operations and started investigations.
So it is not only justified that India seeks to tighten her leash on these companies, it is overdue.
Democratic governments can be questioned, held responsible and forced to become transparent. They can be made to seek people’s opinions when formulating laws. And as was seen in the case of the porn ban and Section 66A, democratic movements are still effective against popularly elected governments and can make them go back on laws that are regressive and anti-freedom.
But such means are ineffective against corporations because they are essentially non-democratic and place themselves outside the ambit of popular democracy. Additionally, thanks to the pedestal on which popular and mainstream media put the IT corporations, they have assumed an unwritten exemption from the ethics commonly followed by others. IT corporations have time and again asserted that they can pursue their interests and their profits at any cost and by any means, beyond the laws of the land, because they are “different”.
For this debate on encryption to stay on course and reach fruition, both the civil society-NGO contingent and the government would do well to isolate their interests and agenda from that of the corporates. And thereafter communicate clearly with each other and build trust along the way.
PS: At the time of this article being written, Shri A Krishnan of DeitY has not responded to emails or phone calls made by the author seeking a better understanding of the motive of this draft. However an addendum has been released that says mass use products like social media services will be exempted.