Draft encryption policy exempts social media, e-commerce apps

22 Sep 2015

The Draft National Encryption Policy has exempted social media tools such as WhatsApp and e-commerce platforms from the purview of government surveillance.

This means mass-use social media applications such as WhatsApp, Facebook and Twitter will be outside the national encryption policy's purview.

The government, however, will have access to all encrypted information, including personal emails, messages or even data stored on a private business server, according to the draft of a new encryption policy.

The Draft National Encryption Policy also wants users to store all encrypted communication for at least 90 days and make it available to security agencies, if required, in text form. It also wants everyone to hand over their encryption keys to the government.

The draft was formulated by an expert group set up by the Department of Electronics and Information Technology (DeitY) under Section 84A of the Information Technology Act, 2000. Since every messaging service and email, including WhatsApp and Gmail, uses some form of encryption, this draft would cover almost all instant messages and emails.

However, following widespread protest and media outcry, DeitY decided to amend the draft policy, exempting "mass use encryption products that are currently being used in web applications, social media sites, and social media applications such as Whatsapp, Facebook, Twitter etc" from its purview.

The revised policy also exempts SSL / TLS encryption products used in internet-banking and payment gateways as well as SSL / TLS encryption products being used for e-commerce and password-based transactions.

DeitY has invited comments from the public on the draft policy till 16 October. It has also suggested that "all vendors of encryption products shall register their products with the designated agency of the government".

The final policy draft will be based on the feedback on the present draft.

As the preamble of the draft says, "The cryptographic policy for domestic use supports the broad use of cryptography" in ways that facilitate privacy and international economic competitiveness. However, in its objectives, it lists the "use of encryption for ensuring the security/ confidentiality of data and to protect privacy in information and communication infrastructure without unduly affecting public safety and National Security".