Govt withdraws draft encription policy under public pressure

23 Sep 2015

The government yesterday decided to withdrew a Draft National Encription Policy that sought to control secured online communication, including through mass-use social media and web applications such as WhatsApp and Twitter.

Communications and information technology minister Ravi Shankar Prasad announced the government's decision at a news conference, saying the draft National Encryption Policy will be reviewed before it is again presented to the public for their suggestions.

''I read the draft. I understand that the manner in which it is written can lead to misconceptions. I have asked for the draft policy to be withdrawn and reworded,'' Prasad said.

While a National Encryption Policy is required to ensure secure transactions in cyber space for individuals, businesses and government, there is a need for clarity on policy, the minister noted while announcing the decision to withdraw the present draft.

The draft has been prepared on the basis of recommendations of a high level expert committee on encryption policy, which were recently put up on the website of the Department of Electronics & Information Technology (DeitY) for public comments.

DeitY has noted public sentiments viz-a-viz the draft. ''It is hereby clarified that the above mentioned draft is not the final view of the government on the matter,'' an official release stated.

"DeitY has also taken note of the ambiguity in some portions of the draft that may have led to misgivings. Hence, the above mentioned draft has been withdrawn and will be put up for consultation after appropriate revision," it added.

Prasad said the draft would be re-released, but did not say when it would be made public.

While the Draft National Encryption Policy proposed  to exempt social media tools such as WhatsApp and e-commerce platforms from the purview of government surveillance, the government will have access to all encrypted information, including personal emails, messages or even data stored on a private business server, according to the draft of a new encryption policy.

The Draft National Encryption Policy also wants users to store all encrypted communication for at least 90 days and make it available to security agencies, if required, in text form. It also wants everyone to hand over their encryption keys to the government.

The draft was formulated by an expert group set up by the Department of Electronics and Information Technology (DeitY) under Section 84A of the Information Technology Act, 2000.

Since every messaging service and email, including WhatsApp and Gmail, use some form of encryption, this draft would cover almost all instant messages and emails.

However, following widespread protest and media uproar, DeitY decided to amend the draft policy exempting ''mass use encryption products that are currently being used in web applications, social media sites, and social media applications such as WhatsApp, Facebook, Twitter etc'' from its purview.

The revised policy also exempts SSL/TLS encryption products used in internet-banking and payment gateways as well as SSL/TLS encryption products being used for e-commerce and password based transactions.

As the preamble of the draft says, ''The cryptographic policy for domestic use supports the broad use of cryptography'' in ways that facilitate privacy and international economic competitiveness. However, in its objectives, it lists the ''use of encryption for ensuring the security/ confidentiality of data and to protect privacy in information and communication infrastructure without unduly affecting public safety and National Security''.