Updated: Comments on Draft National Encryption Policy
The Government of India is in the process of issuing a National Encryption Policy. Recently, it came out with a draft and invited comments on it.
Imagine, the Government issues a policy which states that you may lock your house but you have to leave the keys outside the house, at all times. The Government appointed officials may then at any time visit your house to see what's going on inside. You have no choice but to comply. What would your reaction be?
If your answer to the above question ranges between 'you'll be annoyed' and 'you'll be outraged', then be prepared to let it out. After the much debated anti-Net Neutrality proposal, the GoI has come out with yet another controversial proposal. It has recently published a Draft National Encryption Policy which, if implemented, would create conditions similar to the above-mentioned scenario.
Let's go through it point by point to understand how:
Preamble
This section states that:
The recognition of the need to protect privacy and increase the security of the Internet and associated information systems have resulted in the development of policies that favour the spread of encryption worldwide. The Information Technology Act 2000 provides for prescribing modes or methods for encryption (Section 84A) and for decryption (Section 69). Taking into account the need to protect information assets, international trends and concerns of national security, the cryptographic policy for domestic use supports the broad use of cryptography in ways that facilitates individual / businesses privacy, international economic competitiveness in all sectors including Government.
Here the GoI clearly states its motives behind publishing this policy for domestic use. They are as follows:
Protect Privacy of businesses and individuals
Protect Information Assets
Increase National Security
Align with international policies
So far so good. Given the increasing significance of cyber-warfare these would be the primary concerns of any government, as far as cryptography is concerned. Next, the preamble lists the scope of the policy:
This policy is not applicable to sensitive departments / agencies of the government designated for performing sensitive and strategic roles. This policy is applicable to all Central and State Government Departments (including sensitive Departments / Agencies while performing non-strategic & non-operational role), all statutory organizations, executive bodies, business and commercial establishments, including public sector undertakings and academic institutions and all citizens (including Personnel of Government / Business performing non-official / personal functions).
When translated into simpler language, this means that this policy will be applicable to one and all, including agencies such as RAW, the Intelligence Bureau etc. However, it excludes such agencies whenever they are involved in sensitive and strategic operations, which is most of the time. The policy does not define what it considers to be 'sensitive departments'.
I. Vision
To enable information security environment and secure transactions in Cyber Space for individuals, businesses, Government including nationally critical information systems and networks.
Though it is a good vision statement, the policy defines neither the constituents of the said information security environment nor the nature of the transactions that need to be secured. For example, this policy could be used to enable the implementation of a centralized decryption system, which the GoI may consider to be a part of the information security environment.
II. Mission
To provide confidentiality of information in cyber space for individuals, protection of sensitive or proprietary information for individuals & businesses, ensuring continuing reliability and integrity of nationally critical information systems and networks.
This is an ambiguous mission statement, since the policy does not define what information can be kept confidential, what information would be considered sensitive and what information would be termed proprietary. It does, however, refer to the Information Technology Act 2000 for certain definitions.
III. Objectives
To synchronize with the emerging global digital economy / network society and use of Encryption for ensuring the Security / confidentiality of data and to protect privacy in information and communication infrastructure without unduly affecting public safety and National Security.
To encourage the adoption of information security best practices by all entities and Stakeholders in the Government, public & private sector and citizens that are consistent with industry practice.
Observations & Comments:
Note the repeated emphasis on ensuring confidentiality and protecting privacy in information and communication infrastructure.
The policy does not state what the information security best practices are, especially in terms of cryptography. For example, using an encryption key of higher strength (1024 bits or more) is an information security best practice. However, if the GoI mandates the use of a key of lesser strength (say 256 bits), it would be in contradiction of its stated objectives.
IV. Strategies
Throughout this section the following statement has been used repeatedly:
Use of Encryption technology for storage and communication within [x group of users] with protocols & algorithms for Encryption, key exchange, Digital Signature and hashing will be as specified through notification by the Government from time to time.
This statement gives the government the power to dictate or change the encryption algorithms, key strengths and protocols to be used as and when required. The GoI has mandated the 256-bit 3DES symmetric encryption algorithm, which is relatively weak and can be broken with few resources.
On demand, the user shall be able to reproduce the same Plain text and encrypted text pairs using the software / hardware used to produce the encrypted text from the given plain text. Such plain text information shall be stored by the user/organisation/agency for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country.
This is one of the most critical statements in this policy. Notice how the above sections repeatedly emphasized that the primary purpose of this policy is to protect information privacy and confidentiality. This is where everything becomes null and void. In simple terms, it states that user groups are entitled to keep information private and confidential, as long as they agree to reveal everything encrypted to the government when called upon to do so. Not only that, it requires the information to be kept in plaintext form for a period of 90 days, thus reducing the work of cyber criminals and espionage groups. This also contradicts the objective which states that the GoI wants to align itself with international standards of information security. No security standard or framework has such a ludicrous requirement. The last time I checked we were living in a democratic nation, when did it convert into a dictatorship?
In case of communication with foreign entity, the primary responsibility of providing readable plain-text along with the corresponding Encrypted information shall rest on entity (B or C) located in India.
The policy makers might as well have written 'We don't care what the laws of other countries state, we will follow our own will.' If this statement were to be interpreted word for word, it would mean that the government is free to access the communications of Indian user groups with any foreign entity, be it the Indian office of an MNC communicating with its offshore headquarters or a citizen communicating through Skype with his/her friend in a foreign land. This would also mean that Indian organizations could never do business with entities located in regions which have strict data protection laws, such as the European Union, the USA, etc.
Service Providers located within and outside India, using Encryption technology for providing any type of services in India must enter into an agreement with the Government for providing such services in India.
Every service provider, at least in the information technology space, relies on encryption for data protection to some extent, be it Facebook, WhatsApp, Twitter or Indian Railways. This clause would require all of them to register their services with the government, and unless approved, the use of their services would be considered illegal. Be ready to go back to the age of no social media. This is license raj all over again. The policy is also not clear on whether or not it applies to software products such as operating systems, office suites, anonymising software etc.
Conclusion
This policy clearly depicts the lack of understanding of the global cyber security scenario on the government's part. I feel that the government needs to do proper homework before coming out with such controversial policy documents. It portrays a weak picture internationally, but at least we are in the picture now.
Have you read the Draft National Encryption Policy? Do you think the government is on the right track? Why or why not? Share your views in the comments.
Update: GoI has withdrawn the Draft National Encryption Policy.