Written By Joshita Pai
The National Draft Encryption Policy, which was released for public comment and then withdrawn by the Union Government within three days of its release, has been the subject of much discourse. The clarification issued by the Ministry early in the day on the 22nd stated that mass-use products would be exempt from the purview of the policy; these products would include those currently in use in social media, Facebook, payment gateways and e-commerce. Medianama issued a detailed report indicating that the clarification only raised more questions.
The conflicting interests of law enforcement agencies, acting in the name of national security, and of privacy necessitate a balancing act in encryption policy. The UN Special Rapporteur David Kaye's recent report on freedom of speech and expression emphasizes the need for digital anonymity and the importance of encryption for protecting the right to privacy and the integrity of information. We do not have a centralized legal framework for encryption systems, and there is a dearth of cyber research to that end. The draft Policy recently released by the Union is a far cry from resolving this. The withdrawal of the policy at this stage indicates the need for a fundamental change in the approach to encryption-related issues.
Dissecting the Debatable Clauses of the Demised Policy:
With the Union Minister for Information Technology stating that the view reflected in the policy is not the final one, further assessment of the policy has been effectively stalled.
The policy intends to extend its applicability to sensitive departments/agencies of the government designated to perform sensitive and strategic roles. It is applicable to all Central and State Government Departments (including sensitive Departments/Agencies while performing a non-strategic and non-operational role), all statutory organizations, executive bodies, business and commercial establishments, including public sector undertakings and academic institutions, and all citizens (including personnel of Government/Business performing non-official/personal functions).
While enlisting the strategies employable for communications between business groups, and between businesses and citizen groups, the policy prescribes a standardized set of encryption keys and protocols to be followed, to be notified by the government from time to time. This is not viable, since different entities will in all likelihood have different standards of privacy and of ensuring security. The Organization for Economic Co-operation and Development ('OECD') issued guidelines on Control of Encryption in March 1997, and principle 2 states that users should have a right to choose any cryptographic method, subject to applicable law.
The fatal inclusion of the '90 days in plain text' clause, which requires communication between any two groups to be kept available in a readable form, has invited endless criticism of the policy, and the clarification issued subsequently by the government only made things more obscure.
The requirement that foreign companies or entities first register with the government and enter into an agreement with it (drafted by an agency prescribed by the government) has not been well received globally.
Section 69 of the Information Technology Act empowered the government to monitor and decrypt communications in the interest of the sovereignty, integrity and security of the state, and the section was equipped with procedural safeguards. The 2008 amendment to the IT Act introduced section 84A, which provides the basis for the formulation of the draft policy; the section empowers the government to prescribe modes of encryption if it deems fit. Without delving into the nature of section 84A and the question of excessive delegation it invites, it is pertinent to note that standardization and a top-down mode of prescribing encryption for communications defeat the principal basis of the need for encryption: protecting privacy and ensuring the integrity and security of the communication.
While the policy has been called foul on many counts, the provision for symmetric encryption with 256-bit keys is a welcome one. The next draft proposal is anxiously awaited and will hopefully not be a patchwork of the same policy.
Joshita Pai was a Fellow at the Centre for Communication Governance from 2015-2016