New Delhi: If the government has its ways, internet users will have to store all their messages sent through encrypted messaging services such as WhatsApp and iMessage for at least 90 days.
The govt has released a draft National Encryption Policy document up for comment. The policy aims to "enable (an) information security environment and secure transactions in cyberspace for individuals, businesses and government including nationally critical information systems and networks."
Data encryption is used by all business entities to protect financial and private data. Websites and messaging platforms use encryption to protect their personal data and so on.
When a data is encrypted, it is turned into scrambled text which makes it impossible for third party to read the data other than the person it is intended for who has decryption code for the scrambled data.
When you send a WhatsApp message, it's automatically encrypted or turned into scrambled text, which is then unscrambled for the person you're messaging.
The draft document says that the policy's mission is to "provide confidentiality of information in cyber space for individuals, protection of sensitive or proprietary information for individuals & businesses, ensuring continuing reliability and integrity of nationally critical information systems and networks."
Among the provision of proposed encryption policy is that government will prescribe encryption algorithm and all encrypted messages must be store for 90 days.
WhatsApp, Apple, Google or any other company can not provide its encrypted communication services in India unless it signs an agreement with the govt.
The draft says that Service Providers located within and outside India, using Encryption technology for providing any type of services in India must enter into an agreement with the Government for providing such services in India. Government will designate an appropriate agency for entering into such an agreement with the Service provider located within and outside India.
"All vendors of encryption products shall register their products with the designated agency of the government. While seeking registration, the vendors shall submit working copies of the encryption software / hardware to the Government along with professional quality documentation, test suites and execution platform environments. The vendors shall work with the designated Government Agencies in security evaluation of their encryption products," the draft adds.
“Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time. On demand, the user shall reproduce the same Plain text and encrypted text pairs using the software / hardware used to produce the encrypted text from the given plain text. All information shall be stored by the concerned B / C entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country,” strategies section of the draft reads.
Guidelines for B2B or enterprise users and for B2C communication says, “All citizens (C), including personnel of Government / Business (G/B) performing non-official / personal functions, are required to store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country.
The government has published the draft of the policy document online to seek feedback from citizens and organisations. The draft by the government has faced severe criticism from the experts as it violates privacy of the internet users.
The draft policy has been introduced under Section 84 A of the Information Technology Act (2000). It is drafted by an expert group set up under the Department of Electronics and Information Technology (DeitY) which comes under the union ministry of communications and information technology.
Once finalised, rules for encryption of electronic information and communication will be introduced under the policy.
The draft document is open to public and expert comment until October 16.