India's proposed encryption policy is a huge threat to its national security!

India's proposed encryption policy needs to be reworked, as it has come under heavy fire from internet experts and online activists.

They have criticized the policy, alleging that it provides blanket backdoors to law enforcement agencies to access user data, which could be misused.

The Department of Electronics and Information Technology (DeitY) has made the 'Draft National Encryption Policy' public on its website. If implemented, the policy could be abused by hackers and spies.

DeitY has asked the public to comment on the proposed policy. The draft policy will remain on the website until October 16.

The stated mission of the policy on encryption is to "provide confidentiality of information in cyber space for individuals, protection of sensitive or proprietary information for individuals & businesses, (and) ensuring continuing reliability and integrity of nationally critical information systems and networks".


Experts have said that a policy on encryption is a welcome move. However, they felt that the policy document in its current form is not well thought out and makes suggestions that could harm businesses and individuals, and thwart research and development in the field of encryption.

The most contentious provision in the draft policy document is perhaps the one requiring businesses and individuals to keep a plain text copy of the data they encrypt for storage and communication, for 90 days, and make it available to law enforcement agencies "as and when demanded in line with the provisions of the laws of the country".

"The mission of the policy is to promote national security and increase confidentiality of information, but it specifically excludes 'sensitive department agencies', which most need such protection. The content of the policy shows why they have been excluded: the policy, in fact, decreases security and confidentiality of information," said Pranesh Prakash, policy director at the Centre for Internet and Society.

If e-mails are required to be kept in plain text rather than in encrypted form, then that makes it easier for hackers and foreign agencies to spy on the government, businesses, and all Indian citizens, he said.

Raman Jit Chima, policy director at digital rights organization Access, is of the opinion that instead of promoting the use of encryption, the policy draft "appears to seek to heavily regulate encryption and the rules it proposes will likely impede its usage by Indian developers and startups".

He also said: "By trying to restrict and weaken the everyday usage of encryption in order to facilitate tapping demands, the everyday communications of all Indians will likely become less secure."

The policy seeks to promote R&D in the field of cryptography by public and private companies, government agencies and academia, but it requires all vendors of encryption products to register their products with the government and re-register when their products are upgraded.

Arun Mohan Sukumar, cyber initiative head at Observer Research Foundation, said: "The government has finally realized the need to protect its communications infrastructure from cyber intrusions. But creating a 'license raj' of encrypted products and services, as this draft policy aims to, will only stunt cyber security research."
