DeitY's National Encryption policy is a disaster [Updated]
19 September 2015 By Bhavyanshu Parasher
First of all, what is National Encryption Policy?
- Update: They pulled down the original document, here is the copy
“Under Section 84A of Information Technology Act, 2000 Rules are to be framed to prescribe modes or methods for encryption”. So DeitY has framed a draft of such rules which will decide the future of how encrypted services are to be used or provided to users in India. The preamble in the draft clearly shows that they very well understand what encryption is meant to be used for. What they fail to understand is how it helps secure communication between two entities. The problem lies in the strategies stated in the draft. Let us break the draft into parts and try to analyze how exactly they can possibly ruin encrypted services and also how it will affect you.
(III Objectives i)) states “to protect privacy in information and communication infrastructure without unduly affecting public safety and National Security”. This is perfect but then they contradict themselves by saying (IV Strategies 4), “On demand, the user shall be able to reproduce the same Plain text and encrypted text pairs using the software/hardware used to produce the encrypted text from the given plain text. Such plain text information shall be stored by the user/organization/agency for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country”. Yeah, so what is wrong with this? Well, to answer this, let us take an example. You are currently using messaging services that encrypt data sent over network. You still have a sense of security that you can freely talk about things over the network without worrying that ISPs, private companies and the government are continuously monitoring/logging what you say. The problem arises when the private companies like your Internet service provider, government and even notorious hackers can misuse this data. What government has stated under “Strategies” is not exactly that but a different version of this. They don’t want to get rid of the encryption but want a backdoor access to the encrypted networks. This is not acceptable. By demanding this, they are putting critical data and infrastructure in danger. Why? Ask these questions to yourself. Can we trust the authorities to keep the keys and the data in “Plain text” safe from hackers? It is common that hackers target government organizations everyday to get their hands on information. Governments are easy targets for most hackers because they don’t invest enough resources in security. Can we trust the government employees with our data who can’t prevent hacks on government websites? The cost of such security breaches would be severe. Think if e-commerce companies are forced to keep currently encrypted data in plain text as well. Not challenging anyone’s security but knowing that hackers always find a way in, from experience, I can tell that I would probably never use e-commerce services again knowing they are storing critical data in plain text as well. Like me, many would not want to access such services ever. This will affect the economic growth. These services will lose users. If there is a security breach and hackers have access to data stored in “plain text”, people will think twice before using such services ever again. At least currently the data is encrypted. Even if hackers get in, there is still an extra layer of protection. They may or may not be able to decrypt the data easily. Of course it all depends on the methods used to encrypt such data. This is one of the major problems that I personally see with government asking services for back-doors.
(IV Strategies 5) states that “B/C groups (i.e. B2C, C2B Sectors) may use Encryption for storage and communication. Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time. All information shall be stored by the concerned B/C entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country. In case of communication with foreign entity, the primary responsibility of providing readable plain-text along with the corresponding Encrypted information shall rest on entity (B or C) located in India”. The entity B is any business and commercial private or public bodies providing encrypted services and entity C includes every citizen. This is completely broken. They say that all information should be stored by concerned B/C entity for 90 days from the date of transaction. How can they expect citizens to store such information? What if the hackers hack into anyone under “C” entity and gets access to that information. In that case, who will be held responsible? Will the government take responsibility because they demand users to store such important information for 90 days? Moreover, they are clearly saying that they will be the ones to dictate what encryption algorithms to use and what should be the size of the key. This will cause problems to any business on the technical front. What if their business wants to use a different encryption algorithm because it suits their requirements better? Now the government will decide how you should do business and the technology used behind your encrypted network? That’s why this is completely broken.
The most absurd point, according to me, (IV Strategies 7), states that “Users within C group (i.e. C2C Sector) may use Encryption for storage and communication. Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time. All citizens (C), including personnel of Government/Business (G/B) performing non-official/personal functions, are required to store the plain-texts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country”. This is a horrible strategy to propose. See, C group contains every citizen. So this clearly applies to communication between two citizens. Now let us take an example. I encrypt most of my emails with PGP and now according to the above stated strategy, the government can tell me to stop using PGP and use something else or they can also tell me to reduce the size of the key. This will only make my data more vulnerable. There is a reason why PGP exists. I use it so I can be sure that the email is only read by the person whom I grant access to. No matter what network it passes through, no one else will be able to read that data. I have this sense of security right now. The point 7 even takes away that from me.
(V Regulatory Framework 1), states that “while seeking registration, the vendors shall submit working copies of the encryption software/hardware to the Government along with professional quality documentation, test suites and execution platform environments”. This is very stupid. Why? See, if some xyz organization has some patented or closed source encryption technology, the government cannot just ask them disclose every detail of the encryption technology. The government will have to get a license from the organization to get each and every detail of how the encryption is implemented. Think about the cost. Secondly, the more problematic situation is that what if such details land up in the hands of competitors? Bam! that will expose your whole security infrastructure to competing company. That can happen. How can you rule out such possibility when you know more than one organization has all this information stored somewhere? Whom can you trust?
(V Regulator Framework 3), states that “The vendors of encryption products or service providers offering encryption services shall necessarily register their products / services with Government for conducting business in the country”. So most of the services will probably not wanna do business in India because of above stated reasons. Now you only decide if it’s going to affect the economy or not.
Lastly, (V Regulator Framework 5), states “Users in India are allowed to use only the products registered in India”. Well, say goodbye to VPN services. You see what they did there?
[Update - September 21]
All those who are saying that the proposed addendum exempts social media apps, messaging apps, etc., have clearly not read the addendum point 1 carefully. It states that “mass use encryption products” are exempted from the NEP. The “mass use encryption products” definitely does not include copyright crypto algorithms/proprietary encryption products owned by respective companies. So it does not clarify anything but only adds to the problems.
I am just an engineer. I am stating my opinion on this because I think it will affect me a lot. Your comments on this are welcome and hope we can have a healthy discussion on this. This will ultimately affect you and how you use Internet services. Hence, this is a crucial matter and everyone from tech should participate in this.
blog comments powered by Disqus