Indian government has formulated a new policy to ensure that its law enforcement agencies have easy access to encrypted information. But with this, your sense of privacy and security will remain at stake.
Here are some implications
for citizens and companies if the policy is implemented in its current form ...
According to the draft, citizens may use encryption technology for storage and communication. However, encryption algorithms and key sizes will be prescribed by the government through Notification from time to time. This means that the government will determine the encryption standards for all and entities like Google and WhatsApp will have to follow the encryption standards prescribed by the Indian government.
According to the draft, citizens may use encryption technology for storage and communication. However, encryption algorithms and key sizes will be prescribed by the government through Notification from time to time. This means that the government will determine the encryption standards for all and entities like Google and WhatsApp will have to follow the encryption standards prescribed by the Indian government.
What's bizarre is that the draft lists specific guidelines for all citizens who use encryption services including instructions that individuals should store in plain text versions of communication for 90 days. So this may imply that you'll have to store your WhatsApp messages for 90 days or face action in case asked to reproduce.
What's appalling is that the government expects all citizens to be aware of encrypted communication and the way to store messages in plain text securely. A large number of
users may in fact not even
know that WhatsApp and iMessage use encryption.
As per the draft, "all
citizens including personnel of Government / Business (G/B) performing
non-official / personal functions, are required to store the plaintexts of the
corresponding encrypted information for 90 days from the date of transaction
and provide the verifiable Plain Text to Law and Enforcement Agencies as and
when required as per the provision of the laws of the country."
The draft also proposes similar guidelines for B2B or enterprise users where data exchange is even more critical and for B2C communication. "On demand, the user shall be able to reproduce the same Plain text and encrypted text pairs using the software / hardware used to produce the encrypted text from the given plain text. Such plain text information shall be stored by the user/organisation/agency for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country," it adds. This implies that e-commerce websites will have to keep a plain-text copy of user details leaving their information vulnerable to hackers.
Stay connected with us.....
like our facebook page - Brigadier Android.
Join us on Google+ - Brigadier Android.
Follow us on Twitter - @brig_android.
The policy also mentions that Service Providers located within and outside India, using encryption technology for providing any type of services in India must enter into an agreement with the government for providing such services in India. The government will designate an appropriate agency for entering into such an agreement with the service provider located within and outside India. This means WhatsApp, Apple and Google will have to sign agreements with the Indian government to provide services in the country as they use encryption technology. This will make the process more bureaucratic and create roadblocks for app providers. In its current form the policy could have a detrimental effect on the privacy of citizens and expose sensitive data to potential abuse.
"All vendors of encryption products shall register their products with the designated agency of the government. While seeking registration, the vendors shall submit working copies of the encryption software / hardware to the Government along with professional quality documentation, test suites and execution platform environments. The vendors shall work with the designated Government Agencies in security evaluation of their encryption products," the draft adds.
However, mass use products like SSL/TLS that are used for financial transactions are exempted from registration. Users in India are allowed to use only the products registered in India though. So using a service not registered with the government will be illegal. "Government reserves the right to take appropriate action as per Law of the country for any violation of this Policy," the draft categorically states.
The document has been drafted by an expert group set up under the Department of Electronics and Information Technology (DeitY) which comes under the union ministry of communications and information technology. All citizens can send their comments on the draft policy to akrishnan@deity.gov.in by October 16 and give suggestions.
like our facebook page - Brigadier Android.
Join us on Google+ - Brigadier Android.
Follow us on Twitter - @brig_android.
The policy also mentions that Service Providers located within and outside India, using encryption technology for providing any type of services in India must enter into an agreement with the government for providing such services in India. The government will designate an appropriate agency for entering into such an agreement with the service provider located within and outside India. This means WhatsApp, Apple and Google will have to sign agreements with the Indian government to provide services in the country as they use encryption technology. This will make the process more bureaucratic and create roadblocks for app providers. In its current form the policy could have a detrimental effect on the privacy of citizens and expose sensitive data to potential abuse.
"All vendors of encryption products shall register their products with the designated agency of the government. While seeking registration, the vendors shall submit working copies of the encryption software / hardware to the Government along with professional quality documentation, test suites and execution platform environments. The vendors shall work with the designated Government Agencies in security evaluation of their encryption products," the draft adds.
However, mass use products like SSL/TLS that are used for financial transactions are exempted from registration. Users in India are allowed to use only the products registered in India though. So using a service not registered with the government will be illegal. "Government reserves the right to take appropriate action as per Law of the country for any violation of this Policy," the draft categorically states.
The document has been drafted by an expert group set up under the Department of Electronics and Information Technology (DeitY) which comes under the union ministry of communications and information technology. All citizens can send their comments on the draft policy to akrishnan@deity.gov.in by October 16 and give suggestions.
Source: TOI
No comments:
Post a Comment