Bad proposal by the Govt. could help hackers mine data.
By Dileep Thekkethil
If you have a habit of deleting chat records and attachments from instant messaging apps such as WhatsApp, Apple iMessage, and Google Hangouts, this could soon be illegal in India: the government has proposed a new National Encryption Policy that requires users and online businesses to keep their chat and email records in plain text for a period of at least 90 days.
According to a report published by Outlook magazine, India has a poor record of protecting confidential data, and its systems come under constant attack. The central government's new move will aggravate the problem: keeping information such as passwords and other sensitive data in plain text makes it far easier for attackers to steal or tamper with it.
The draft of the policy document has been published online for citizens to read and respond to. It details the encryption methods that the government, businesses and citizens should use. If public opinion favours the draft, instant messaging apps will have to alter their encryption methods to fall in line with the government's proposal.
Here are some of the key implications for citizens and online business firms:
According to the policy draft, citizens should use government-prescribed encryption for storage and communication purposes. The government will also roll out new encryption algorithms and key sizes from time to time through notifications. This essentially means that the government alone would have the power to design and regulate the encryption standards used by entities such as WhatsApp and iMessage.
Interestingly, the government has not exempted any citizen, however uneducated or less tech savvy, from following the guidelines. More bizarre is the requirement to keep important data stored in plain text for 90 days. One startling question is what happens if the device is infected by malware or has to be wiped and restored because of a technical glitch. Hopefully that does not happen at the wrong time, when the authorities ask for the data to be reproduced.
As per the draft, “all citizens including personnel of Government / Business (G/B) performing non-official / personal functions, are required to store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country.”
For B2B or enterprise users, the new draft is more than a nightmare. It says, “On demand, the user shall be able to reproduce the same Plain text and encrypted text pairs using the software / hardware used to produce the encrypted text from the given plain text. Such plain text information shall be stored by the user/organisation/agency for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country.” This means that online marketplaces such as Flipkart and Snapdeal would have to store their users' information in plain text on their servers, making it easy for attackers to harvest that data for all the wrong reasons.
There is a detailed clause in the draft explaining how foreign and domestic service providers have to comply with the government's proposed encryption technology. If the draft becomes government policy, service providers will have to enter into an agreement with the government of India to provide encryption technology, and the government will constitute an agency exclusively to oversee this.
“All vendors of encryption products shall register their products with the designated agency of the government. While seeking registration, the vendors shall submit working copies of the encryption software / hardware to the Government along with professional quality documentation, test suites, and execution platform environments. The vendors shall work with the designated Government Agencies in security evaluation of their encryption products,” the draft adds.
Apple, Google, and WhatsApp would be forced to sign a pact with the government of India confirming that they are willing to provide their services in line with the encryption technology proposed by the government.
What is appalling for app providers is the prospect of getting stuck in bureaucratic roadblocks. For citizens, this could end up rewriting the concept of privacy in the country, as their sensitive data will sit in plain text, susceptible to abuse.
Thankfully, the draft exempts products such as SSL/TLS that are used for financial transactions. But citizens who use services not approved by the government will face legal action if caught. The draft says, “Government reserves the right to take appropriate action as per Law of the country for any violation of this Policy.”
The draft was drawn up by an expert panel constituted by the Department of Electronics and Information Technology under the supervision of the Ministry of Information Technology. Citizens should email their feedback and suggestions to firstname.lastname@example.org by October 16.