Indian draft rules on encryption could compromise privacy, security

The government's focus is on ensuring access to information by law enforcement agencies

India's government is trying to ensure that its law enforcement agencies have easy access to encrypted information, but it could be compromising security and privacy in the process.

A draft policy on encryption issued by the Indian government aims to keep a check on the use of the technology by specifying the algorithms and the length of the encryption keys used by different categories of people.

Consumers will also be required to store the plain texts of encrypted information for 90 days from the date of a transaction and provide the text to agencies when required under the laws of the country.

Indian businesses, and the customers they correspond with, will also be responsible for providing readable plain text along with the related encrypted information when communicating with a foreign entity.

The policy will not, however, be applicable to designated sensitive departments and agencies of the government, though it is applicable to other government departments.

The government has invited comments from the public on the policy by Oct. 16.

Although the new policy could expose user data to hackers as plain text, the government document sets as its mission to "provide confidentiality of information in cyber space for individuals, protection of sensitive or proprietary information for individuals & businesses, ensuring continuing reliability and integrity of nationally critical information systems and networks."

It is surprising that even as there is so much concern about hacking and the loss of privacy, the government wants users to store data as plain text, said Akash Mahajan, a security consultant in Bangalore. Once the plain text is with the government, there is no way to verify it with the original digital data as the practices of law enforcement in safeguarding the integrity of data are not laid out very clearly, he added.

The country's Information Technology Act provides for rules to be framed that prescribe the mode of encryption. Under the proposed rules, service providers will also have to arrive at agreements with the Indian government to provide their services, which from the general tenor of the document suggests that they will have to be willing to provide plain text information to the government when required under the law.

Consumers, businesses and non-strategic government users of these services will also be responsible for providing plain text information when required.

Internet companies, including Google and Microsoft, did not immediately comment on the proposal.

The use of encryption in information technology and communications services has been a sore point for law enforcement agencies that want easier access to information, including through back-door access. In opposition are tech companies like Apple and Google and civil rights groups, which back stronger encryption and the privacy of data and communications.

U.S. Federal Bureau of Investigation Director James Comey called in July for a “robust debate” on encryption of communications, saying that the technology could prevent him from doing his job to keep people safe. “There is simply no doubt that bad people can communicate with impunity in a world of universal strong encryption,” Comey wrote in an op-ed in the Lawfare blog.

The move by India could break the trust that exists between people and online businesses and between Indian companies and their foreign partners, Mahajan said.

Join the CSO newsletter!

Error: Please check your email address.

More about AppleFederal Bureau of InvestigationGoogleMicrosoftTechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John Ribeiro

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place