Within a span of days, the government of India released and >withdrew its draft encryption policy , revealing it is still unsure how to regulate electronic communications.
The draft fatally confused two policy objectives: the need to protect data on the internet, and the need to retrieve it for the purposes of law enforcement. The twain do meet – encrypted communication between individuals planning a terrorist attack is often difficult to intercept. Rather than addressing how encrypted data can be lawfully intercepted, this draft policy cast too wide a net, bringing all encryption technology under a licensing regime.
Encryption is the practice of converting data into a garbled mix of numbers, letters and special characters that can be deciphered only by the intended recipient. Apple, for instance, offers end-to-end encryption for its iMessage and FaceTime applications, which theoretically means communication between iPhone users cannot be intercepted by a third party, unless Apple voluntarily hands over this data. Similarly, individuals who rely on internet banking to pay bills may have noticed a small logo on their bank’s website that reads “Verisign secured”. The sign suggests the website runs on an encryption platform capable of verifying the identity of both the account holder and the bank.
To transfer money from my account in say, the State Bank of India (SBI), my computer or mobile phone connects to SBI’s servers using the bank’s authorised “public key”. This public key is conceptually similar to a telephone listing in a directory, accessible to all. My request to transfer money is encrypted with this key. To read and act on my request, however, SBI should have a corresponding “private key”, available only to the bank. Verisign - or any other party providing the encryption service in this case - guarantees the confidentiality of the private key, and the authenticity of the publicly available key. Encryption services could be provided by a device (say, the iPhone), a service (Snapchat), or a vendor (e.g., Symantec). Drafting an encryption policy is a welcome sign that the Indian government has finally woken up to the need to protect its communications infrastructure. The IT department’s mandate only covers civilian and commercial conduct in cyberspace: India’s strategic installations are spared this chaotic policy development process, and the armed forces employ their own sophisticated techniques of cryptography. The stakes are no less high for India’s booming digital economy. The government’s encryption policy could be decisive in building consumer confidence in retail and e-governance, encouraging more Indians to go online and strengthening the country’s underdeveloped cybersecurity sector. The government’s draft must move beyond viewing data protection from the prism of law enforcement.
The revoked draft encryption policy rested on three major pillars. First, it suggested the technical standards around encryption will be set by the government. Second, the draft policy required encryption service providers, whether based in India or abroad, to “enter into an agreement” with the government, creating a legal obligation on them to provide encrypted data on demand. Third, all “vendors of encrypted products” had to be registered with the government of India. Only these products can be legally availed by Indian users. Setting encryption standards is the government’s prerogative. But this power should not be used to prescribe low encryption standards with a view to intercept communications. Currently, licensing agreements between the Department of Telecommunications and internet service providers (ISPs) permit the running of only those applications that use 40-bit encryption. 40-bit encryption is an abysmally low standard to observe, and leaves internet users susceptible to cyber attacks – it should come as no surprise that this rule is mostly observed in the breach. The licensing agreements are also woefully outdated: applications that use encryption standards higher than 40-bit are required to submit their “decryption keys” to the government. Communications platforms have become so advanced that even Apple does not store the private keys to decrypt iMessages, let alone share it with governments.
Any encryption policy must be sensitive to the need to promote cybersecurity research in India. A restrictive multilateral regime, called the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, already limits the import of crucial cyber security products to India from the United States and Western Europe. Advanced encryption technology too is covered under the Wassenaar Arrangement. While Indian diplomats negotiate India’s entry into this regime, the Communications and IT Ministry should not issue licensing regulations that could discourage foreign companies and researchers from investing in India’s cyber security sector. Unfortunately, the draft policy ignored this concern, requiring foreign vendors to not only provide encrypted data on demand but also submit “working copies” of encryption software and hardware to the government. This requirement – despite assurances of confidentiality – should not be retained, as it will trigger concerns regarding piracy and IPR violations.
The encryption policy must be separated from the legal regime to intercept communications.
Companies relying on cloud computing may simply refuse to submit data, encrypted or not, located in servers abroad. This is a concern to be resolved through multilateral agreements, not a property of the encryption regime. In the absence of such an agreement, requests to retrieve encrypted data must necessarily be backed by a court warrant from a civil court, obtained through an open judicial hearing.
The IT ministry’s first stab at drafting an encryption policy tried to blunt technological advancement
with the brute force of law. It is in the government’s interest that Indian businesses and users ultimately rely on sophisticated indigenous products to communicate and secure data. To nurture those research capabilities, the industry and academia, however require international partnerships and assistance. Rather than limiting the role of foreign expertise through a licensing regime, the Indian government must take active steps to encourage their interest and investment in India.
Arun Mohan Sukumar heads the Cyber Initiative at the Observer Research Foundation, New Delhi
