India still doesn’t understand how online security works

Author

Abhimanyu Ghoshal

September 21, 2015

This article originally appeared on The Next Web

The Indian government has made a fool of itself and caused anxiety among citizens with a woefully misguided proposal for a national encryption policy that it’s just released to the public for feedback.

While its mission is to “provide confidentiality of information” and ensure “protection of sensitive or proprietary information”, the policy essentially calls for online services operating in India to hand over their encryption keys to the government — similar to what the NSA wants for spying on US citizens.

An ‘expert’ group set up by the Department of Electronics and Information Technology (DeitY) has proposed a framework that requires every citizen to store plain text versions of all encrypted data from their devices for 90 days and produce it upon request from law enforcement agencies.

Most people wouldn’t even know which parts of their correspondence, login details across several services, software downloads and other data are encrypted, much less be able to capture and store it. That’s just not how things work.

Other gems from the draft include:

Service Providers located within and outside India, using Encryption technology for providing any type of services in India must enter into an agreement with the Government for providing such services in India. Government will designate an appropriate agency for entering into such an agreement with the Service provider located within and outside India.

and my personal favorite:

Encryption algorithms and key sizes will be prescribed by the Government.

There are thousands of services based outside the country that encrypt users’ data. DeitY expects them all to play ball and offer the government backdoors into their secure data.

By attempting to prescribe a limited set of encryption technologies, the proposal could make things easier for potential attackers and put service providers and their users at risk.

With that, the Indian government has once again proven itself to be out of touch with issues of privacy and online security.

Pranesh Prakash, Policy Director at Center for Internet and Society in Bangalore, told The Times of India he found it strange that ‘sensitive departments’ of the government are exempt from the policy. “What the government ought to be doing is setting minimum standards for encryption for governmental use. But here, they are doing the opposite,” he said.

You can view the policy draft in full here (PDF) and send your comments to akrishnan@deity.gov.in by October 16.

India’s draft encryption policy puts user privacy in danger [Medianama]


This article was written by Abhimanyu Ghoshal from The Next Web and was legally licensed through the NewsCred publisher network.

