Tuesday 22 September 2015

National Encryption Policy draft withdrawn: 11 things to know



If you were worried that deleting WhatsApp, Facebook and Viber chats could put you behind bars, fret not. In a complete U-turn, the government has withdrawn the proposed National Encryption Policy, which could have landed you in trouble for deleting your WhatsApp or Facebook messages before 90 days.

Here's all you need to know about the now-withdrawn policy draft:

* Telecom minister Ravi Shankar Prasad has announced that the government has decided to withdraw the draft of the National Encryption Policy. The minister said that the draft of the policy has created many apprehensions.

* Prasad said that in view of the concerns raised, he has asked for the draft to be withdrawn, revised and then re-released. The telecom minister also clarified that it is just a draft and not a policy of the government.

* The union government had put up a draft National Encryption Policy document online seeking to prescribe the methods of encryption of data and communications used by the government, businesses, and even citizens. The document says that the policy's mission is to "provide confidentiality of information in cyberspace for individuals, protection of sensitive or proprietary information for individuals & businesses, ensuring continuing reliability and integrity of nationally critical information systems and networks."

* The now-withdrawn proposed policy, issued by the Department of Electronics and Information Technology, would apply to everyone, including government departments, academic institutions and citizens, and to all kinds of communications, be it official or personal.

* The document was formulated by an "expert group" set up under the Department of Electronics and Information Technology (DeitY) which comes under the union ministry of communications and information technology.

* The draft policy was introduced under Section 84 A of the Information Technology Act (2000). Once finalized, it aimed to introduce rules for encryption of electronic information and communication.

* The policy document triggered widespread privacy concerns and generated a heated debate. The language of the draft was open to interpretation and implied that all citizens who use encryption services should store plain-text versions of encrypted communication for 90 days. This meant that users would have to store their WhatsApp messages for 90 days or face action if asked to reproduce old messages.

* Another contentious point of the draft said users "shall reproduce the same Plain text and encrypted text pairs using the software/hardware used to produce the encrypted text from the given plain text. All information shall be stored by the concerned B/C (business/citizen) entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country."

This meant that e-commerce websites may have to keep a plain text copy of user transaction details, leaving their information vulnerable to hackers. However, the issued addendum exempted "SSL/TLS encryption products being used for e-commerce and password based transactions."

The addendum also exempted "SSL/TLS encryption products used in internet banking and payment gateways as directed by the Reserve Bank of India."

* Current guidelines on encryption: Encryption was never a top priority for the government. According to Pavan Duggal, an advocate who specializes in cyberlaw, the ISP license conditions formulated in 1999 mandated a 40-bit encryption standard as the de facto standard. It was never revised, even at a time when 256-bit encryption was being widely used. The IT Act 2000 also didn't detail encryption.

It was only in 2008 after the Mumbai terror attacks that the Act was amended to expand the government's power to decrypt information. It could also approach intermediaries for assistance. As per the amendment, the government may only prescribe the modes or methods of encryption "for secure use of the electronic medium and for promotion of e-governance and e-commerce."

* Encryption used in mass communication mediums such as WhatsApp and Apple iMessage: To prevent an intruder from getting access to your private messages through servers, messaging services like WhatsApp and Google Hangouts use end-to-end encryption. This means that your messages are converted into a different format before being transmitted, and the capability to convert them back to text, the 'key', is available only to the other user on his/her device.

Similarly, Apple stores encrypted iMessage chats on its servers before the messages are delivered, but it cannot unscramble these. Some services keep this key on their own servers, but most are moving to end-to-end encryption. There is a backlash from surveillance agencies, who want access to decryption keys for security reasons.

* Messaging services that use encryption: WhatsApp, Google Hangouts, Skype, Apple iMessage, Telegram, Viber, Line and BlackBerry Messenger use encryption to convert your chats to some undecipherable code that can only be decrypted by the recipient. This means all services other than BlackBerry, such as WhatsApp, Google Hangouts, Facebook Messenger, Apple iMessage, etc., do not have dedicated servers to store encryption data in India.

Source: The Times Of India - Tech
