Update: Web security consultant Akash Mahajan adds that the policy does not cover the following:

1. Hard Disk Encryption Products
2. SSH and RDP Encryption (Required to manage servers)
3. Wearables like Fitbit
4. Smartphone Full Disk Encryption
5. Symmetric Encryption Software to transfer files between humans and computers
6. OS Update Servers
7. Browser Update Servers
8. App Store, Play Store etc.
9. Encrypted Streaming for audio video
10. Email Encryption
11. Off The Record Messaging
12. Voice Communication apps like Skype etc.
13. Digital Signatures for software

Update: the DeitY, after the public outcry, has issued an update, which doesn't address the issue entirely. The update (pdf):

By way of clarification, the following categories of encryption products are being exempted from the purview of the draft national encryption policy:

1. The mass use encryption products, which are currently being used in web applications, social media sites, and social media applications such as Whatsapp, Facebook, Twitter etc.
2. SSL/TLS encryption products being used in Internet-banking and payment gateways as directed by the Reserve Bank of India
3. SSL/TLS encryption products being used for e-commerce and password based transactions.

The problems with the update

1. The usage of the phrase 'currently in use' renders the policy vague: Firstly, when is "currently"?
2. Will a new service that uses a different kind of encryption to protect its users still be covered? Why should users be "restricted to encryption currently in use"? Why should services like Whatsapp, Facebook and Twitter define our security standards?…
