encryption

IAMAI has released a discussion paper on encryption policy in India, highlighting the need for freedom of encryption, a strong baseline encryption standard, no plaintext storage, and no mandatory legal monitoring or "backdoor entry" clauses, citing strong encryption as critical to countering cyber security issues.

The paper is a response to the encryption policy drafted by the Indian Government in September last year, which set limitations on encryption, required the storage of a plaintext version of encrypted data, and would also have defined the algorithms and key sizes for encryption in the country. The draft policy was withdrawn in the same month, following strong criticism of its draconian provisions.

An overview of the important points brought up by IAMAI:

Freedom of encryption: IAMAI criticizes the requirement for licenses for encryption over 40 bits, suggesting instead that the government specify a mandatory minimum strength for the use of encryption, rather than capping the strength of encryption. Setting 40-bit encryption as the minimum standard, for example, would help increase cyber security. Additionally, IAMAI asks for the creation of procedural safeguards as a means to limit misuse of digital data by government agencies, and points to the need to distinguish between digital and physical criminal investigations.

No ‘backdoor entry’: Mandating backdoor technologies creates the risk of accidental disclosure, theft by hackers, or abuse of power by agencies, as well as a lack of confidence to do business in the country. IAMAI suggests instead that restrictions should be handled on a case-by-case basis and should be limited to what is necessary for the goal. Note that a similar case in the US was dropped by the FBI after it managed to unlock a shooter’s iPhone. The FBI had filed for an order asking Apple to unlock the iPhone used by Tashfeen Malik by creating a backdoor, which Apple refused to do.

No plaintext storage: Instead of requiring the storage of keys and the plaintext of encrypted data, IAMAI suggests that decryption keys should be deleted immediately after use, making it impossible to steal the keys. The industry body says that a mandatory storage policy violates the right against self-incrimination, a right guaranteed under the constitution.

No mandatory registration: According to the paper, mandating the use of only those products that are registered in India would take away users’ freedom to choose what they trust, and would also make public information about a company’s product, leading to a negative impact on research and development happening in India. As such, IAMAI suggests that regulators should not enforce such a rule.

Other highlights: IAMAI also says that regulators should take a more liberal approach to the import and export of encryption products, adopt and encourage the adoption of strong, internationally accepted encryption standards such as AES-128, and formulate a policy that can protect all types of digital data, whether in transit (communication) or at rest (storage).

India’s privacy policy: Earlier this month the Government said it would draft legislation, in consultation with stakeholders, to protect the privacy of individuals breached through unlawful means, although it did not provide a timeline. As of now, certain sections of the IT Act of 2000 provide the legal framework for digital privacy and security, mandating that agencies collecting personal data must provide a privacy policy, and that compensation must be paid to the victim in case of unauthorized access to or leakage of information.
