India’s National Encryption Policy: Another Step in the Wrong Direction

India’s recent draft National Encryption Policy was so undesirable it was thrown out, but current politics in India imply the replacement won't be much of an improvement.

The policy was widely criticized for clauses that would have:

• Required citizens to “store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country.”

• Required citizens to only use products registered in India and, in turn, required vendors of encryption products (like SumRando) to register with the Indian government by submitting working copies of any hardware or software. (A later addendum clarified the exclusion of mass use products such as Facebook, Twitter and Whatsapp from this clause.) 

• Prescribed the use of certain algorithms, including the known-to-be-vulnerable RC4 encryption.

Flawed as it was, many of the draft’s extreme measures were not without explanation. As Siddharthya Swapan Roy pointed out, “The entire post-Snowden civil liberties furore in the American media is about how their government must go through their courts only when the target of the surveillance is their countryman—an American. India may be their biggest market, but when it comes to digital civil rights, India is just another clump of lesser mortals called the third world and like all non-West nations, her citizens, common and VIP, are all fair game. This imbalance of power is what has lent credence to the efforts of BRICS members like Russia and China to block out and/or seek homegrown alternatives to Google and Twitter.”

No one would cite Russia and China as exemplars in protecting citizens’ privacy rights, but Roy does have a point. Rather than sit back and watch foreign companies profit off of their citizens’ data, these nations have taken action. India’s draft Encryption Policy fits with a history of similarly pushing back on foreign-owned companies with greater access to citizen data than itself, such as its standoff with Blackberry that led the Canadian company to install accessible servers in India. The outrage the initial draft Encryption Policy has been met with is not unfounded, but should perhaps ask itself why the fight against government all-access passes to data has not been extended to corporations as well. 

In the meantime, Indian Prime Minister Narendra Modi has been actively promoting the Digital India initiative, an purported effort to provide all citizens the digital connections and information necessary to be competitive in today’s world via measures such as linking local governments to each other and providing public Wi-Fi hubs in schools and cities. It may sound good, but recent developments imply that Digital India won’t really be for all Indians and won’t be completed without at least one major corporation: in recent weeks, Modi initiated yet another temporary internet ban in Gujarat province in order to avoid protests against his government and held a meeting with Facebook’s Mark Zuckerberg, a melding of minds that appears to have led to the rebranding of Internet.org—previously seen as incompatible with India’s commitment to net neutrality—as the more marketable Free Basics.

A second draft National Encryption Policy will eventually emerge and, given the current climate in India, there is little reason to believe it will be much kinder than the first. An anonymous senior government official recently told Newslaundry, “Rest assured, the government will not give up its right to intercept all forms of communication. If this is not included in the proposed encryption policy, then it will be included in a new set of rules and regulations that govern over-the-top [OTT] applications.”

Both government and business currently find themselves with a vested interest in India’s expanding internet and, unfortunately, neither has shown signs of making the average internet user’s right to privacy a priority. Unless drastic change materializes in the coming months and years, India’s users should expect to rely on independent action to preserve what online safety they may.  

SumRando Cybersecurity is a South Africa-based VPN, Web Proxy and Secure Messenger provider. Surf secure and stay Rando!