Encryption Policy


Defining Encryption:
“Encryption”, a component of cryptography, refers to the encoding of information such that only authorized parties can read it. The information to be communicated, referred to in this process as plaintext, is encrypted using an encryption algorithm to generate what is called ciphertext, which can only be read if decrypted. The algorithm used produces a pseudo-random encryption key. An authorized recipient can easily decrypt the message with the key, which the originator provides to recipients but not to unauthorized interceptors.

The process was originally used for the protection of military, diplomatic and other crucial government information. With recent developments in ICT, the growing use of online apps for communication expanded the scope of encryption to civilian e-commerce and e-governance applications. Subsequently, there emerged the need to protect privacy, increase the security of the Internet and associated information systems, and develop policies that favour the spread of encryption worldwide.

Encryption can be used to protect both data “at rest”, such as information stored on computers and storage devices (e.g. USB flash drives) as well as data in transit, for example data being transferred via networks (e.g. the Internet, e-commerce), mobile telephones, wireless microphones, wireless intercom systems, Bluetooth devices and bank automatic teller machines. There have been numerous reports of data in transit being intercepted in recent years. Data should also be encrypted when transmitted across networks in order to protect against eavesdropping of network traffic by unauthorized users.

Encryption along with other techniques can protect the confidentiality of messages.

WhatsApp, Google Hangouts, Skype, Apple iMessage, Telegram, Viber, Line and BlackBerry Messenger use encryption to convert chats into undecipherable code that can only be decrypted by the recipient. Apple stores encrypted iMessage chats on its servers before the messages are delivered, but it cannot unscramble them. Some services keep the decryption key on their own servers, but most are moving to end-to-end encryption. There is a backlash from surveillance agencies who want access to decryption keys for security reasons.

The Draft of the Encryption Policy:
• The Department of Electronics and Information Technology, Ministry of Communications and Information Technology, Government of India put up a draft National Encryption Policy document online, seeking to prescribe the methods of encryption of data and communications used by the government, businesses, and even citizens. The document says that the policy’s mission is to “provide confidentiality of information in cyberspace for individuals, protection of sensitive or proprietary information for individuals & businesses, ensuring continuing reliability and integrity of nationally critical information systems and networks.”

• The draft policy was introduced under Section 84 A of the Information Technology Act (2000). Once finalized, it aimed to introduce rules for encryption of electronic information and communication.

• The policy will be applicable to everyone: government departments, academic institutions and citizens, and to all kinds of communications, official or personal.

The Criticisms of the Policy:
The policy document triggered widespread privacy concerns and generated a heated debate:

• According to the draft, users and organizations would “on demand” need to store all communication in plain text for 90 days from the date of transaction and make it available to law enforcement agencies in line with the provisions of the laws of the country. Many users in India do not know the meaning of plain text, and in such a case they can be held liable for not storing their encrypted data in plain text format.

• In case of communication with any foreign entity, the primary responsibility of providing readable plaintext along with the corresponding encrypted information shall rest on the business or citizen located in India. Additionally, service providers located within and outside India, using encryption technology for providing any type of services in India, must enter into an agreement with the government. The provision is totally illogical and ambiguous.

• The policy presents a totalitarian strategy in the name of protecting data in a democratic regime.

• It also raises the issue of privacy.