Yesterday, the union government had released a draft National Encryption Policy document online seeking methods of data encryption of data and communications used by the government, businesses, and even citizens. The draft was created by an “expert panel” set up by the Department of Electronics and Information Technology (DeitY) which comes under the union ministry of communications and information technology.
The draft policy was introduced under Section 84 A of the Information Technology Act (2000) and the document was made open for the public to comment till October 16. However, after facing immense negative reviews and protests against the massive loopholes in the draft, the government has now withdrawn the draft.
Telecom minister, Ravi Shankar Prasad today announced that the government has decided to withdraw the draft of “encryption policy”. “In view of the concerns raised over the encryption policy, I have asked the draft to be withdrawn, made changes to and then re-released,” Prasad said.
He also made it clear that it is just a draft and not a policy implemented by the government. He stated that no ordinary consumer would be affected by the encryption policy and that the purpose of encryption does not pertain to WhatsApp, Facebook and other social media messaging platforms used by common man.
“Union government supports the freedom of social media. We are very proud of the initiatives taken by the government under leadership of PM Narendra Modi for promotion of social media,” said the telecom minister.
The draft of New Encryption Policy read “On demand, user shall reproduce the same Plain text and encrypted text pairs using the software/hardware used to produce the encrypted text from the given plain text. All information shall be stored by the concerned B/C (business/citizen) entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country.”
This would mean that a company has to keep a user’s personal data like the password in plain text for 90 days – allowing hackers a comfortable 90 days to retrieve user data that is unencrypted and exposed.
The draft also proposed that this policy would apply to everyone; including government departments, academic institutions, citizens engaging in any kind of communications – official or personal.
The draft also read, “Service Providers located within and outside India, using Encryption technology for providing any type of services in India must enter into an agreement with the Government for providing such services in India. Government will designate an appropriate agency for entering into such an agreement with the Service provider located within and outside India.”
This roughly translates into the fact that every company in the country will be bound by this policy.