Encryption be damned: govt wants your personal data in plain text form
- The govt's draft policy says all citizens and businesses must store their passwords on a plain text file
- The public also needs to preserve all social networking and mobile app messages for 90 days
- These have to be produced on demand from authorities, else it's seven years in jail
- In addition, the govt wants to decide encryption standards to be applied by all
- Keeping passwords on a plain text file means hackers will have it easy
- Storing personal messages would leave everyone vulnerable to extortion and blackmail
- For financial institutions like banks, this would mean maintaining humongous data banks
- What if the govt-mandated encryption standards get outdated within a week?
As an Indian citizen with internet access, do you keep a separate log of all your digital passwords? Do you preserve all messages on social networking websites and mobile apps for at least 90 days?
No? You think doing this would threaten your privacy, right? Well, you could be breaking the law.
The government's modified policy on encryption, a draft of which is available online, basically forces you to surrender your privacy. It now wants you to save all your encrypted data, which in effect means your passwords for social networking websites like Facebook and even for internet banking, in plain text form.
The biggest problem with doing what the government wants is obviously making yourself or your organisation vulnerable to theft or extortion. The financial implications for big businesses are another issue.
But even if one wanted to follow the government guidelines in their current form, there are practical problems, such as how to decrypt data sent from mobile apps and store it in plain text form. These are things a mobile user may not even be aware of.
If you can't or won't do as the government is asking you to, and a police officer demands an encryption key that you can't submit, according to the IT (amendment) Act, 2008, you could be punished with up to seven years' rigorous imprisonment.
What the policy says
The draft policy introduced under Section 84A of the IT Act, 2000, says all electronic information and communication will be included under the policy. This is what the draft document actually says:
"User shall reproduce the same plain text and encrypted text pairs using the software/hardware used to produce the encrypted text from the given plain text. All information shall be stored by the concerned B/C (business/citizen) entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country."
Moreover, the draft policy states quite clearly that: "Only the Government of India shall define the algorithms and key sizes for encryption in India, and it reserves the right to take action for any violation of this policy."
The third significant point the draft makes is that service providers offering encryption "will have to register with the Indian government".
What it means
Let's leave the questions of businesses and financial institutions aside for a moment. Here's an example of what the new policy could mean for an individual who's kept his or her passwords in plain text, and someone gets hold of it.
"Take the case of someone from the LGBT community. Someone may not have come out so far, but he or she still reserves the right to keep the secret to himself/herself. What if a message revealing this, sent to a close acquaintance, is read by someone? Imagine how this vulnerable person can be subjected to blackmail and extortion," says Nikhil Pahwa of Medianama.
Pahwa adds that the government has, worryingly, already argued in Supreme Court that right to privacy doesn't exist.
According to the draft policy, individuals and businesses will have to store messages for 90 days too.
"The issue is that if you know you're vulnerable and your private messages can be read, you become more careful about what you think and say and censor yourself. Bizarrely, people in government say you shouldn't be worried if you have nothing to hide."
The government's intention of dictating what encryption to use is also worrying, says Chinmayi Arun, research director of the Centre for Communication Governance at the National Law University, Delhi.
"Having a static policy of encryption of any kind is foolish. The technology suggested by the government may be outdated in two weeks. What happens then? There are ways to circumvent every security detail. The government will only make personal data unsafe," she says.
There could also be interesting legal issues in handing over the keys to all your personal data to the government.
"Imagine a case where you convert all your encrypted data into plain text, which by the way is a self-defeating exercise, and hand it to the government. Now we know how well the government secures evidence. If someone plants incriminating information on your plain text files, but can't do it to the encrypted file, which version will the court give precedence to?" asks Akash Mahajan, a cyber security consultant.
Now, let's consider the financial implications.
Every business house and individual will have to maintain two copies of their data, for up to 90 days. The cost of maintaining such a huge volume of data for institutions like banks, for example, could mean the difference between profits and bankruptcy.
If the government's encryption policy is followed, e-commerce websites which want to expand their businesses outside India may not be allowed to operate in locations where the threshold of cyber security is higher.
Additionally, students of computer science and information technology could become unemployable outside India, if they continue to study and work on obsolete security systems and can't keep track of changes in their domain.