The next time you read a message on WhatsApp, don’t delete it – there’s a chance you might be asked to show it to the police, and you might need to be able to show the message in plain text for 90 days after receiving it. That is if using WhatsApp is even legally permitted anymore.
The Department of Electronics and Information Technology (DeitY) has posted a draft National Encryption Policy on its website inviting mailed comments from the public on its mission, strategies, objectives, and regulatory framework, which you can send to [email protected], until 16th October 2015. A lot of the details mentioned in the draft guidelines are worrying, and this is a topic that concerns every consumer.
While the draft encryption policy’s preamble starts by talking about improving e-governance and e-commerce through better security and privacy measures, it very quickly brings up national security as well, and that’s where things get worrying from a consumer’s perspective. It’s very reminiscent of when the Indian government was thinking about banning BBM in India unless BlackBerry (then Research in Motion) gave security agencies access to snoop on emails. The two would eventually reach an arrangement that allowed the government to intercept email.
The language of the new draft policy is quite clear – businesses and consumers may use encryption for storage and communication, but the encryption algorithms and key sizes will be prescribed by the Indian government. What’s more, vendors of encryption products would have to register in India (with the exception of mass use products, such as SSL), and citizens are allowed to use only the products registered in India.
“Would OpenPGP, a commonly-used standard for encryption of email, fall under ‘mass use’?” asks Pranesh Prakash, Policy Director at the Centre for Internet and Society, speaking to Gadgets 360. “Because if it doesn’t, I am prohibited from using it. But if it does, I am required to copy-paste all my encrypted mails into a separate document to store it in plain text, as required by the draft policy. Is that what it really intends? Has the government thought this through?”
Most people don’t explicitly use encryption, but it’s built into apps they use every day. Do the guidelines also extend to products and services with built-in encryption like WhatsApp? If yes, then combine them with the government’s requirements for its citizens, and we could have very interesting (and worrying) scenarios.
The draft guidelines read “All citizens (C), including personnel of Government/ Business (G/B) performing non-official/ personal functions, are required to store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country.”
WhatsApp messages are now encrypted end-to-end. So do the guidelines mean you have to store a copy of all your WhatsApp messages for 90 days? What about Snapchat? Or any other form of ephemeral messaging that is automatically deleted after being read? The consumer is expected to maintain plain text copies of all communications for 90 days – so that these can be produced if required by the laws of the land – so, is it even legal to read a message that deletes itself?
The policy states that the vision is to create an information security environment, and secure transactions. But the actual details mentioned in the draft appear to do the opposite, focusing instead on limiting encryption to technologies that the government can intercept when required. This is in many ways similar to the Telecom Regulatory Authority of India’s draft letter on Net Neutrality, which instead talks about issues like cyberbullying and ‘sexting’. In the feedback period, Trai received over 1 million emails, but the Department of Telecom report on Net Neutrality also went against public sentiment, suggesting that telcos should be allowed to charge extra for specific services, such as Skype or WhatsApp Voice calls in India, showing that calls for feedback aren’t necessarily being taken seriously.
Another problem the National Encryption Policy shares with the Net Neutrality discussions is the use of vague language. The result is that there is very little clarity at this point on what is, and what is not, permitted by the government. We’re living in a time when the government talks about how WhatsApp and Gmail may be used by “anti-national elements”, and even considered requiring Twitter and Facebook to establish servers in India. With that in mind, you have to ask, is it even legal to use WhatsApp? After all, WhatsApp messages have end-to-end encryption and if this service does not register in India, and comply with the algorithms prescribed by the government, then as a citizen of India, you aren’t allowed to use it.
These are questions that don’t just affect a few people, but just about every Indian who is using the mobile Internet. In its present form, the draft actually severely limits what you can do online, and could hobbl