Almost all non-official, personal electronic communication in India will be ripped of its privacy under the Draft National Encryption Policy proposed yesterday by the Department of Electronics and Information Technology (Deity), which seeks to make the information available for legal investigation.
Both government officials as well as private citizens will have to store “plaintexts of the corresponding encrypted information for 90 days from the date of transaction” and will have to make these plaintexts available to law and enforcement agencies, when asked by the agencies, for investigation, according to the policy, reported Medianama.
However, in an addendum to the policy, Deity has today exempted web applications, social media sites such as Facebook, Twitter and others, social media applications such as Whatsapp and others, internet banking and payment gateways and e-commerce and password based transactions, from the policy.
Deity has, however, qualified the exemption with the phrase “[encryption products] currently being used”. Medianama has pointed out that this vague qualification makes it unclear, what is “currently” and whether a new service that uses a different kind of encryption to protect its users still be covered.
It is also not clear whether the policy includes operating systems that encrypt hard disks for security, and Twitter was abuzz with at least 20 obvious cyber security related loopholes pointed out in the policy for which Deity has invited public comment.