National Encryption Policy (NEP) – Everything you need to know about it
What is National Encryption Policy (NEP)?
The National Encryption Policy, or NEP, which was still in draft form (and that draft has now been withdrawn), is essentially a set of guidelines on secured communications, that is, communications such as WhatsApp chats, SMSes and electronic fund transfers that are carried as ‘encrypted’ messages. Through it, the Government of India (specifically the Department of Electronics and Information Technology, DeitY) plans to get control of the current situation in the ever-growing Indian market.
Why the need of such a policy?
Internet and mobile are two industries in India that are seeing unprecedented growth, and with them comes growth in electronic transactions, Internet-based communications, online transactions and so on. Most of these transactions carry information that is critical or sensitive in nature (mobile banking transactions, for example) and hence are encrypted.
Although the increase in such transactions and communications bodes well for the technological atmosphere in India, it also points to the need for a control mechanism to oversee them and maintain national security in all respects. No country would want its citizens’ mobile payment transactions to be targeted, or terrorists and similar groups to plan attacks on Indian territory using WhatsApp messenger. Such concerns point towards having a national policy to deal with all aspects of encryption and encrypted communication.
What has Government of India proposed in its National Encryption Policy (NEP)?
As per the draft document, the vision of Government of India says –
To enable information security environment and secure transactions in Cyber Space for individuals, businesses, Government including nationally critical information systems and networks.
With NEP, government also aims to:
- Encourage the use of Digital Signatures by all authorities for authentications, etc.
- Promote Research and Development work in the field of Cryptography
The broad points from the draft policy are:
- “The vendors shall submit working copies of the encryption software / hardware to the Government along with professional quality documentation, test suites and execution platform environments. The vendors shall work with the designated Government Agencies in security evaluation of their encryption products.”
- For B2B communications, the encryption tools and techniques will be suggested by the government from time to time. Users must also be able to produce the plain text of communications from the past 90 days to law enforcement agencies as and when demanded. [How this is being interpreted: for a layman, this means that all communications in the B2B segment must be kept available in an easily readable format, which actually increases the chances of theft, as you will have to keep this data available at all times. And knowing the technical expertise of our government agencies, handing over this information to them would mean another hole in the security.]
- The above is also required for all B2C and C2B activities. That means if you are doing a financial transaction over encrypted channels, you (it is not clear who is responsible here, B or C) will have to keep plain text copies of these transactions for the past 90 days readily available at all times for government agencies to look at.
- In the C2C segment, which is communication between two ordinary citizens, it would mean something like keeping your WhatsApp chats available in plain text for the past 90 days for scrutiny by enforcement agencies. Even a status update on Facebook is posted over SSL, which is again an encrypted channel; this too could be reviewed by agencies if required under this draft policy.
What is everybody saying about the Draft National Encryption Policy (NEP)?
Since the day the draft policy was released, it has been condemned by all segments for various reasons. Some see it as an invasion of privacy, and for technical pundits it reveals our government's lack of technical expertise in handling such critical and sensitive issues.
Certain stakeholders have also pointed out that certain government agencies have been excluded from the purview of this policy, when they need it the most.
Draft National Encryption Policy (NEP) withdrawn
Given the furore created by the release of the draft NEP document, the government has withdrawn the draft policy and has said that the policy was open to interpretation by the general public and all who are concerned with it. The government also mentioned that the policy will be looked at again and that a revised draft will be released soon.
Other clarifications that were released by the government (before withdrawing the draft NEP):
- Mass-use products, such as Facebook, WhatsApp, etc., have been exempted from the purview of the draft NEP
- All products that use SSL/TLS in inter-banking and financial transactions will be exempted from the draft NEP’s purview
- e-Commerce websites and password-based transactions will also be exempted from the purview of the draft NEP
As of now, the draft policy has been withdrawn and even the draft document has been removed from the website of DeitY.
In view of the concerns raised over the encryption policy, I have asked the draft to be withdrawn, made changes to and then re-released – Ravi Shankar Prasad, Telecom Minister
Our view on this whole episode:
Given the sudden explosion of the Internet and its usage in India, and the exponential increase in complex products being introduced in the market, this is a welcome step from the Government of India. It is commendable to see the government bring complex issues like this to the table for discussion and actually work on them.
But what this draft lacked was basic knowledge of how the cryptography industry works and of what the implications of such policy measures could be for our day-to-day lives. The proposed policy implementation also lacked depth and spread.
It is noted that certain government agencies, which actually perform critical and strategic roles, had been excluded from the purview of this draft policy, whereas these are the agencies where a minimum level of policy implementation is necessary.
Our suggestion is that the Government of India should first discuss this with industry stakeholders to understand its implications for them, and then work out the minute details of the draft policy.
What is your view on this? How do you think your life will be impacted if such a policy is actually implemented? Do share your views with us.
Sources referred to: Medianama, Hindustan Times,