MENUMENU

Indian government proposes an encryption plan that would mandate backdoors

abstract art of a computer surrounded by encryption force fields

What started in the United States has quickly spread to other countries, with worrisome results.

The global debate over encryption reached India this weekend as the country’s government became the latest to publicly wrestle with the growing popularity of strong cryptography and its implications for law-enforcement operations.

The government of India, the world’s most populous democracy, released a draft National Encryption Policy over the weekend that would require all individuals and businesses using encryption to store decrypted versions of data for 90 days, available for law enforcement to demand pursuant to the country’s laws.

The law would apply to everyone using services in India, even if they are not Indian citizens.

The policy also says that “encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time,” introducing the strong possibility of a legally mandated backdoor allowing the government to access encrypted data.

The policy would not apply to “sensitive departments / agencies of the government” but would apply to Central and State Government Departments, an exception deemed hypocritical by civil-liberties advocates.

The document is the work of an unspecified “expert group” inside India’s Department of Electronics and Information Technology (DeitY).

Other than releasing the draft, which is open to public comment until Oct. 16, Indian officials have not addressed its subject matter or responded to the intense criticisms it has generated.

India’s new draft policy comes in the midst of an ongoing global encryption debate that has pitted privacy activists and law enforcement officials in multiple countries against each other. As strong encryption becomes more prevalent, its implications for law-enforcement and national-security investigations become more worrisome to government officials.

In the U.S., the years-long public debate on the issue has seen the director of the FBI accusing companies like Apple of aiding terrorists by locking out government investigators. But the White House hasn’t taken a position in the debate, and reports suggest that the Obama administration is preparing to publicly support widespread strong encryption against the wishes of some intelligence officials.

Obama, who is being presented with multiple options by the National Security Council, seems likely to back off of a plan similar to India’s draft proposal.

In Europe, however, the debate is shifting in the opposite direction. A bill dubbed the “snoopers’ charter,” which is expected to become law in the newly empowered Conservative government, would ban apps from operating in the U.K. unless they contained a backdoor allowing government access to encrypted data.

Security experts across the world have slammed backdoors as unfeasible and insecure technical solutions.

“The path to hell starts at the backdoor,” Brad Smith, general counsel and executive vice president of legal and corporate affairs at Microsoft, said at the World Economic Forum. “You should not ask for backdoors. That compromises protection for everyone against everything.”

Privacy advocates in India immediately slammed the government’s draft policy. Pranesh Prakash, policy director at the Bengaluru-based Center for Internet and Society, told the Times of India that the policy was a “bad idea conceived by people who do not understand encryption,” because it exposed businesses and individuals to hackers like those who infiltrated Ashley Madison and those who have repeatedly broken into U.S. government systems.

Update 9:12am, Sept. 22: The Indian government has withdrawn the draft of its encryption proposal, arguing that it was misunderstood and did not reflect the government’s full views of encryption priorities.

Illustration by Max Fleishman 

Patrick Howell O'Neill

Patrick Howell O'Neill

Patrick Howell O'Neill is a notable cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016. I am a cybersecurity journalist at CyberScoop. I cover the security industry, national security and law enforcement.