The Draft National Policy on Encryption was released by the Department of Electronics and Information Technology recently. In order to allay fears that the government plans to look into the twitterati's chats and social media inanities, the Department also released an addendum.
The post below tries to point out what is problematic with the draft policy as well as the addendum.
Since public use of the internet is only about 20 years old, analogies with older systems may help us understand the technologies better. Hence, here is an analogy that can help clarify some issues.
In the days of yore (about 30-40 years ago!) we used to write a letter on plain paper, put it in an envelope, seal the envelope with glue and mail the envelope to the recipient. The envelope could be torn (or steamed!) open by someone else but the recipient would (could) then know that the letter had been read. If you had "nothing to hide" you sent letters using a postcard instead of an envelope! Under an amendment to the postal act, the government acquired the power to open envelopes if they could convince a judge or magistrate that something illegal or dangerous was being exchanged between sender and recipient. Similarly, a warrant to search the premises of the sender and recipient could unearth whatever information is available there; the alleged criminals are also required to hand over keys to safes and so on. There is no requirement on citizens to keep copies of all their letters in case they are later accused of being criminals or terrorists.
In modern systems, the letter is written as computer file, the envelope is the encryption and the glue is the hash that is used to seal it. Unecnrypted mail and files are like a postcard. On suspicion of terrorism or illegal activities, the government can ask a judge or magistrate to issue a warrant requiring the alleged criminal to hand over her/his encrytion passwords and thus look at all stored files and correspondence. However, the draft policy requires all citizens to keep copies of all their letters and files (provided that they encrypted them!) in case they are later suspected of being criminals or terrorists!
With this analogy, it is clear how wrong the policy is. Just to make it clear:
- Do we keep copies of all correspondence just to prove that we are innocent?
- How do we prove that we have not sent any encrypted letters?
- Who will provide the storage space for this data?
The addendum that excludes social media and SSL traffic does not help matters. Extending the analogy, it is like saying that you need not keep copies of your letters if you used a courier service (social media) to send them (or sent them as a telegram or postcard)! Alternatively, if I use a personal courier (SSL) to send a file to my correspondent, then it is no longer considered as a possibly criminal activity. The latter is a huge loophole for real criminals to bypass the proposed policy. Anyone who knows how to use socat or SMTPS can thus avoid keeping copies of files and letters.
Another part of the encryption policy tries to regulate the kinds of encryption tools that can be used by citizens. This is like saying everyone must buy their door locks from Harrison or Godrej, or can only use 7 lever locks; using more levers or using magnetic locks will require prior government approval!
It seems to me that this policy is based on the often discredited analogy of "encryption as munitions" that formed the basis of the encryption policy in USA for many years. The possession of and use of encryption tools is (under this analogy) considered to be like owning a gun---something that can be only be authorised for registered users or companies that can be regulated. The primary flaw with this notion is obvious when one sees that that encryption is not a weapon any more than a lock or safe is! On the other hand, by its very nature, a gun is a weapon (even if some people claim that is only for hunting or self-defense!). Of course, in the hands of a trained assassin even a paper clip is a weapon, that does not mean that we regulate the use of paper clips!
(The above text will be sent to "" in response to the request for comments on the draft encryption policy.)