Public outcry compels Indian government to remove WhatsApp, social media from purview of draft encryption policy

The Indian government had earlier put forward a proposal to keep a check on every message that an individual sends via WhatsApp, SMS, or Google Hangouts. Under the draft New Encryption Policy, storing all encrypted messages, including SMSes and emails, sent from any mobile device or computer would have been mandatory for 90 days.

Following public outcry over investigation and compulsory storing of messages, the Modi government yesterday issued a clarification that social media websites and applications like WhatsApp, Twitter and Facebook will be exempted from the purview of the Encryption Policy.

Certain categories of encryption products will be exempted from the purview of the draft national encryption policy, according to the draft posted by the Department of Electronics and Information Technology (DeitY).

A proposed addendum to the policy posted on the department’s website said that mass-use encryption products currently being used in web applications, social media sites, and social media applications such as WhatsApp, Facebook, Twitter, etc. are being exempted from the purview of the draft National Encryption Policy.
Banking transactions, payment gateways and password-protected e-commerce businesses will also be exempted from the purview of this policy.

The following categories of encryption products are being exempted from the purview of the draft national encryption policy:

1. The mass use encryption products, which are currently being used in web applications, social media sites, and social media applications such as WhatsApp, Facebook, Twitter, etc.

2. SSL/TLS encryption products being used in Internet-banking and payment gateways as directed by the Reserve Bank of India.

3. SSL/TLS encryption products being used for e-commerce and password based transactions.

The draft New Encryption Policy proposes that users of encrypted messaging services should, on demand, reproduce the same text transacted during a communication in plain format before law enforcement agencies. The draft also implied that there may be punishment associated with deleting WhatsApp communication within 90 days.

The proposed policy, issued by the DeitY, would apply to everyone, including citizens, government departments and academic institutions, and to all kinds of personal or official communications.

As per the draft, “all citizens including personnel of Government / Business (G/B) performing non-official / personal functions, are required to store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country.”



“On demand, the user shall be able to reproduce the same Plain text and encrypted text pairs using the software / hardware used to produce the encrypted text from the given plain text. Such plain text information shall be stored by the user/organisation/agency for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country,” it adds.

“All vendors of encryption products shall register their products with the designated agency of the government. While seeking registration, the vendors shall submit working copies of the encryption software / hardware to the Government along with professional quality documentation, test suites and execution platform environments. The vendors shall work with the designated Government Agencies in security evaluation of their encryption products,” the draft adds.

Basically all modern messaging services, such as WhatsApp, Google Chat, Viber, Yahoo Messenger and Line, come with a high level of encryption, and law enforcement agencies often find it hard to access the encrypted information.

If the user has communicated with a foreigner or an entity abroad, it would be the primary responsibility of the user in the country to provide the readable plain text along with the corresponding encrypted information.

Apart from this, according to the draft, all service providers situated within and outside India that use encryption technology and provide any type of service in India must register themselves with the government.

The draft proposes to introduce the New Encryption Policy under Section 84 A of the Information Technology Act, 2000. This section was introduced through an amendment in 2008.

Sub-section 84 C, which was also introduced through the amendment, provides for imprisonment for violation of the act.

“Encryption products may be exported but with prior intimation to the designated agency of Government of India. Users in India are allowed to use only the products registered in India. Government reserves the right to take appropriate action as per Law of the country for any violation of this Policy,” the draft said.

Arun Sukumar, Head, Cyber Initiative, said, “Having a draft on the issue is a welcome step. It looks at everything with the prism of law enforcement. It will create a license raj. There is very much concern around the privacy of citizens. The policy wants messages to be given on demand. If my private information is sought by the government, it should be done through courts.”

As netizens, you can send in your opinion and comments to [email protected] until 16 October, 2015.