7 October 2015

India’s Encryption Policy: Online Privacy, Overruled

Saroj Kumar Rath 
5 Oct, 2015
http://swarajyamag.com/politics/indias-encryption-policy-online-privacy-overruled/

Exceptional access to encrypted messages by law enforcement agencies is both an essential and a risky business. On the one hand, encryption helps private enterprise retain confidential information; on the other hand, it reduces the chance of nabbing criminals.

The Government of India, which normally faithfully follows colonial-era innovations like the 19th-century vintage telegraph and telephone and Macaulay’s penal code laws, is a grand delusion and a profound misfit for the modern, libertarian, aspiring younger generations. In mid-September 2015, when the government circulated a 6-page, 1761-word ‘Draft National Encryption Policy’, India’s matured national media, nascent social networking sites, and gullible internet websites were collectively infuriated. The draft policy sought ‘exceptional access’ for law enforcement agencies to the internet data and web communications of all and sundry.




Unable to comprehend how to respond to the incessant media frenzy and public outrage, a confabulating Minister for Communication and Information Technology, Mr. Ravi Shankar Prasad, asked his officials to withdraw the draft with a promise to return with an appropriate revision. The timing of the ill-fated policy could not have been worse: at the same time, Prime Minister Narendra Modi was finalizing the speech he was to deliver at the Google, Facebook and Apple headquarters in Silicon Valley advocating ‘freedom of opinion’ and ‘privacy’, while his officials back home were mulling ending what Modi was supposed to promise his overseas audience.

Technology service providers have been encrypting their corporate and customer data after learning that security agencies are soaking up digital communications and hacking into corporate information. Enforcement agencies complain about such encryption because they believe that such methods diminish their chances of nabbing criminals, kidnappers, militants, and other roughs.

However, the encryption policy is only one thread in the tapestry called Indian cyber (security) law. The September 2015 draft had a long and convoluted background. There was no computer-related policy until 1970, when the Government of India established the Department of Electronics (DoE) on the recommendation of a 1963 committee led by Homi Bhabha. Until 1978, the US companies Digital Equipment Corporation and IBM used to supply obsolete computers to India at a prohibitive price without offering technological know-how.

When India sought access to technology, IBM closed its operations. During this time, DoE was able to make its own computer, and indigenisation of production started with help from the United Nations Development Programme. The real thrust for wide-scale use of computers started in 1986, during Rajiv Gandhi’s tenure. Rajiv was in overall charge of the 1982 edition of the Asian Games, when the waiting time for a telephone connection was two years. He successfully used indigenous computers during the Games, and two years later, when he became the prime minister, he revolutionized the programme. As a result, from a mere 1000 computers in India in 1978, the number reached 80,000 in 1990.

In 1986, when the Indian Railways replaced manual ticketing with computerised ticketing, which reduced waiting hours in queues, the machine changed the mind-set of the general population. Five years later, in 1991, India was about to default on its foreign debt, and as the International Monetary Fund bailed the country out, it imposed a condition that India open its market to global investors. The software sector witnessed tremendous growth.

Curiously, despite the large-scale use of the internet and computers in business transactions during the 1990s, the country was regulated neither by any official guidelines nor by any cyber policy. Indian policy makers never thought of having a cyber law. In the midst of this cyber-lawlessness, with a view to achieving uniformity in the laws of various cyber-nations, the United Nations’ General Assembly passed a resolution in January 1997 adopting a Model Law on Electronic Commerce on International Trade.

Responding to this resolution, DoE drafted a bill in July 1998. After several debates, and with a view to curbing cyber crime, the Standing Committee suggested that a cyber cafe owner must maintain a record detailing the names and addresses of the visitors along with the websites they surfed. Like the draft encryption policy of 2015, this suggestion was also ridiculed and dropped. The bill finally became an act in 2000 and came to be known as the Information Technology Act, 2000.

This act was meant to provide a legal framework and legal sanctity for e-commerce, e-records and other activities carried out by electronic means. It had nothing to do with cyber security policy, and India survived the next 13 years without a cyber security policy. Probably the country would have continued with the status quo had Edward Snowden not leaked the US government’s surveillance of India’s domestic politics and its strategic and commercial interests. In June 2013, Snowden published the US National Security Agency’s mind-boggling surveillance of government and private individuals, fuelling hysterical debates on government mass surveillance and secrecy and on the intricate balance between individual/business privacy and national security.

Within a month, on 2 July 2013, the government unveiled a 9-page National Cyber Security Policy 2013 with the explicit aim to ‘protect information and information infrastructure in cyberspace, build capabilities to prevent and respond to cyber threats, reduce vulnerabilities and minimize damage from cyber incidents’. Careful scrutiny reveals the policy document to be a copy-paste initiative without original vision, futuristic enterprise or real groundwork. Strangely, there is no mention of the word ‘encryption’ in the entire document, while a 90-page ‘Compilation of Comments on Discussion Draft on National Cyber Security Policy’ dated 26 March 2011 had ample discussion of the subject. Participants like the US-India Business Council, the Tata group, FICCI, Infosys and various others pleaded that ‘the government must support the strong use of encryption by private sector.’ There are other surprises from the government as well. A ‘Discussion draft on National Cyber Security Policy: For Secure Computing Environment and Adequate Trust & Confidence in Electronic Transactions’, distributed at the behest of the Ministry of Communication and IT in May 2011 by Dr. Gulshan Rai, Director General, CERT-IN, advocates ‘dynamic and strong encryption’ because cyber attacks encourage the attackers and demoralize the victim.

Under the 12th Five Year Plan (2012-17), the Kiran Karnik-led ‘Working Group on Information Technology Sector’ noted in its report the need to enact a ‘legal framework for encryption in the backdrop of cyber security, privacy and national security’.

Nevertheless, the draft encryption policy of 2015 defied all logic and contradicts itself. For example, the mission of the draft proposal is ‘protection of sensitive or proprietary information for individuals & businesses’, while at the same time it wanted users to retain their information on the internet (Facebook, WhatsApp, e-mail and all web-related messages) for a period of 90 days so that a spook or a self-proclaimed government staff member could verify the information under the pretext of national security. There is no framework to protect the citizen or business enterprise from misuse of information by dubious or rough government staff.

The policy has unnecessarily pitted technologists and privacy advocates against intelligence and law enforcement leaders. What is hilarious is that the authoritarian draft came within a few months of the quashing of Section 66A of the Information Technology Act, which authorized law enforcement agencies to decide which messages of a citizen are against national security.

The encryption debate is an old issue in the Western world, especially in the United States, where citizens and technologists successfully overawed the law enforcement organizations’ lobbies seeking access to all data in 1995, twenty years before India started such a debate. After the 2013 Snowden snowball, the imposition of an extraordinary access mandate by law enforcement agencies is back to haunt Americans.

Unlike the carefree criticism of government policy by the Indian urban elite and the directionless debate in public media, the US intelligentsia has come out with a calibrated policy paper titled ‘Keys Under Doormats: Mandating Insecurity by Requiring Government Access to all Data and Communications’. The paper challenged the government’s wit to gain exceptional access to all data and communications and cautioned law enforcement agencies about the growing economic and social cost and the disregard for the rule of law such enforcement would attract.

The transmission of coded messages, the interception and breaking of such communications, and the unearthing of secrets is a brutal and age-old fascination. Woodrow Wilson, the President of the United States, kept America out of the First World War for the initial three years until March 1917. In that year, British cryptographers deciphered a German coded telegram sent to Mexico in which the Germans had offered American territory to Mexico in exchange for joining the German cause. Decoding of the message, known as the ‘Zimmermann Telegram’, forced America to join the war against Germany and its allies.

From the national security viewpoint, gathering of intelligence through electronic means is essential, and the enforcement agencies must gain lawful access to e-communications. But the widespread misuse of such information has become a cornerstone of Western intelligence agencies like the CIA, MI6 and others. Such snooping not only leads to devastating revelations of private conduct but also results in misjudged wars such as the 2003 Iraq War. The United Kingdom and China have already promised legislation to compel communications service providers to grant access to law enforcement agencies.

Exceptional access to encrypted messages by law enforcement agencies is both an essential and a risky business. Citizens want the enforcement agencies to secure their lives, lifestyle, and property, while the authorities want access to communications to undertake such jobs along with national security. But there is no foolproof system to ensure a safe and genuine exceptional access framework. Such regulation also dwarfs the internet industry, from the ‘current open and entrepreneurial model to a highly regulated industry’.

India is a peculiar place where the use of the internet is both beneficial and self-destructive. While the operation of cyber technology offers tremendous potential for economic growth and simplification of citizens’ services, it also leads to greater economic vulnerabilities and social jeopardy. The 26/11 Mumbai terror attacks, numerous online banking frauds, and the Radia tapes are some of the contrasting examples of cyber vulnerabilities.

At the start of October 2015, when the Draft National Encryption Policy had already been unveiled and withdrawn, to get a sense of the pulse of the nation, I contacted the students and faculty members of Tezpur University, Assam and Dr. Hari Singh Gaur University, Madhya Pradesh. To my utter surprise, the fraternities of both universities were unaware of any encryption policy, its withdrawal and the debates, because of a host of local reasons. This is a testimony to India’s digital divide.

Indians, especially those living outside the metro walls, are committed followers of jadu-tona (sorcery). Exceptional access to internet communication by law enforcement agencies without safeguards would lead to a booming business of jadu-tona, where officers armed with information would exploit rural internet users.

