The Department of Electronics and Information Technology (DeitY) has drafted the ‘Draft National Encryption Policy’. The policy aims to “enable (an) information security environment and secure transactions in cyberspace for individuals, businesses and government including nationally critical information systems and networks.”
DeitY is now inviting comments on the policy, which has been posted on its website. The draft policy, introduced under Section 84 A of the Information Technology Act (2000), will remain on the website till October 16. A specific part of the policy reads: “All citizens (C), including personnel of Government / Business (G/B) performing non-official / personal functions, are required to store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country”.
This essentially means that the government would require users and companies to store plain text and encrypted text pairs for at least 90 days and make them available to law enforcement agencies when legally asked to do so. Also, businesses and consumers may use encryption for storage and communication, but the encryption algorithms and key sizes will be prescribed by the Indian government. The policy seeks to promote R&D in the field of cryptography by public and private companies, government agencies and academia, but it requires all vendors of encryption products to register their products with the government and re-register when their products are upgraded.
Several points in the policy are still vague and raise a lot of questions about how a user accesses services like WhatsApp and Gmail that are an integral part of one's day-to-day life. DeitY’s encryption policy is currently posted on its website, where you can read it.