
It is only a matter of time before the government tries to bring the encryption policy back to the table. Here's how it affects all of us.
Some called it India’s war on encryption. In September 2015, under the pretext of promoting online security, the Indian government proposed to debase the premise of encryption-based secure communications.
Among other points made in the draft encryption policy last year was the laughable clause that users must store plain text versions of their communications for 90 days to help law enforcement agencies. It also wanted services that provide encryption to register with the government and provide working copies of their software.
The internet called out the foolishness of the government, and rightly so. The policy was withdrawn. However, it is only a matter of time before the government tries to bring it back to the table — a lot more cautiously this time. As internet users, we must be careful as well. This isn’t some esoteric debate for wonks. Let me explain how it affects all of us.
With or without our knowledge, we use encryption in our daily computing lives. Does the address of the site you browse start with ‘https’ instead of ‘http’? WhatsApp much? You are already using encryption.
The 2015 draft bill prescribed the usage of key sizes “up to 256 bit” to encrypt communication. The size of the key is what determines how hard it would be to “break” the encryption by trying keys with the available computing power. Today, a 256-bit key is considered secure. However, it will not remain so as computational power increases.
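To make the relationship between key size and brute-force effort concrete, here is a small added model (example code written for this article, not part of the original piece or of any government document). It estimates how long exhausting a keyspace takes, first at a fixed rate of key trials and then under an assumed doubling of computing power every fixed number of years. The trial rate (10^12 keys per second) and the doubling period (1.5 years) are assumptions chosen for illustration, not measured figures.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_years_fixed(key_bits: int, trials_per_second: float) -> float:
    """Years needed to try every key of `key_bits` bits at a constant trial rate.

    Worst case for the attacker: the whole keyspace (2**key_bits keys) is searched.
    Each extra bit doubles the work, so doubles the time.
    """
    # 2.0 ** key_bits stays a float; fine for any realistic key size (< 1024 bits).
    return (2.0 ** key_bits) / trials_per_second / SECONDS_PER_YEAR


def brute_force_years_growing(key_bits: int, trials_per_second: float,
                              doubling_years: float) -> float:
    """Years needed to try every key when the trial rate doubles every `doubling_years`.

    With r0 trials/year at t = 0 and rate r0 * 2**(t/T), the cumulative number of
    trials after t years is  r0 * T / ln2 * (2**(t/T) - 1).  Setting that equal to
    2**key_bits and solving for t gives the closed form below.  Under this model every
    additional key bit costs the attacker one more doubling period, so the security
    margin of a fixed key size erodes linearly with time rather than staying put.
    """
    r0 = trials_per_second * SECONDS_PER_YEAR          # trials per year at t = 0
    ratio = (2.0 ** key_bits) * math.log(2) / (r0 * doubling_years)
    return doubling_years * math.log2(1.0 + ratio)


def compare_key_sizes(trials_per_second: float, doubling_years: float,
                      sizes=(56, 128, 256)) -> dict:
    """Return {bits: (years_at_fixed_rate, years_with_growing_rate)} for each size."""
    return {
        bits: (brute_force_years_fixed(bits, trials_per_second),
               brute_force_years_growing(bits, trials_per_second, doubling_years))
        for bits in sizes
    }


if __name__ == "__main__":
    # Assumed attacker: 10^12 key trials per second today, doubling every 1.5 years.
    for bits, (fixed, growing) in compare_key_sizes(1e12, 1.5).items():
        print(f"{bits:4d}-bit key: {fixed:12.3e} years at a fixed rate, "
              f"{growing:8.1f} years if compute keeps doubling")
```

The "growing" column is the one that matters for policy: a ceiling on key size fixes the defender's side of the equation while the attacker's side keeps improving, which is why standards normally state a minimum rather than a maximum.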
There is no good reason to prescribe an upper limit on key size unless the government believes that it can crack encrypted communication below the prescribed limits.
Most encryption standards prescribe a minimum key length and the type of algorithm that should be used. For the government to prescribe such standards for their own use — in the form of government-to-government or government-to-consumer communication — is a good idea.
The government may be better off working with key stakeholders, such as web hosting companies, to encourage adoption of encryption technologies.
While cryptography is at the heart of internet security, the current scope of this policy (i.e. encrypting traffic and data at rest) will not, in itself, create a safer digital environment. A plethora of other security controls need to be implemented by the government, businesses and consumers to make the digital world safer. This policy addresses none of those concerns. It would be useful to broaden the scope to include security measures that prescribe guidelines for controls such as authentication, authorisation and breach disclosure, rather than pigeonhole it to encryption standards alone.
The lack of attention to larger digital security issues and the discussions on “upper limits” for key sizes hints that the primary goal of this policy could be surveillance. If this is indeed the scope, then a larger debate on the trade-off between security and privacy in our society is necessary.
Prescribing “upper limits” on encryption standards to catch a small fraction of the population (such as terrorists) may just weaken security for the vast majority of Indians.