The encryption policy will be back soon, here’s what you need to know

Some called it India’s war on encryption. In September 2015, under the pretext of promoting online security, the Indian government proposed to debase the premise of encryption-based secure communications.
Among other points made in the draft encryption policy last year was the laughable clause that users must store plain text versions of their communications for 90 days to help law enforcement agencies. It also wanted services that provide encryption to register with the government and provide working copies of their software.
The internet called out the foolishness of the government and rightly so. The policy was withdrawn. However, it is only a matter time before the government tries to bring it back on the table — a lot more cautiously this time. As internet users, we must be careful as well. This isn’t some esoteric debate for wonks. Let me explain how it affects all of us.

With or without our knowledge, we use encryption in our daily computing lives. For instance, does the link of the site you browse start with ‘https’ instead of ‘http’? If yes, you are already leveraging encryption. WhatsApp much? You are using encryption.
Encryption is necessary for our basic safety online — it guarantees a reasonable amount of safety and privacy online. Since we all are in it together, here are four major concerns we must ask the government to address if it comes to that.

Upper limit on encryption key size

The 2015 draft bill prescribed the usage of key sizes “up to 256 bit” to encrypt communication. The size of the key is what determines how hard it would be to “break” the encryption using available computing power. Today, a 256 bit key size is considered secure. However, it will not remain so as computational power increases.

There is no good reason to prescribe an upper limit on key size unless the government believes that it can crack encrypted communication below the prescribed limits. Note that the stated purpose of the policy does not talk about surveillance at all. The government should either not prescribe an upper limit or should modify the policy to include a provision for surveillance and be honest about its objectives.

Lower limit on key size

Most encryption standards prescribe a minimum key length and the type of algorithm that should be used. For the government to prescribe such standards for their own use — in the form of government-to-government or government-to-consumer communication — is a good idea.

This is no different (in terms of policy, not implementation) than the IT department of a private company prescribing standards for its internal use. However, mandating businesses and consumers to have a minimum standard is a bad idea. There may be many reasons why encryption may not be required for a website (case in point, does this site really need SSL?). While it is a good practice to encrypt all web traffic, making it “illegal” would be excessive. In addition, from an implementation perspective, identifying and punishing non-compliant consumers would be a herculean task that will need a small army of lawyers to execute effectively.
The government may be better off working with key stakeholders, such as web hosting companies, to encourage adoption of encryption technologies.

Focus on other digital security initiatives

While cryptography is at the heart of internet security, the current scope of this policy (i.e. encrypting traffic and data at rest) will not, in itself, create a safer digital environment. A plethora of other security controls need to be implemented by the government, businesses and consumers to make the digital world safer. This policy addresses none of those concerns. It will be useful to broaden the scope to include security measures which prescribes guidelines for controls such as authentication, authorisation and breach disclosure, rather than pigeon hole it to encryption standards alone.

Deviation from stated purpose

The lack of attention to larger digital security issues and the discussions on “upper limits” for key sizes hints that the primary goal of this policy could be surveillance. If this is indeed the scope, then a larger debate on the trade-off between security and privacy in our society is necessary.

Specifically, we should deliberate if it is in India’s public interest to give the government sufficient powers to intercept any traffic on the pretext of national security. Also, by prescribing a ceiling on key sizes, if the government can now intercept digital communication, what stops other state and non-state hackers from doing the same? There is no reason to believe that the Indian government has the world’s best hackers on it’s payroll.
Currently, the government policy rarely addresses cyber security challenges. The move to change that is appreciable. However, it is imperative to clearly state its purpose and get the details right. Governments often use prevention of terrorism as a reason to defend surveillance. Prescribing “upper limits” on encryption standards to catch a small fraction of the population (such as terrorists), may just weaken security for the vast majority of Indians.