After criticism that emanated over the week end on the draft National Encryption Policy that the Government released last week, Government has quickly made some clarifications.
The original policy is available here
We had provided our comments and suggestions on the draft policy in our earlier post.
We had requested the Government to exempt the individuals from the responsibilities of being bound by this encryption policy and enforce it only through the intermediaries. Others have highlighted the fact that “need to preserve encrypted information for 90 days” is an additional security risk and privacy invasion.
Keeping the upcoming US visit of Mr Modi and possible repercussions if the privacy issue is left un-attended, Government has moved fast to issue a “Clarification”.
The clarification reads as follows:
PROPOSED ADDENDUM TO THE DRAFT ENCRYPTION POLICY
By way of clarification, the following categories of encryption products are being exempted from the purview of the draft national encryption policy:
1. The mass use encryption products, which are currently being used in web applications, social media sites, and social media applications such as WhatsApp,Facebook,Twitter etc.
2. SSL/TLS encryption products being used in Internet-banking and payment gateways as directed by the Reserve Bank of India
3. SSL/TLS encryption products being used for e-commerce and password based transactions.
It is unfortunate that clarification became necessary so soon after the issue of the draft NEP policy. At the same time it should be appreciated that releasing the draft policy for public comments and reacting to it quickly was good. Atleast we can say that the department has been responsive.
Some in the media are however misrepresenting the clarification and stating that “E Banking is exempted from Encryption Policy”.
This is however not the correct interpretation. E Banking is already been under the guidance of RBI and the G Gopalakrishna Working group has already given elaborate guidelines on E Banking security. Additionally there is an industry level information security standard already in place. The clarification only means that the security need not be limited to what is mentioned in the encryption policy and could be different.
The same interpretation holds for other sensitive departments of the Government which are exempt from this policy. They (such as the Military and Police) need to keep the information encrypted at levels better than what is suggested in this policy.
It should also be remembered that this is only a policy guideline which is subordinate to the law contained in Information Technology Act 2008. It cannot be ultra vires the Act.
The ITA 2008 already has a provision under Section 69 that the Government (through CCA) has the power to demand decryption of any communication. There is no need for this policy to demand decrypted message from WhatsApp or other message systems.
Under Section 67C, there is a provision for data retention norms being set. Government may set here any time limit for retention of data by any intermediary.
Further, any information that becomes “Potential Data related to a cognizable offence” becomes an “Evidence” and has to be retained for an indefinite period, failure of which can become a contravention of Section 65 of ITA 2008.
These sections 67C and 65 carry 3 years imprisonment and Section 69 carries 7 year imprisonment if the IT user/intermediary does not comply.
For some data to be treated as “Potential Evidence”, notice from law enforcement is not mandatory. Knowledge that the data may hold evidentiary value is sufficient. A notice will however seal the status of some data changing its status to “Potential Evidence” which need to be preserved.
This is part of the ITA 2008 compliance that every IT user need to follow at present and this would continue.
Hence, media should not proliferate the incorrect view that “E Banking” and “E Commerce” is exempt from the encryption policy and inter alia the need to retain data particularly what is suspected to be an “Evidence”.
In the past media by its ignorance created a situation where Section 66A was wrongly painted as unconstitutional and even the Supreme Court Judges were rendered blind to reality and scrapped the section just to correct a false perception. In the last few days, we have also pointed out how Karnataka Government, in its ignorance of Cyber Law has passed a Bill which is ultra vires the ITA 2008 and how the Adjudicator of Karnataka in the past has created an untenable legal situation out of his ignorance of ITA 2008. Now the media highlighting “E Banking exempted from Encryption Policy” will be another mis-perception that would be circulating and will gain acceptance by uninformed.
We need to ensure that this mistake does not happen.
The Government when it issues the final policy should therefore clarify that E Banking and E Commerce are expected to use encryption systems commensurate to what can be considered as “Reasonable Security Policy” under ITA 2008. This will be another Suggestion that we would like to make to the department on the policy.
Naavi