WhatsApp, Facebook, Twitter exempted from purview of National Encryption Policy

Clarification comes after widespread public outrage on the new draft proposal

After widespread outrage over its draft encryption policy, the Department of Electronics and Information Technology on Tuesday said that social media websites and applications will be exempted from its purview.

A proposed addendum to the National Encryption Policy said that mass-use encryption products, which are currently being used in web applications, social media sites and social media applications such as WhatsApp, Facebook, Twitter, would be exempt from the draft National Encryption Policy.

The clarification came on the heels of public criticism snowballed over a proposal that mandated storing messages that people send through WhatsApp, SMS, e-mail or any such service for up to 90 days. .

All messages in that time period would need to be stored in plain text format and made available on demand to security agencies. 

All modern messaging services such as WhatsApp, Viber, Line, Google Chat, Yahoo messenger, etc, come with high level of encryption, which often makes it harder for security agencies to intercept these messages. 
 

The earlier draft had also proposed legal action including imprisonment for failure to store and produce on demand the encrypted messages sent from any mobile device or computer. The policy also wanted providers of such services to hand over encryption keys to the government.

The Indian government had earlier had a long drawn out battle with Canadian mobile handset maker Blackberry, which gained popularity worldwide -- and particularly with the corporate set -- for its highly encrypted, hard-to-crack Blackberry messenger service, popularly known as BBM. The government had demanded that Blackberry share its encryption keys with Indian security agencies, prompting a months-long stand-off as the Canadian firm refused to do so, citing privacy and patent concerns as its servers were located outside India. Eventually, however, it backed down and said it would set up servers in India that would allow security agencies to access private messages. 

Under the proposed encryption policy, all service providers located within and outside India using such technology for providing any type of services in India will need to register themselves with the government.

"Users in India are allowed to use only the products registered in India. Government reserves the right to take appropriate action as per Law of the country for any violation of this Policy," the draft said.
 

The earlier version of the policy had raised several privacy concerns, with Arun Sukumar, head, Cyber Initiative, saying that the government is following an old mindset in trying to regulate new technology.

Medianama Founder and volunteer for 'Save The Internet' forum, Nikhil Pahwa had said that the problem is that the government could hold users liable for not keeping copies of their data in a 'plain text' format, when 99.99% of users in the country didn't even know the meaning of 'plain text'.

"There is also a possibility that the 'plain text' data can be manipulated by hackers, or by a government official with encryption keys who can manipulate stored data. How will an individual be protected against such attacks? An individual's right to privacy is a fundamental right under Article 21," Pahwa had added.

Internet Service Provider Association Of India (ISPAI) President Rajesh Chharia had said putting responsibility on customers is not acceptable.

"While we welcome 256 bit encryption which we have been demanding from very long time, government needs to consider secrecy of business as well. National security is paramount but government should think that a terrorist is never going to share encryption code of his tool. Government needs to develop capability to handle such issues," Chharia had said.

The last date for public to comment on the draft is October 16, 2015.