A welcome withdrawal

New encryption policy should keep in mind privacy concerns

The Union department of electronics and information technology has withdrawn the draft National Encryption Policy after its proposals triggered a public outcry. The draft, which was released over the weekend, had framed rules regarding the use of encryption methods under Section 84A of the Information Technology Act, 2000. Despite being supposedly put together by an expert group, it had proposed norms that were unrealistic and even dangerous in view of their implications. It had also made excessive demands in terms of compliance, and sought far too much private information. Users were required to employ only algorithms and keys provided by the government. All electronic communications, including personal communications between two private citizens about their private affairs, had to be stored, unencrypted, for 90 days and made available on demand.

Not surprisingly, the draft was criticised by security experts, civil liberty advocates, companies and ordinary citizens. Indeed, the draft betrayed a tendency on the part of the government to excessively micro-manage and use discretion, thereby crippling entrepreneurship. For instance, the draft had given the government the discretionary power to clear some encryption algorithms and exempt some service providers from its norms. Its quick withdrawal, therefore, is a relief.

In national encryption policies, such as those in the US and other developed countries, upper limits are imposed on the strength of non-military encryption. Within those limits, users are free to deploy whatever they like. They may invent and deploy new cryptography systems, provided those are below the stipulated limit, which is reviewed from time to time. There is no obligation to keep personal communications on record. There is no obligation to store unencrypted data, though the authorities may ask for clear copies in specific cases.

The fact is that encryption is encountered at some level in most data. It is a huge gap in security if information is stored en clair as this draft had demanded. There have been countless scandals and huge financial losses associated with the hacking of unencrypted databases. Every operating system, all internet service providers and cloud storage services employ encryption - at the very least, to compress data, and conceal details of clients and databases. Lawyers and accountants protect privileged communications and of course, so do e-commerce players, banks, credit card companies and other financial service providers. Businesses which provide email, instant messaging and social media services also use encryption to secure data. There are many encryption systems available for free use and download on the internet. It is plain absurd to expect every encryption system to be registered and cleared.

Going beyond technology, the draft reflected a disturbing mindset. It demanded huge amounts of private and personal information. It is an attitude reminiscent of the proposed income-tax return forms that had demanded granular details about every foreign trip of a taxpayer. As good sense prevailed, that form was withdrawn. Such incidents also raise larger questions on the government's approach to protecting the individual's privacy. It is to be hoped that when the revised encryption norms are released, they address such privacy concerns. More importantly, the government should move quickly to draft a comprehensive privacy protection law so that it can adequately deal with such intrusive regulations.