In order to access all encrypted information shared on popular chatting and messaging applications, including WhatsApp, Viber, Line and Google Chat, the Union government is all set to re-introduce the Draft National Encryption Policy, sources have confirmed. According to sources, the government is working on the draft for the National Encryption Policy (NEP) and it may soon publish the draft for public feedback.
Following a public uproar over the threat to privacy, the government last year called off the Draft National Encryption Policy 2016, which had made storage of all messages, including social media messages, mandatory for 90 days.
According to sources, Telecom Minister Ravi Shankar Prasad had asked the Department of Electronics and Information Technology—recently made into a separate ministry—to re-work a fresh draft to regulate the country’s encryption policy.
Cyber law expert Pawan Duggal said, “The initial draft policy on encryption introduced by the government was draconian and it would have put more burdens on individuals, while service providers, most of whom are based outside India, would have remained out of the policy net.”
According to Duggal, as a sovereign country, India has all rights to protect its security and given the cyber threats in the country, it is necessary for the government to have a “lawful surveillance system” in place.
WhatsApp, in its blog, has said that even the company is unable to decrypt its end-to-end encryption due to its intrinsic technology protection. However, many experts have rubbished the claim made by WhatsApp.
Duggal said, “WhatsApp or any other social media platform owners cannot simply get away, saying that it has no decryption key to its end-to-end encryption technology. WhatsApp and other products of the ‘true encryption’ sort could indeed be compelled by Indian law to behave like mobile phone services, and forced to re-implement their software, relapse it to make lawful interception possible on demand.”
Neha Sharma, another Delhi-based cyber law expert who teaches cyber law at the Centre of Law, Rajasthan University, said: “Many services we think of as encrypted are subject to what’s called lawful interception, which is supposed to mean that with the right sort of authorisation from the judiciary, supposedly confidential data that was sent or stored using the service can be recovered.”
“Lawful interception may lead to traffic being monitored in real time, or (given the sheer volume of data involved these days) recovered and decrypted later to help an investigation or prosecution. For example, your online banking transactions are typically encrypted end-to-end as you conduct them, but the bank needs to keep a permanent record of what you did — for its own rather obvious commercial reasons, as well as for regulatory purposes,” Neha told The Sunday Guardian.
Under the existing regulatory framework, 256-bit encryption is unlawful and prohibited because of the retraction made by the government on bulk encryption and a cap on key lengths at 40 bits. However, several experts do not agree with this argument and say that the 40-bit key cap obligations currently apply only to licence holders themselves (such as ISPs and TSPs) and not to internet.