India's Worrying Draft Encryption Policy
knwny writes: The government of India is working on a new National Encryption Policy the contents of which have raised a few alarms. Among other things, the policy states that citizens and businesses must save all encrypted messages (including personal or unofficial ones) and their plaintext copies for 90 days and make them available to law enforcement agencies as and when demanded. The policy also specifies that only the government of India shall define the algorithms and key sizes for encryption in India. The policy is posted on this website.
What happens if, by accident or malicious intent, the storage medium you are using is destroyed? Or ironically enough, if you are attacked with malware that encrypts your drive. How do you explain that you can't decrypt the drive so they can decrypt your messages? Or that the cloud solution provider you were using is down for an undetermined amount of time?
Restore the madness of youth's lechery
They are trying to make it easier for their enemies to disrupt them?
... or can you simply store some arbitrary log, and tell them it's your actual communication data?
the use of Indian consultants is about to drop dramatically.
Until you require your citizens to bathe at least once a week, you don't get any say on technology.
And here we go with yet another example of politicians and other assholes with no technical understanding deciding to legislate "solutions" for their needs without the barest understanding of reality.
Yet another country who has decided their need to spy magically changes how technology works.
And, as usual, this will never work in practice.
Lost at C:>. Found at C.
What's worrying about draft encryption ? ...
It's this kind of foolishness which means that countries like India and China will never advance into the first rank of nations. It is part of a pattern of meddling, obstructiveness, distrust and plain lack of freedom that causes backwardness. I chuckle whenever a pundit proclaims that India is the future.
I hasten to add that American politicians, regulators and the general public now seem intent on thrusting the US backwards, by the same means. America will never be overtaken, but it may fall by the wayside.
Prove anything by multiplying Huge Number times Tiny Number
You forgot to point out what exactly is for cows this time... India? Encryption?
This'll just drive the use of steganography, and then the government won't even know when there ARE messages.
Why have this
> The policy also specifies that only the government of India shall define the algorithms and key sizes for encryption in India.
When they have enforced key escrow and mandated plaintext retention of said encrypted data?
If I'm accessing an https website in India that would mean that I would have to copy everything I typed in and save it for 90 days. That's every web search, amazon review, etc.
I see nothing about the number of iterations. There are going to be an awful lot of pissed off spies when they find that decrypting a message gives them another encrypted message.
Wouldn't Hindu Indians that believe in reincarnation be happy to be cows? Since cows in India are sacred and all.
I wonder how this'll affect the companies that outsource stuff over to India and how badly this will screw over their customers. I mean, I would imagine many of these outsourced services will need access to customer records and stuff from the company that hired them, but if the government insists on downgrading encryption and stuff it'll make it much easier for attackers to gain unauthorized access or for them to eavesdrop on stuff.
What I need is encryption that makes my encrypted data look like plain text, pdf reports, etc.
Hear that? That's the sound of technology companies closing up their offices in India and Indian businesses looking to move to another country.
Supply working copies of the encryption hardware and software along with full professional documentation? Yeah, sure. Buh bye.
Won't tell it, but for until next time, you can look at these cute calves:
https://d3h9j6pjreamyv.cloudfr...
http://static1.squarespace.com...
http://3.bp.blogspot.com/-Wjum...
http://cdn.cutestpaw.com/wp-co...
http://thumbs.dreamstime.com/x...
http://goo.gl/AXG9B0
Did you know cows are worshipped in India?
texas than i do about india
It will be ineffective and it will be wielded against people who haven't even abused the law.
What's interesting about this proposal is that it actually includes a proviso that makes some sense. They want you to retain the unencrypted copy so that they can sniff through it, but shockingly, they don't want you to retain it forever. That seems like an admission that there are some secrets which should be protected by cryptography.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
...always trying to invade the privacy of their citizens. I'm just thankful that I live in the U.S.A. where that kind of thing... Oh, wait...
Let's say for example you have some data you want encrypted from point A to point B. You're not using a tunnel/VPN because the thought police is going to break down your door.
Encrypt the data with asymmetric crypto, and then encrypt the encrypted payload with whatever broken, master keyed encryption they want you to use. They can break their weak mandatory encryption and just see some high entropy garbage that might or might not be encrypted data. You're technically following the rules.
Will they start taking a very hard look at the person using any data format they can't identify without cryptanalysis? Maybe go the China Firewall route and make using encryption slow and disconnect prone, if not outright blocked?
I assume you can get away with this for low amount of data.
"are required to store the plaintexts of the corresponding encrypted information for 90 days"
So if I send an encrypted picture I must store it in plaintext? Do I convert the unencrypted picture's bytes to Unicode-text/ASCII?
How are the cricket teams going to know which young cricket players are available if the draft is encrypted?
Steganography in cow pictures?
Have gnu, will travel.
They are inviting comments. Presumably, they want comments from citizens, but my email address doesn't proclaim me to be a non-citizen.
To: akrishnan@deity.gov.in
"Such plain text information shall be stored by the user/organisation/agency for 90 days from the date of transaction and made available to Law Enforcement Agencies"
I suppose that the next proposition will be that people must save their mail, notes, and memos for ninety days, so that the police may look at them.
Government has NO RIGHT to mandate what encryption methods a private citizen may or may not use. Nor does it have any right to mandate how or when a private citizen disposes of unwanted messages.
Arrogant, pompous fools in politics presume to pass meaningless laws. Are you competing with the United States, United Kingdom, and Russia to see who can create the most fascist government?
So, the Indian Govt thinks that intentionally weak crypto and forced plain text long term storage is a good idea? Never mind what the US might do with this. India's strategic and economic competitor is China, which will thus get so much more info product with so much less effort.
On the flip side, this may be so unacceptable to the business sector that it'll become another source of graft for officials to look the other way. Aka, The "Bureaucrat Bonus" Bill. Something for everyone.
Luke, help me take this mask off
AyòíÄí{ßpÄê$hGÿ2UÒvï;KÔôöõhÇoQ
You misspelled "cat".
... with the NSA.
Calling this worrying means worrying for who? Those who have been spying on us illegally?
> Government has NO RIGHT to mandate what encryption methods a private citizen may or may not use. Nor does it have any right to mandate how or when a private citizen disposes of unwanted messages.
Stopping a law like this is probably expensive to some major industrialist out there. A fair few Crores Rs I would wager :)
Waitaminute. If an Indian watches a DRMed movie, he'll be required by law to have cracked it and ripped it? If I sell DRMed media to Indians, am I going to automatically be a conspirator, if my customer doesn't crack it?
There needs to be a DRM exception.
And I'd rather not discuss the consequences of such an exception. ;-)
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
> India's Worrying Draft Encryption Policy
This sentence means India wants to protect data on the selectively enforced mandatory military service of its citizens, which is a highly laudable aim!
Draft: a form of conscription, where not every male reaching the military age is pressed into mandatory armed service, but only those unlucky ones who "win" the associated lottery draw. Such a policy may be warranted by the large population of various countries, which have relatively short defence-worthy border lines, e.g. India is almost entirely surrounded by oceans and extremely tall mountains on the borders, while USA is entirely bordered by oceans and underdogs.
has the common courtesy to build secret backdoors into the encryption and automatically archive all your messages for you ;)
India is just trying to make their citizens do all the busy work for them.
There's not even a passing mention of why this is being done, like um .. protecting from teh badd guyzz
This is hilariously blatant, technologically stupid and never going to work. ... goes and gets some popcorn.
It would appear that India is choosing to squander its immense talent pool, and forgo its future as a major world IT player. (Or, as others have pointed out, it's covertly encouraging a new boom in steganography technology.)
-- In the beginning was the WORD, and the WORD was UNSIGNED, and the main(){} was without form and void...
Does a message in obscure language count as encrypted?
Will it create new work places for translators?
"Symmetric Cryptographic Encryption products with AES, Triple DES and RC4 encryption algorithms and key sizes up to 256 bits are prescribed by the Government for use for protecting information by stakeholders."
RFC 7465 *prohibits* the continued use of RC4. "RC4 has long been known to have a variety of cryptographic weaknesses."
AES was re-named by a USA government agency. If I were wanting to keep my data secret from such agencies, I'd be investigating alternatives. Omitting Camellia, Twofish, Serpent, Blowfish, IDEA and taking RC4 over all of them just should remind us all how legislatures ought to keep their opinions out of things they don't understand.
Tell Narendra Modi regime to fuck off https://www.change.org/p/prime...
Casteism