Slashdot Mirror

← Back to Stories (view on slashdot.org)

India's Worrying Draft Encryption Policy

Posted by timothy on from the they'll-take-a-kilometer dept.

knwny writes: The government of India is working on a new National Encryption Policy the contents of which have raised a few alarms.Among other things, the policy states that citizens and businesses must save all encrypted messages (including personal or unofficial ones) and their plaintext copies for 90 days and make them available to law enforcement agencies as and when demanded. The policy also specifies that only the government of India shall define the algorithms and key sizes for encryption in India. The policy is posted on this website.

47 of 114 comments (clear)

  1. This should be interesting. by allaunjsilverfox2 · · Score: 4, Interesting

    What happens if, by accident or malicious intent, the storage medium you are using is destroyed? Or ironically enough, if you are attacked with malware that encrypts your drive. How do you explain that you can't decrypt the drive to so they can decrypt your messages? Or that the cloud solution provider you were using is down for a undetermined amount of time?

    --
    Restore the madness of youth's lechery
    1. Re:This should be interesting. by bigpat · · Score: 4, Interesting

      What happens if, by accident or malicious intent, the storage medium you are using is destroyed? Or ironically enough, if you are attacked with malware that encrypts your drive. How do you explain that you can't decrypt the drive to so they can decrypt your messages? Or that the cloud solution provider you were using is down for a undetermined amount of time?

      It depends what you are accused of and how politically connected or rich you are. Seriously, a law like this is meant as a catch all that nobody will be able to ensure their compliance with. Basically it outlaws encryption for all practical purposes. So if you are accused of something, anything, and you happened to use encryption then at least they can jail or fine you on a technicality when they can't prove that any real crime has been committed.

    2. Re:This should be interesting. by Anonymous Coward · · Score: 1

      This is like the UK's RIPA law. Say you do a SSL transaction with PFS enabled, you can be hauled into Crown Court, the judge asks for the session key (which is obviously long gone), and the dialog goes like this:

      Magistrate: "What is the session key to your web browsing session at www.cowsrus.com?"
      Arrestee: "No clue."
      Magistrate: "That is another four years to your sentence. Now what is the session key to your web browsing session at www.cowsrus.com?"

      Repeat until a life sentence is achieved. This is an easy legal tactic to keep someone (or their family members) locked up.

      The US is about as bad, but at least there are some Constitutional protections that are invokable.

      How does one protect against this? I wouldn't be surprised to see steganography tools (successors to TrueCrypt and VeraCrypt) advance, as well as offline methods of transporting information. Good old fashioned couriers are a lot harder to intercept as well.

    3. Re:This should be interesting. by tapspace · · Score: 2

      If you are attacked with malware that encrypts your drive, the government questioning your encryption probably is the least of your concerns.

      Uhhh. What?

      Plus, you cannot be held responsible for things that you have no control over.

      False.

    4. Re:This should be interesting. by INT_QRK · · Score: 1

      Worse yet, what happens if you're a company doing business with Indian partners or subsidiaries and want to protect trade secrets and proprietary information? I would be further discouraged from doing such future business.

    5. Re:This should be interesting. by johanw · · Score: 2

      If you're interested in protecting that you would not do any buisiness with India in the first place.

    6. Re:This should be interesting. by INT_QRK · · Score: 1

      Correct, which India will need to assess to determine a law that works for them, and I, as a business, will need to assess how my risk tolerance bears on any decision to do further business with India.

    7. Re:This should be interesting. by gweihir · · Score: 1

      And that may be the kicker. Outsourcing to India is dead if this gets to law and common practice.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Do you have to prove they are no fake by NotInHere · · Score: 1

    ... or can you simply store some arbitrary log, and tell them it's your actual communication data?

  3. In other news... by Jon.Burgin · · Score: 4, Insightful

    the use of Indian consultants is about to drop dramatically.

    1. Re:In other news... by houstonbofh · · Score: 2

      "Dears, could you set the encryption on your tunnel to 56 bit please, sir? It is the maximum allowed by law, sir."

      The scary part is that many people will...

  4. Yet another failed attempt ... by gstoddart · · Score: 4, Insightful

    And here we go with yet another example of politicians and other assholes with no technical understanding deciding to legislate "solutions" for their needs without the barest understanding of reality.

    Yet another country who has decided their need to spy magically changes how technology works.

    And, as usual, this will never work in practice.

    --
    Lost at C:>. Found at C.
    1. Re:Yet another failed attempt ... by Anonymous Coward · · Score: 2, Interesting

      You're under the mistaken impression that this legislation has anything to do with encryption, technology, or is in any way designed to solve a problem for the public.

      Short, un-pc but painfully true answer: India is an apartheid state run by privileged class. (Cue shill posters in 3..2..1.. Sorry. India's been like this for 5-10x longer than most other countries have flown their flags period. Its not changing any time soon.)

      They've got two goals: 1. Make sure that the lower classes stay impoverished by limiting their access to private communications. 2. Have a bludgeon that, through selective enforcement, they can use to help keep lower classes impoverished.

      Welcome to geopolitics 101. Try not to stay too long or you'll end up hating humanity.

    2. Re:Yet another failed attempt ... by aminorex · · Score: 1

      What do you expect from a country run by Tata consultants?

      --
      -I like my women like I like my tea: green-
  5. No Exceptionalism For You! by Tokolosh · · Score: 1

    It's this kind of foolishness which means that countries like India and China will never advance into the first rank of nations. It is part of a pattern of meddling, obstructiveness, distrust and plain lack of freedom that causes backwardness. I chuckle whenever a pundit proclaims that India is the future.

    I hasten to add that American politicians, regulators and the general public now seem intent on thrusting the US backwards, by the same means. America will never be overtaken, but it may fall by the wayside.

    --
    Prove anything by multiplying Huge Number times Tiny Number
    1. Re:No Exceptionalism For You! by PlusFiveTroll · · Score: 1

      You forget about the BS America has pushed in it's past? Clipper chip? PGP fight? 40-bit export encryption.

    2. Re:No Exceptionalism For You! by Tokolosh · · Score: 1

      You did not bother to read my second paragraph??

      --
      Prove anything by multiplying Huge Number times Tiny Number
  6. reactions by DriveDog · · Score: 3, Insightful

    This'll just drive the use of steganography, and then the government won't even know when there ARE messages.

    1. Re:reactions by U2xhc2hkb3QgU3Vja3M · · Score: 4, Funny

      Agent 1: Wow, this guy sure likes sending photos of kittens.
      Agent 2: Oh, look how cute this one is!

    2. Re:reactions by swb · · Score: 1

      What is the state of steganography these days?

      Hiding in plain sight seems to be a pretty good technique in the physical world and in the computer world it would seem to be a terrific to combine with encryption to make the encrypted data hard to identify.

      Especially in today's world where people are constantly sharing images, videos, etc.

      I'm also curious about using steganography in transport protocols -- steganographic data or parameters in HTTP/S requests and responses that would otherwise decode as meaningful, but contain hidden encrypted information.

    3. Re:reactions by theendlessnow · · Score: 2

      Agent 1: Wow, this guy sure likes sending photos of kittens. Agent 2: Oh, look how cute this one is!

      Wonder why the second picture file is named operation_curry_storm.jpg?

    4. Re:reactions by zlives · · Score: 1

      LOL, however google search did not reveal anything..

  7. Doesn't make sense by Chrisq · · Score: 4, Interesting

    If I'm accessing an https website in India that would mean that I would have to copy everything I typed in and save it for 90 days. That's every web search, amazon review, etc.

    1. Re:Doesn't make sense by Jason+Levine · · Score: 3, Funny

      Not to mention all of your spam e-mails that you looked at via HTTPS webmail. Because if you don't keep an unencrypted copy of "herbal viagra for sale by nigerian princes whose daughters want to video chat with you" for 90 days then you're breaking the law!

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    2. Re:Doesn't make sense by drinkypoo · · Score: 2

      If I'm accessing an https website in India that would mean that I would have to copy everything I typed in and save it for 90 days.

      And the other end would have to save all your form data in plaintext for 90 days, too. (I presume you mean "If I'm in India, accessing a https website" and not what you actually said; if you're not in India, or an Indian citizen, you're not bound by these laws.)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  8. Algorythms and Key Sizes but... by ComputerGeek01 · · Score: 3, Interesting

    I see nothing about the number of iterations. There are going to be an awful lot of pissed off spys when they find that decrypting a messages gives them another encrypted message

  9. Outsourcing to India? by Gaygirlie · · Score: 2

    I wonder how this'll affect the companies that outsource stuff over to India and how badly this screw over their customers. I mean, I would imagine many of these outsourced services will need access to customer records and stuff from the company that hired them, but if the government insists on downgrading encryption and stuff it'll make it much easier for attackers to gain unauthorized access or for them to eavesdrop on stuff.

    1. Re:Outsourcing to India? by TheGratefulNet · · Score: 1

      anyone outsourcing to india or china already has shown their hand:

      1) they care nothing about quality and are there ENTIRELY because of low-cost labor

      2) they care nothing about security; they never did. its only about #1

      --

      --
      "It is now safe to switch off your computer."
  10. Re:hmm by U2xhc2hkb3QgU3Vja3M · · Score: 1

    In case of war, your encryption will be drafted.

  11. Re:India needs a policy on bathing by CRCulver · · Score: 1, Offtopic

    Until you require your citizens to bathe at least once a week

    Look, I would be the first person to criticize Indian standards of hygiene and make one of those "Fix your problems X before doing Y, India" posts: after traveling around India for half a year, and just before I was supposed to fly out, I ended up spending nearly a month in a Delhi hospital after either drinking bad water or eating food that wasn't prepared in a sanitary fashion. The country has a big problem with ensuring treated water, disposing of sewage, and washing hands well when serving food.

    But where foreigners have no right to criticize Indians is bathing. Indians bathe regularly, and I've been impressed to see even the poorest of the poor using any public source of water they could to thoroughly scrub every morning. Indians know how much sweat and odor a tropical or sub-tropical climate could produce. It is often Westerners who are considered the unwashed there.

  12. As usual by drinkypoo · · Score: 1

    It will be ineffective and it will be wielded against people who haven't even abused the law.

    What's interesting about this proposal is that it actually includes a proviso that makes some sense. They want you to retain the unencrypted copy so that they can sniff through it, but shockingly, they don't want you to retain it forever. That seems like an admission that there are some secrets which should be protected by cryptography.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:As usual by Jason+Levine · · Score: 2

      The problem, though, that even the 90 day limit is too much to require. Suppose you go to check your Gmail account. You've accessed it via HTTPS which means it's encrypted which means you now need to keep unencrypted versions of all of your e-mails for 90 days. Yes, even that Nigerian prince e-mail that you immediately went to delete as spam. First, you must save it without encryption and only then can you delete it. This will either a) make using any form of encryption too much of a hassle thus leaving communications open for "security agencies" to look through or b) will result in mass violation of the law which means anyone who runs afoul of the wrong official can be jailed for failing to keep unencrypted copies.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  13. These backwards countries... by Jawnn · · Score: 3, Funny

    ...always trying to invade the privacy of their citizens. I'm just thankful that I Iive in the U.S.A. where that kind of thing... Oh, wait...

  14. Re:You certainly know the content of this message by PPH · · Score: 1, Offtopic

    Steganography in cow pictures?

    --
    Have gnu, will travel.
  15. Aka, The "China, Please Snarf My Data" Bill by cmholm · · Score: 3, Insightful

    So, the Indian Govt thinks that intentionally weak crypto and forced plain text long term storage is a good idea? Never mind what the US might do with this. India's strategic and economic competitor is China, which will thus get so much more info product with so much less effort.

    On the flip side, this may be so unacceptable to the business sector that it'll become another source of graft for officials to look the other way. Aka, The "Bureaucrat Bonus" Bill. Something for everyone.

    --
    Luke, help me take this mask off ... Just for once, let me butterfly kiss you with my own eyes.
  16. Re:So send an email by Anonymous Coward · · Score: 1

    Governments have no rights. . They only have power and authority and chains of obedience.

  17. Re:Easy by MightyMartian · · Score: 1

    They're authoritarian morons, like most politicians and government officials in the security theater industry. Simpering, contemptible, evil morons.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  18. Re:hmm by TheGratefulNet · · Score: 2

    too late for me, I already burned my rot13 card.

    try getting THAT data back, suckers!

    --

    --
    "It is now safe to switch off your computer."
  19. Government to industry: Empy wallet by Air-conditioned+cowh · · Score: 1

    Stopping a law like this is probably expensive to some major industrialist out there. A fair few Crores Rs I would wager :)

  20. Re:So send an email by zlives · · Score: 1

    India is a democracy, government has all the rights the people give it.

  21. Re:So send an email by Impy+the+Impiuos+Imp · · Score: 1

    No. Democracies with no constitutional restrictions on government presume to possess all possible powers, limited only by The People getting outraged over something and demanding revokation.

    The People haven't given them a damned thing -- those in power just took it.

    A proper government is formed by granting a list of powers to it, "and none others".

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  22. Any DRM exceptions? by Sloppy · · Score: 5, Funny

    Waitaminute. If an Indian watches a DRMed movie, he'll be required by law to have cracked it and ripped it? If I sell DRMed media to Indians, am I going to automatically be a conspirator, if my customer doesn't crack it?

    There needs to be a DRM exception.

    And I'd rather not discuss the consequences of such an exception. ;-)

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  23. Re:India needs a policy on bathing by CRCulver · · Score: 1

    You just prove my point, my man. The issue isn't whether you are comfortable with your body odour, it's about how the people around you feel. Even when millions of people have limited access to water, they still think about other people.

  24. Strange Decision by heretic108 · · Score: 1

    It would appear that India is choosing to squander its immense talent pool, and forego its future as a major world IT player. (Or, as others have pointed out, it's covertly encouraging a new boom in steganography technology.)

    --
    -- In the beginning was the WORD, and the WORD was UNSIGNED, and the main(){} was without form and void...
  25. Re:So send an email by zlives · · Score: 1

    so you are not arguing if its a democracy.. just not one you consider proper... again power is still with the people, what they choose to do with it... then again encryption is not really on the radar for most indians and much more immediate quality of life issues probably are... not much traction on those either. so ... lets just blame the culture :)

  26. Re:Contradictory.. by Ungrounded+Lightning · · Score: 1

    Why have [key size and algorithm limitations] When they have enforced key escrow and mandated plaintext retention of said encrypted data?

    1) So they can eavesdrop without warning the target.
    2) So they can (try to) crack the saved info when somebody says the dog ate his retained data.
    3) So they can have evidence to bust people who don't provide "retained data" that matches what was sent.
    4) The two sets of requirements are belt-and-suspenders. The retention/delivery requirements help cover for times the wiretap decryption fails or the data is lost through some mishandling, equipment failure, or failure to get the wiretap started in time to capture what was of interest to law enforcement.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  27. Tell Narenra Modi regime to fuck off by NewYork · · Score: 1

    Tell Narenra Modi regime to fuck off https://www.change.org/p/prime...

    --
    Casteism