Slashdot Mirror


India's Worrying Draft Encryption Policy

knwny writes: The government of India is working on a new National Encryption Policy, the contents of which have raised a few alarms. Among other things, the policy states that citizens and businesses must save all encrypted messages (including personal or unofficial ones) and their plaintext copies for 90 days and make them available to law enforcement agencies as and when demanded. The policy also specifies that only the government of India shall define the algorithms and key sizes for encryption in India. The policy is posted on this website.

21 of 114 comments

  1. This should be interesting. by allaunjsilverfox2 · · Score: 4, Interesting

    What happens if, by accident or malicious intent, the storage medium you are using is destroyed? Or ironically enough, if you are attacked with malware that encrypts your drive. How do you explain that you can't decrypt the drive so they can decrypt your messages? Or that the cloud solution provider you were using is down for an undetermined amount of time?

    --
    Restore the madness of youth's lechery
    1. Re:This should be interesting. by bigpat · · Score: 4, Interesting

      What happens if, by accident or malicious intent, the storage medium you are using is destroyed? Or ironically enough, if you are attacked with malware that encrypts your drive. How do you explain that you can't decrypt the drive so they can decrypt your messages? Or that the cloud solution provider you were using is down for an undetermined amount of time?

      It depends what you are accused of and how politically connected or rich you are. Seriously, a law like this is meant as a catch all that nobody will be able to ensure their compliance with. Basically it outlaws encryption for all practical purposes. So if you are accused of something, anything, and you happened to use encryption then at least they can jail or fine you on a technicality when they can't prove that any real crime has been committed.

    2. Re:This should be interesting. by tapspace · · Score: 2

      If you are attacked with malware that encrypts your drive, the government questioning your encryption probably is the least of your concerns.

      Uhhh. What?

      Plus, you cannot be held responsible for things that you have no control over.

      False.

    3. Re:This should be interesting. by johanw · · Score: 2

      If you're interested in protecting that you would not do any business with India in the first place.

  2. In other news... by Jon.Burgin · · Score: 4, Insightful

    the use of Indian consultants is about to drop dramatically.

    1. Re:In other news... by houstonbofh · · Score: 2

      "Dears, could you set the encryption on your tunnel to 56 bit please, sir? It is the maximum allowed by law, sir."

      The scary part is that many people will...

  3. Yet another failed attempt ... by gstoddart · · Score: 4, Insightful

    And here we go with yet another example of politicians and other assholes with no technical understanding deciding to legislate "solutions" for their needs without the barest understanding of reality.

    Yet another country who has decided their need to spy magically changes how technology works.

    And, as usual, this will never work in practice.

    --
    Lost at C:>. Found at C.
    1. Re:Yet another failed attempt ... by Anonymous Coward · · Score: 2, Interesting

      You're under the mistaken impression that this legislation has anything to do with encryption, technology, or is in any way designed to solve a problem for the public.

      Short, un-pc but painfully true answer: India is an apartheid state run by a privileged class. (Cue shill posters in 3..2..1.. Sorry. India's been like this for 5-10x longer than most other countries have flown their flags period. It's not changing any time soon.)

      They've got two goals: 1. Make sure that the lower classes stay impoverished by limiting their access to private communications. 2. Have a bludgeon that, through selective enforcement, they can use to help keep lower classes impoverished.

      Welcome to geopolitics 101. Try not to stay too long or you'll end up hating humanity.

  4. reactions by DriveDog · · Score: 3, Insightful

    This'll just drive the use of steganography, and then the government won't even know when there ARE messages.

    1. Re:reactions by U2xhc2hkb3QgU3Vja3M · · Score: 4, Funny

      Agent 1: Wow, this guy sure likes sending photos of kittens.
      Agent 2: Oh, look how cute this one is!

    2. Re:reactions by theendlessnow · · Score: 2

      Agent 1: Wow, this guy sure likes sending photos of kittens. Agent 2: Oh, look how cute this one is!

      Wonder why the second picture file is named operation_curry_storm.jpg?

  5. Doesn't make sense by Chrisq · · Score: 4, Interesting

    If I'm accessing an https website in India that would mean that I would have to copy everything I typed in and save it for 90 days. That's every web search, amazon review, etc.

    1. Re:Doesn't make sense by Jason+Levine · · Score: 3, Funny

      Not to mention all of your spam e-mails that you looked at via HTTPS webmail. Because if you don't keep an unencrypted copy of "herbal viagra for sale by nigerian princes whose daughters want to video chat with you" for 90 days then you're breaking the law!

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    2. Re:Doesn't make sense by drinkypoo · · Score: 2

      If I'm accessing an https website in India that would mean that I would have to copy everything I typed in and save it for 90 days.

      And the other end would have to save all your form data in plaintext for 90 days, too. (I presume you mean "If I'm in India, accessing a https website" and not what you actually said; if you're not in India, or an Indian citizen, you're not bound by these laws.)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  6. Algorithms and Key Sizes but... by ComputerGeek01 · · Score: 3, Interesting

    I see nothing about the number of iterations. There are going to be an awful lot of pissed off spies when they find that decrypting a message gives them another encrypted message.

  7. Outsourcing to India? by Gaygirlie · · Score: 2

    I wonder how this'll affect the companies that outsource stuff over to India and how badly this will screw over their customers. I mean, I would imagine many of these outsourced services will need access to customer records and stuff from the company that hired them, but if the government insists on downgrading encryption and stuff it'll make it much easier for attackers to gain unauthorized access or for them to eavesdrop on stuff.

  8. These backwards countries... by Jawnn · · Score: 3, Funny

    ...always trying to invade the privacy of their citizens. I'm just thankful that I live in the U.S.A. where that kind of thing... Oh, wait...

  9. Re:As usual by Jason+Levine · · Score: 2

    The problem, though, is that even the 90 day limit is too much to require. Suppose you go to check your Gmail account. You've accessed it via HTTPS which means it's encrypted which means you now need to keep unencrypted versions of all of your e-mails for 90 days. Yes, even that Nigerian prince e-mail that you immediately went to delete as spam. First, you must save it without encryption and only then can you delete it. This will either a) make using any form of encryption too much of a hassle thus leaving communications open for "security agencies" to look through or b) will result in mass violation of the law which means anyone who runs afoul of the wrong official can be jailed for failing to keep unencrypted copies.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  10. Aka, The "China, Please Snarf My Data" Bill by cmholm · · Score: 3, Insightful

    So, the Indian Govt thinks that intentionally weak crypto and forced plain text long term storage is a good idea? Never mind what the US might do with this. India's strategic and economic competitor is China, which will thus get so much more info product with so much less effort.

    On the flip side, this may be so unacceptable to the business sector that it'll become another source of graft for officials to look the other way. Aka, The "Bureaucrat Bonus" Bill. Something for everyone.

    --
    Luke, help me take this mask off ... Just for once, let me butterfly kiss you with my own eyes.
  11. Re:hmm by TheGratefulNet · · Score: 2

    too late for me, I already burned my rot13 card.

    try getting THAT data back, suckers!

    --
    "It is now safe to switch off your computer."
  12. Any DRM exceptions? by Sloppy · · Score: 5, Funny

    Waitaminute. If an Indian watches a DRMed movie, he'll be required by law to have cracked it and ripped it? If I sell DRMed media to Indians, am I going to automatically be a conspirator, if my customer doesn't crack it?

    There needs to be a DRM exception.

    And I'd rather not discuss the consequences of such an exception. ;-)

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.