India withdraws draft encryption policy

Mobile Internet
Following a public outcry, the government on Tuesday withdrew altogether the draft encryption policy. Earlier in the day, it exempted social media sites and apps users, as also net banking and password-based e-commerce, from saving data for 90 days from the date of transaction.

“There was concern about the draft in certain sections. When I went through the draft policy, I found that there were two-three words which were giving rise to unnecessary misgivings,” said Communications and IT Minister Ravi Shankar Prasad.

“Hence I have directed the department to withdraw the draft policy, review it and then make it clear that on whom it is applicable and on whom it is not,” he said.

“I want to make one thing clear, the people who use the social media – they will be out of the ambit of encryption. It concerns those who encrypt their messages,” he added.

Earlier in the day, in a clarification to what it called as Draft National Encryption Policy, the Department of Electronics and Information Technology said the following categories of encryption products were being exempted from its purview:

– The mass use encryption products, which are currently being used in web aplications, social media sites, and social media applications such as Whatsapp, Facebook, Twitter, etc.

– SSL/TLS (Secure Sockets Layer/ Transport Layer Security) encryption products being used in Internet-banking and payment gateways as directed by the Reserve Bank of India (RBI).

– SSL/TLS encryption products being used for e-commerce and password-based transactions.

“I want to make it very clear this draft policy is not the final view of the government. Our government is in favour of freedom of social media. But it is also a truth that cyber commerce, cyber dialogue and administrative work through cyber space has increased in the country,” Prasad said.

“In countries across the world, it has been felt that there should be an encryption policy. Hence an expert committee deliberated that there should be an encryption policy in India,” he added.

Earlier, the draft policy requirede every message that is sent, through e-mail, Whatsapp or SMS to be stored in plain text format for 90 days from the date of transaction and made available to the law enforcement agencies on demand.

The draft proposed to introduce a New Encryption Policy under Section 84A of the Information Technology Act, 2000, and called for public comments by Oct 16.

The stated mission of the policy is to provide confidentiality of information in cyber space for individuals, protect sensitive or proprietary information, ensure reliability and integrity of nationally-critical information systems and networks.

“On demand, the user shall be able to reproduce the same plain text and encrypted text pairs using the software or hardware used to produce the encrypted text from the given plain text,” the earlier draft said.

“Such plain text information shall be stored by the user or organisation or agency for 90 days from the date of transaction and made available to law enforcement agencies as and when demanded in line with the provisions of the laws of the country,” it added.