[bestbits] Indian Encryption Policy

Raman Jit Singh Chima raman at accessnow.org
Mon Sep 21 15:46:12 EDT 2015 

Happy to add a few brief notes on the background to this if it is helpful:


   - The Indian Govt has had encryption policy discussions ongoing for
   about a decade. Pre-existing telecom sector regulation placed a limit of 40
   bits on the encryption that could be deployed by ISPs or telcos on their
   networks, though that arguably applied only to them directly and was
   unclear as to how it affected third parties
   - A provision in the Information Technology Act (Section 69) allowed the
   Union Government to issue orders forcing decryption of data in addition to
   allowing for interception requests. When the Information Technology Act was
   amended in 2008, another provision was added (Section 84A) which allowed
   the Union Government to specify "modes or methods for encryption" by
   executive rule-making. The text of the provision said that this was
   supposed to be for "secure use of the electronic medium and for promotion
   of e-governance and e-commerce". The internal political context for this
   included strong political pressure from law enforcement and the security
   establishment, who raised concerns about not being able to intercept
   encrypted communications
   - No rules for the above provision was publicly brought up from 2008
   until now, though there have been regular internal discussions - mostly
   with industry and intergovernmental consultation


Additionally - perhaps in response to the initial negative reaction in the
press - the Indian Dept. of Electronics and IT released an addendum document
<http://deity.gov.in/sites/upload_files/dit/files/Addendum%20-%20NEP-1_0.pdf>
today. It essentially appears to be trying to suggest that the draft rules
could exempt "mass use encryption products" along with SSL/TLS products
used for Internet banking (though only those specified by the Reserve Bank
of India) or for e-Commerce passwords.

Sincerely,
Raman.

On 22 September 2015 at 01:12, Mishi Choudhary <mishi at softwarefreedom.org>
wrote:

> Hi Carol,
>
> Thanks for highlighting this. Its a  draft National Encryption Policy
> and public comments are invited by October 16, 2015. Comments are to be
> emailed to Mr A,S.A. Krishnan,  akrishnan at deity.gov.in
>
> The key highlights of the policy are :
>
>
> 1. A stipulation that businesses and citizens are to maintain plain text
> (unencrypted) copies of encrypted content for a period of 90 days, to be
> made available to Law Enforcement Agencies (LEAs) when so directed under
> law.
>
> 2. Vendors of encryption products are required to register their
> products with the Government as a pre-condition to conducting business
> in India. They are also expected to re-register their products with
> every update. This requirement is not limited to vendors of dedicated
> encryption products, and seemingly includes even products that use
> encryption in the course of providing a larger service such as messaging
> or e-commerce. (Service  Providers located  within  and
> outside  India, using  Encryption  technology  for providing any type of
>  services in India must enter  into an agreement with the Government
> for providing such  services in India).
>
> 3. Encryption   algorithms   and key   sizes shall be prescribed
> by   the Government through Notifications from time to time.
>
>
> On 09/21/2015 03:33 PM, Carolina Rossini wrote:
> > Hi folks, I feel this could be a good topic for a coalition response
> through the BB platform. Can the folks for India give some context to the
> folks in this list? Let us know if such an action would be helpful.
> >
> > Carol
> >
> > Sent from my iPhone
> >
> >> On Sep 21, 2015, at 2:24 PM, Mishi Choudhary <mishi at softwarefreedom.org>
> wrote:
> >>
> >> Worrisome development from India through this encryption policy
> >>
> >>
> >>
> http://deity.gov.in/sites/upload_files/dit/files/draft%20Encryption%20Policyv1.pdf
> >>
> >> --
> >> Warm Regards
> >> Mishi Choudhary, Esq.
> >> Legal Director
> >> Software Freedom Law Center
> >> 1995 Broadway Floor 17
> >> New York, NY-10023
> >> (tel) 212-461-1912
> >> (fax) 212-580-0898
> >> www.softwarefreedom.org
> >>
> >>
> >> Executive Director
> >> SFLC.IN
> >> K-9, Second Floor
> >> Jangpura Extn.
> >> New Delhi-110014
> >> (tel) +91-11-43587126
> >> (fax) +91-11-24323530
> >> www.sflc.in
> >>
> >> ____________________________________________________________
> >> You received this message as a subscriber on the list:
> >>     bestbits at lists.bestbits.net.
> >> To unsubscribe or change your settings, visit:
> >>     http://lists.bestbits.net/wws/info/bestbits
> >>
> >>
> >> ____________________________________________________________
> >> You received this message as a subscriber on the list:
> >>      bestbits at lists.bestbits.net.
> >> To unsubscribe or change your settings, visit:
> >>      http://lists.bestbits.net/wws/info/bestbits
>
> --
> Warm Regards
> Mishi Choudhary, Esq.
> Legal Director
> Software Freedom Law Center
> 1995 Broadway Floor 17
> New York, NY-10023
> (tel) 212-461-1912
> (fax) 212-580-0898
> www.softwarefreedom.org
>
>
> Executive Director
> SFLC.IN
> K-9, Second Floor
> Jangpura Extn.
> New Delhi-110014
> (tel) +91-11-43587126
> (fax) +91-11-24323530
> www.sflc.in
>
>
> ____________________________________________________________
> You received this message as a subscriber on the list:
>      bestbits at lists.bestbits.net.
> To unsubscribe or change your settings, visit:
>      http://lists.bestbits.net/wws/info/bestbits
>



-- 
*Raman Jit Singh Chima*
Policy Director
Access | accessnow.org

Email: raman at accessnow.org
Skype: raman.chima
PGP ID: 0x2A186000

*Join the Access team - *we're hiring <https://www.accessnow.org/about/jobs>
!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.igcaucus.org/pipermail/bestbits/attachments/20150922/a4d42434/attachment.htm>

More information about the Bestbits mailing list