[bestbits] Update: Indian Encryption Policy
Mishi Choudhary
mishi at softwarefreedom.org
Tue Sep 22 11:03:21 EDT 2015
Post a public outcry, DEITY has withdrawn this policy.
On 09/21/2015 03:46 PM, Raman Jit Singh Chima wrote:
> Happy to add a few brief notes on the background to this if it is helpful:
>
>
> - The Indian Govt has had encryption policy discussions ongoing for
> about a decade. Pre-existing telecom sector regulation placed a limit of 40
> bits on the encryption that could be deployed by ISPs or telcos on their
> networks, though that arguably applied only to them directly and was
> unclear as to how it affected third parties
> - A provision in the Information Technology Act (Section 69) allowed the
> Union Government to issue orders forcing decryption of data in addition to
> allowing for interception requests. When the Information Technology Act was
> amended in 2008, another provision was added (Section 84A) which allowed
> the Union Government to specify "modes or methods for encryption" by
> executive rule-making. The text of the provision said that this was
> supposed to be for "secure use of the electronic medium and for promotion
> of e-governance and e-commerce". The internal political context for this
> included strong political pressure from law enforcement and the security
> establishment, who raised concerns about not being able to intercept
> encrypted communications
> - No rules for the above provision was publicly brought up from 2008
> until now, though there have been regular internal discussions - mostly
> with industry and intergovernmental consultation
>
>
> Additionally - perhaps in response to the initial negative reaction in the
> press - the Indian Dept. of Electronics and IT released an addendum document
> <http://deity.gov.in/sites/upload_files/dit/files/Addendum%20-%20NEP-1_0.pdf>
> today. It essentially appears to be trying to suggest that the draft rules
> could exempt "mass use encryption products" along with SSL/TLS products
> used for Internet banking (though only those specified by the Reserve Bank
> of India) or for e-Commerce passwords.
>
> Sincerely,
> Raman.
>
> On 22 September 2015 at 01:12, Mishi Choudhary <mishi at softwarefreedom.org>
> wrote:
>
>> Hi Carol,
>>
>> Thanks for highlighting this. Its a draft National Encryption Policy
>> and public comments are invited by October 16, 2015. Comments are to be
>> emailed to Mr A,S.A. Krishnan, akrishnan at deity.gov.in
>>
>> The key highlights of the policy are :
>>
>>
>> 1. A stipulation that businesses and citizens are to maintain plain text
>> (unencrypted) copies of encrypted content for a period of 90 days, to be
>> made available to Law Enforcement Agencies (LEAs) when so directed under
>> law.
>>
>> 2. Vendors of encryption products are required to register their
>> products with the Government as a pre-condition to conducting business
>> in India. They are also expected to re-register their products with
>> every update. This requirement is not limited to vendors of dedicated
>> encryption products, and seemingly includes even products that use
>> encryption in the course of providing a larger service such as messaging
>> or e-commerce. (Service Providers located within and
>> outside India, using Encryption technology for providing any type of
>> services in India must enter into an agreement with the Government
>> for providing such services in India).
>>
>> 3. Encryption algorithms and key sizes shall be prescribed
>> by the Government through Notifications from time to time.
>>
>>
>> On 09/21/2015 03:33 PM, Carolina Rossini wrote:
>>> Hi folks, I feel this could be a good topic for a coalition response
>> through the BB platform. Can the folks for India give some context to the
>> folks in this list? Let us know if such an action would be helpful.
>>>
>>> Carol
>>>
>>> Sent from my iPhone
>>>
>>>> On Sep 21, 2015, at 2:24 PM, Mishi Choudhary <mishi at softwarefreedom.org>
>> wrote:
>>>>
>>>> Worrisome development from India through this encryption policy
>>>>
>>>>
>>>>
>> http://deity.gov.in/sites/upload_files/dit/files/draft%20Encryption%20Policyv1.pdf
>>>>
>>>> --
>>>> Warm Regards
>>>> Mishi Choudhary, Esq.
>>>> Legal Director
>>>> Software Freedom Law Center
>>>> 1995 Broadway Floor 17
>>>> New York, NY-10023
>>>> (tel) 212-461-1912
>>>> (fax) 212-580-0898
>>>> www.softwarefreedom.org
>>>>
>>>>
>>>> Executive Director
>>>> SFLC.IN
>>>> K-9, Second Floor
>>>> Jangpura Extn.
>>>> New Delhi-110014
>>>> (tel) +91-11-43587126
>>>> (fax) +91-11-24323530
>>>> www.sflc.in
>>>>
>>>> ____________________________________________________________
>>>> You received this message as a subscriber on the list:
>>>> bestbits at lists.bestbits.net.
>>>> To unsubscribe or change your settings, visit:
>>>> http://lists.bestbits.net/wws/info/bestbits
>>>>
>>>>
>>>> ____________________________________________________________
>>>> You received this message as a subscriber on the list:
>>>> bestbits at lists.bestbits.net.
>>>> To unsubscribe or change your settings, visit:
>>>> http://lists.bestbits.net/wws/info/bestbits
>>
>> --
>> Warm Regards
>> Mishi Choudhary, Esq.
>> Legal Director
>> Software Freedom Law Center
>> 1995 Broadway Floor 17
>> New York, NY-10023
>> (tel) 212-461-1912
>> (fax) 212-580-0898
>> www.softwarefreedom.org
>>
>>
>> Executive Director
>> SFLC.IN
>> K-9, Second Floor
>> Jangpura Extn.
>> New Delhi-110014
>> (tel) +91-11-43587126
>> (fax) +91-11-24323530
>> www.sflc.in
>>
>>
>> ____________________________________________________________
>> You received this message as a subscriber on the list:
>> bestbits at lists.bestbits.net.
>> To unsubscribe or change your settings, visit:
>> http://lists.bestbits.net/wws/info/bestbits
>>
>
>
>
--
Warm Regards
Mishi Choudhary, Esq.
Legal Director
Software Freedom Law Center
1995 Broadway Floor 17
New York, NY-10023
(tel) 212-461-1912
(fax) 212-580-0898
www.softwarefreedom.org
Executive Director
SFLC.IN
K-9, Second Floor
Jangpura Extn.
New Delhi-110014
(tel) +91-11-43587126
(fax) +91-11-24323530
www.sflc.in
More information about the Bestbits
mailing list