India’s Draft Encryption Policy: Too much, too early?

Backlash surrounding a proposed encryption law has come to the fore in India in recent weeks, with members of the Indian security apparatus pitted against multinational corporations and privacy advocates in a clash that could decide the future of India’s cybersecurity infrastructure. The draft policy, which was put forward by a committee of unidentified experts in the Department of Electronics and Information Technology in late September, was met with significant public outcry on the very online forums it sought to regulate. Just days later, India's Minister for Information Technology Ravi Shankar Prasad announced that the government was withdrawing the encryption policy and that, if it were to take effect, Indian and multinational social media giants like Viber, WhatsApp, and Facebook would be exempt. The policy leak was subject to hundreds of thousands of comments and re-posted repeatedly on social media, demonstrating an unprecedented level of citizen engagement and democratic participation.

The policy was initially mandated by the nation’s overhauled telecom legislation, passed in 2008, which called for parliament to establish "modes or methods for encryption" aimed at increasing general Indian cyber-security.

The full text of the amendment is as follows:

“All citizens (C), including personnel of Government / Business (G/B) performing non-official / personal functions, are required to store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country.”

If the amendment were passed, all Indian internet service and application providers would be obligated to preserve copies of communications sent over encrypted services. Foreign companies operating in India would be required to subject their software to scrutiny by Indian government agencies, a provision that was met with considerable international outcry from almost all international technology hyperscalers. Moreover, the draft policy would have required users of social messaging services to personally store and hand over unencrypted copies of their communications at the request of the police.

What would this policy actually mean for the average Indian? When a text or WhatsApp message is sent, service providers automatically encrypt the content of these messages, adding a layer of security and ensuring privacy. While this prevents hackers and other unauthorised parties from gaining access to private messages, it also limits the government's ability to monitor the content for terrorist threats and criminal network communications.

The policy has been met with such controversy in particular because it would require the average Indian citizen to store an unencrypted version of any message sent through a mobile phone for three months. While certain nongovernmental organizations acknowledge the need for Indian security officials to have access to some secure data, many argue that the proposed amendment in its current form is overly burdensome, invasive, and difficult to enforce. Some, like the Indian Data Security Council, even doubt that the measure will achieve its goal of bolstering cyber-security.

It is also hard to say what the actionable impact of amassing such a vast quantity of data would be, and even how it would be stored. Worse, transmitting and storing unencrypted personal data and communications without proper supporting security infrastructure could potentially open up the Indian government and citizens to a significant hacking threat.

This event is indicative of a larger trend across the developed and developing world. India is the latest country to balance the need to maintain national security against that of ensuring privacy and limiting burdensome regulation. Since Edward Snowden’s leaks about classified NSA operations in 2013, questions revolving around this tension between national security and private individuals and firms have become increasingly visible in countries across the globe. A similar policy is currently making its rounds in the British Parliament, and would require social messaging services to hand over their communications to the government, or potentially face a ban.

This is but one manifestation of India’s struggle between modernization and protecting national security in the technological age. The controversy cast a dark shadow over Prime Minister Modi’s recent trip to Silicon Valley, where he met with CEOs of large technology companies looking to increase their presence in India. In a similar struggle, Indian authorities have been reluctant to let foreign nuclear companies operate plants in India, despite a comprehensive nuclear agreement reached in 2005, for fear of nuclear accidents. In that case, and in this one, the Indian government has chosen to prioritize national security seemingly at the expense of its citizens and its business climate.

While India has begun to take its need to build a comprehensive national security apparatus seriously, it has considerable work to do in building a cohesive and effective cyber strategy. All prospects are not lost—the legislation is open to public comments until October 16, and citizen involvement might eventually sway the government to promote a more balanced, user-friendly policy in the long run.