India's Government Looking At Mandating Backdoors In Encryption

from the selling-out-the-people-for-the-good-of-the-people dept

Here in the US, the FBI really really really wants to be able to let itself in your backdoor if it feels the urge to paw through your personal communications. (Perhaps the FBI’s lack of respect for encryption is due to its own unwillingness to encrypt its communications…) Congress isn’t pushing this forward and the administration has indicated it won’t back an encryption backdoor mandate. Over in Europe, a mixed bag of terrorism-related legislation is going the other way, pushing for “good guys only” holes in encryption, with any negative use by criminals and foreign governments apparently being the price that must be paid to secure whatever liberty still remains once the “securing” is completed.

India’s government — never one to shy away from overreach, censorship or other bad ideas — similarly sees encryption backdoors as A Good Thing. A draft proposal from India’s Department of Electronics and Technology, posted by essential government doc stash Public Intelligence, indicates that the government may be looking to mandate a variety of encryption backdoors in the near future.

It starts out with some positive thinking…

The recognition of the need to protect privacy and increase the security of the Internet and associated information systems have resulted in the development of policies that favour the spread of encryption worldwide. The Information Technology Act 2000 provides for prescribing modes or methods for encryption (Section 84A) and for decryption (Section 69). Taking into account the need to protect information assets, international trends and concerns of national security, the cryptographic policy for domestic use supports the broad use of cryptography in ways that facilitates individual / businesses privacy, international economic competitiveness in all sectors including Government.

…before cutting the floor away entirely.

This policy is not applicable to sensitive departments / agencies of the government designated for performing sensitive and strategic roles. This policy is applicable to all Central and State Government Departments (including sensitive Departments / Agencies while performing non-strategic & non-operational role), all statutory organizations, executive bodies, business and commercial establishments, including public sector undertakings and academic institutions and all citizens (including Personnel of Government / Business performing non-official / personal functions).

The “policy” is mandated backdoors — not for “sensitive” and “strategic” government agencies, but for everyone else, from other government agencies to “all citizens.”

The suggested policy splits up the country’s population into three groups, with businesses and citizens designated as “B” and “C.” The government says, yes, use encryption for better privacy and security… but don’t lock us out.

B / C groups (i.e. B2C, C2B Sectors) may use Encryption for storage and communication. Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time. On demand, the user shall reproduce the same Plain text and encrypted text pairs using the software / hardware used to produce the encrypted text from the given plain text. All information shall be stored by the concerned B / C entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country. In case of communication with foreign entity, the primary responsibility of providing readable plain-text along with the corresponding Encrypted information shall rest on entity (B or C) located in India.

And any ISP looking to provide service in India — including those not actually located in India — is expected to give the government access to encrypted transmissions.

Service Providers located within and outside India, using Encryption technology for providing any type of services in India must enter into an agreement with the Government for providing such services in India. Government will designate an appropriate agency for entering into such an agreement with the Service provider located within and outside India. The users of any group G, B or C taking such services from Service Providers are also responsible to provide plain text when demanded.

On top of that, creators of encryption products would be required to register with the government and submit to a “security evaluation.” Presumably, the evaluation will include discussion of where to best place backdoors and/or involve a handover of Golden Keys.

The proposal also suggests the government take a more active role in the development of “indigenous” encryption products. While not specifically detailed in the draft, one assumes any government-produced, pre-compromised encryption products will make their debut accompanied by mandates requiring use going forward, if not retroactively as well.

For what it’s worth, the Indian government is accepting comments on the proposed policy until October 16th. Presumably, the draft will move forward despite any negative feedback, given the country’s track record on internet freedom and human rights. Factor in the threat of terrorism, and there’s very little chance the government won’t find some way to push this through mostly unaltered.


Comments on “India's Government Looking At Mandating Backdoors In Encryption”

Anonymous Coward says:

International laws

The Internet was supposed to connect people on a global scale; to give everyone – no matter where they are in the world – access to information and the ability to communicate. For the most part, it’s achieved that.

It’s perhaps ironic that if the Internet is involved, governments feel they have the right to push their laws over the entire world as well. Obvious examples: copyright, right to be ‘forgotten’. Now India is in on it:
And any ISP looking to provide service in India — including those not actually located in India — is expected to give the government access to encrypted transmissions.

The overly broad interpretation of this (I understand it’s paraphrased) is that if a person in America sends a message to a person in Britain via an ISP that offers services to India, then the Indian government feels they have the right to access that message. Never mind that the data never went to India in the first place.

Perhaps this is why more and more governments want data stored in the same country as the user, so they can claim local laws apply to local data. (China, Russia)

What’s better than having your data encrypted? Having your data encrypted in a way that doesn’t look like encrypted data.

Properly encrypted data is indistinguishable from random data. Indeed, if the data is not random (e.g. it has patterns or repeated sequences), this indicates possible flaws in the encryption.
A better example is trying to mask the encrypted data so it looks normal, e.g. as with Tor’s Obfsproxy. It’s a subtle distinguishment, but it’s important.
