India's Government Looking At Mandating Backdoors In Encryption

from the selling-out-the-people-for-the-good-of-the-people dept

Here in the US, the FBI really really really wants to be able to let itself in your backdoor if it feels the urge to paw through your personal communications. (Perhaps the FBI's lack of respect for encryption is due to its own unwillingness to encrypt its communications...) Congress isn't pushing this forward and the administration has indicated it won't back an encryption backdoor mandate. Over in Europe, a mixed bag of terrorism-related legislation is going the other way, pushing for "good guys only" holes in encryption, with any negative use by criminals and foreign governments apparently being the price that must be paid to secure whatever liberty still remains once the "securing" is completed.

India's government -- never one to shy away from overreach, censorship or other bad ideas -- similarly sees encryption backdoors as A Good Thing. A draft proposal from India Department of Electronics and Technology, posted by essential government doc stash Public Intelligence, indicates that the government may be looking to mandate a variety of encryption backdoors in the near future.

It starts out with some positive thinking…

The recognition of the need to protect privacy and increase the security of the Internet and associated information systems have resulted in the development of policies that favour the spread of encryption worldwide. The Information Technology Act 2000 provides for prescribing modes or methods for encryption (Section 84A) and for decryption (Section 69). Taking into account the need to protect information assets, international trends and concerns of national security, the cryptographic policy for domestic use supports the broad use of cryptography in ways that facilitates individual / businesses privacy, international economic competitiveness in all sectors including Government.
...before cutting the floor away entirely.
This policy is not applicable to sensitive departments / agencies of the government designated for performing sensitive and strategic roles. This policy is applicable to all Central and State Government Departments (including sensitive Departments / Agencies while performing non-strategic & non-operational role), all statutory organizations, executive bodies, business and commercial establishments, including public sector undertakings and academic institutions and all citizens (including Personnel of Government / Business performing non-official / personal functions).
The "policy" is mandated backdoors -- not for "sensitive" and "strategic" government agencies, but for everyone else, from other government agencies to "all citizens."

The suggested policy splits up the country's population in three groups, with businesses and citizens designated as "B" and "C." The government says, yes, use encryption for better privacy and security... but don't lock us out.
B / C groups (i.e. B2C, C2B Sectors) may use Encryption for storage and communication. Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time. On demand, the user shall reproduce the same Plain text and encrypted text pairs using the software / hardware used to produce the encrypted text from the given plain text. All information shall be stored by the concerned B / C entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country. In case of communication with foreign entity, the primary responsibility of providing readable plain-text along with the corresponding Encrypted information shall rest on entity (B or C) located in India.
And any ISP looking to provide service in India -- including those not actually located in India -- is expected to give the government access to encrypted transmissions.
Service Providers located within and outside India, using Encryption technology for providing any type of services in India must enter into an agreement with the Government for providing such services in India. Government will designate an appropriate agency for entering into such an agreement with the Service provider located within and outside India. The users of any group G,B or C taking such services from Service Providers . are also responsible to provide plain text when demanded.
On top of that, creators of encryption products would be required to register with the government and submit to a "security evaluation." Presumably, the evaluation will include discussion of where to best place backdoors and/or involve a handover of Golden Keys.

The proposal also suggests the government take a more active role in the development of "indigenous" encryption products. While not specifically detailed in the draft, one assumes any government-produced, pre-compromised encryption products will make their debut accompanied by mandates requiring use going forward, if not retroactively as well.

For what it's worth, the Indian government is accepting comments on the proposed policy until October 16th. Presumably, the draft will move forward despite any negative feedback, given the country's track record on internet freedom and human rights. Factor in the threat of terrorism, and there's very little chance the government won't find some way to push this through mostly unaltered.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Michael, 21 Sep 2015 @ 10:49am

    How long until we see an encryption scheme that produces one text if decrypted with one set of keys and another text (presumably the ACTUAL information) with another set of keys?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 Sep 2015 @ 11:03am

      Re:

      It already exists, it is called a one time pad. It has the property that it is always possible to generate a key that gives any message desired of the same length as the encrypted text.

      reply to this | link to this | view in chronology ]

  • identicon
    Scote, 21 Sep 2015 @ 10:50am

    So, the Indian government proposes a caste system for who will be allowed to use encryption...

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Sep 2015 @ 10:54am

    Remember this when contacting customer service

    reply to this | link to this | view in chronology ]

    • identicon
      Michael, 21 Sep 2015 @ 10:55am

      Re:

      I can't remember anything when contacting customer service, I am too busy trying to figure out what the heck they are saying.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Sep 2015 @ 11:05am

    Loophole

    On demand, the user shall reproduce the same Plain text and encrypted text pairs using the software / hardware used to produce the encrypted text from the given plain text.
    With public key cryptography, it would be really easy to make sure the "software / hardware used to produce the encrypted text" has no ability to decrypt.

    reply to this | link to this | view in chronology ]

  • icon
    Uriel-238 (profile), 21 Sep 2015 @ 11:40am

    Actually India is doing a service...

    ...for the rest of us...

    ...by providing a cautionary tale to which we can point when our administrators demand the same thing.

    reply to this | link to this | view in chronology ]

    • icon
      That One Guy (profile), 21 Sep 2015 @ 7:02pm

      Re: Actually India is doing a service...

      If only. Other governments want to crack encryption too much to pay attention to what happens when it actually happens, so they'd just claim that "India did it wrong, if we were the ones running the mandatory broken encryption, then it would have worked."

      reply to this | link to this | view in chronology ]

  • icon
    Uriel-238 (profile), 21 Sep 2015 @ 11:44am

    Well this may also inspire public use of encryption with plausible deniability features.

    That is encryption steganographed into unused hard-drive sectors.

    What's better than having your data encrypted? Having your data encrypted in a way that doesn't look like encrypted data.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Sep 2015 @ 12:22pm

    Good luck with that.

    reply to this | link to this | view in chronology ]

  • icon
    Blackfiredragon13 (profile), 21 Sep 2015 @ 12:31pm

    The only positive

    At least they're not looking to backdoor all encryption, just encryption for their citizens and businesses.
    P.s out of curiosity how does TD do formatting? I'd take a shot in the dark and guess it uses the same one reddit does?

    reply to this | link to this | view in chronology ]

  • icon
    Arthur (profile), 21 Sep 2015 @ 1:23pm

    Wait for it

    Aaaannd...
    India drops off the Internet.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Sep 2015 @ 2:12pm

    HTTPS Everywhere

    should go a long way to fixing this problem.

    If Indians can't access Google, Wikipedia, Facebook, ... they're going to go as Internet dark as those iconic pictures of North Korea.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Sep 2015 @ 2:29pm

    Economic Consequences

    I can't wait for software solutions that come from India.

    /sarc

    reply to this | link to this | view in chronology ]

    • icon
      MrTroy (profile), 21 Sep 2015 @ 10:28pm

      Re: Economic Consequences

      And that's where this whole thing is going to fall down. In the same way that China can't block access to Github, India can't do anything that would kill software development or call centre outsourcing.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Sep 2015 @ 6:13pm

    International laws

    The Internet was supposed to connect people on a global scale; to give everyone - no matter where they are in the world - access to information and the ability to communicate. For the most part, it's achieved that.

    It's perhaps ironic that if the Internet is involved, governments feel they have the right to push their laws over the entire world as well. Obvious examples: copyright, right to be 'forgotten'. Now India is in on it:
    And any ISP looking to provide service in India -- including those not actually located in India -- is expected to give the government access to encrypted transmissions.

    The overly broad interpretation of this (I understand it's praphrased) is that if a person in America sends a message to a person in Britain via an ISP that offers services to India, then the Indian government feels they have the right to access that message. Never mind that the data never went to India in the first place.

    Perhaps this is why more and more governments want data stored in the same country as the user, so they can claim local laws apply to local data. (China, Russia)

    What's better than having your data encrypted? Having your data encrypted in a way that doesn't look like encrypted data.

    Properly encrypted data is indistinguishable from random data. Indeed, if the data is not random (e.g. it has patterns or repeated sequences), this indicates possible flaws in the encryption.
    A better example is trying to mask the encrypted data so it looks normal, e.g. as with Tor's Obfsproxy. It's a subtle distinguishment, but it's important.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Sep 2015 @ 8:07pm

    Dear India:

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 Sep 2015 @ 8:09pm

      Re: Dear India:

      Whoops, hit enter without a comment.

      Anyways...

      Dear India,
      If you are okay with a US citizen such as myself having the backdoor keys to your country's citizens' encryption, then by all means go ahead and mandate it.

      Sincerely,
      There-are-no-secure-back-doors.

      reply to this | link to this | view in chronology ]

      • icon
        That One Guy (profile), 22 Sep 2015 @ 7:03am

        Re: Re: Dear India:

        You forgot to include the excuse they trot out in defense of breaking encryption, 'I promise not to use the key unless I really, really need(or want) to'.

        reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Special Affiliate Offer

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.