India's Government Looking At Mandating Backdoors In Encryption
from the selling-out-the-people-for-the-good-of-the-people dept
Here in the US, the FBI really really really wants to be able to let itself in your backdoor if it feels the urge to paw through your personal communications. (Perhaps the FBI’s lack of respect for encryption is due to its own unwillingness to encrypt its communications…) Congress isn’t pushing this forward and the administration has indicated it won’t back an encryption backdoor mandate. Over in Europe, a mixed bag of terrorism-related legislation is going the other way, pushing for “good guys only” holes in encryption, with any negative use by criminals and foreign governments apparently being the price that must be paid to secure whatever liberty still remains once the “securing” is completed.
India’s government — never one to shy away from overreach, censorship or other bad ideas — similarly sees encryption backdoors as A Good Thing. A draft proposal from India’s Department of Electronics and Technology, posted by essential government doc stash Public Intelligence, indicates that the government may be looking to mandate a variety of encryption backdoors in the near future.
It starts out with some positive thinking…
The recognition of the need to protect privacy and increase the security of the Internet and associated information systems have resulted in the development of policies that favour the spread of encryption worldwide. The Information Technology Act 2000 provides for prescribing modes or methods for encryption (Section 84A) and for decryption (Section 69). Taking into account the need to protect information assets, international trends and concerns of national security, the cryptographic policy for domestic use supports the broad use of cryptography in ways that facilitates individual / businesses privacy, international economic competitiveness in all sectors including Government.
…before cutting the floor away entirely.
This policy is not applicable to sensitive departments / agencies of the government designated for performing sensitive and strategic roles. This policy is applicable to all Central and State Government Departments (including sensitive Departments / Agencies while performing non-strategic & non-operational role), all statutory organizations, executive bodies, business and commercial establishments, including public sector undertakings and academic institutions and all citizens (including Personnel of Government / Business performing non-official / personal functions).
The “policy” is mandated backdoors — not for “sensitive” and “strategic” government agencies, but for everyone else, from other government agencies to “all citizens.”
The suggested policy splits the country’s population into three groups (government, business and citizen), with businesses and citizens designated as “B” and “C.” The government says, yes, use encryption for better privacy and security… but don’t lock us out.
B / C groups (i.e. B2C, C2B Sectors) may use Encryption for storage and communication. Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time. On demand, the user shall reproduce the same Plain text and encrypted text pairs using the software / hardware used to produce the encrypted text from the given plain text. All information shall be stored by the concerned B / C entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country. In case of communication with foreign entity, the primary responsibility of providing readable plain-text along with the corresponding Encrypted information shall rest on entity (B or C) located in India.
And any ISP looking to provide service in India — including those not actually located in India — is expected to give the government access to encrypted transmissions.
Service Providers located within and outside India, using Encryption technology for providing any type of services in India must enter into an agreement with the Government for providing such services in India. Government will designate an appropriate agency for entering into such an agreement with the Service provider located within and outside India. The users of any group G, B or C taking such services from Service Providers are also responsible to provide plain text when demanded.
On top of that, creators of encryption products would be required to register with the government and submit to a “security evaluation.” Presumably, the evaluation will include discussion of where to best place backdoors and/or involve a handover of Golden Keys.
The proposal also suggests the government take a more active role in the development of “indigenous” encryption products. While not specifically detailed in the draft, one assumes any government-produced, pre-compromised encryption products will make their debut accompanied by mandates requiring use going forward, if not retroactively as well.
For what it’s worth, the Indian government is accepting comments on the proposed policy until October 16th. Presumably, the draft will move forward despite any negative feedback, given the country’s track record on internet freedom and human rights. Factor in the threat of terrorism, and there’s very little chance the government won’t find some way to push this through mostly unaltered.
Filed Under: backdoors, encryption, going dark, india, mandates
Comments on “India's Government Looking At Mandating Backdoors In Encryption”
How long until we see an encryption scheme that produces one text if decrypted with one set of keys and another text (presumably the ACTUAL information) with another set of keys?
Re: Re:
It already exists, it is called a one time pad. It has the property that it is always possible to generate a key that gives any message desired of the same length as the encrypted text.
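The one-time-pad property described in the reply above, as an added example that is not part of the original comment or the article. The message strings are constructed samples, and the function names (`otp_encrypt`, `key_for_plaintext`, `demo`) are this example’s own; no real cipher library is involved, because a pad is only an XOR:

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; a one-time pad is exactly this operation."""
    if len(a) != len(b):
        raise ValueError("one-time pad needs key and text of equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    return xor_bytes(plaintext, key)


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return xor_bytes(ciphertext, key)


def key_for_plaintext(ciphertext: bytes, desired_plaintext: bytes) -> bytes:
    """Return the pad under which `ciphertext` decrypts to `desired_plaintext`.

    Because c = p XOR k, every same-length p' has a matching pad k' = c XOR p'.
    Nothing in the ciphertext itself tells an examiner which pad is the real one.
    """
    return xor_bytes(ciphertext, desired_plaintext)


def demo() -> dict:
    # Constructed sample messages; both are 25 bytes so the same ciphertext fits.
    real = b"meet at the old mill at 9"
    cover = b"happy birthday to you all"
    if len(real) != len(cover):
        raise ValueError("cover story must match the real message length")
    key = secrets.token_bytes(len(real))  # the genuine pad: fresh random bytes
    ct = otp_encrypt(real, key)
    fake_key = key_for_plaintext(ct, cover)  # a second pad that "proves" the cover story
    return {
        "ciphertext_hex": ct.hex(),
        "with_real_key": otp_decrypt(ct, key),
        "with_fake_key": otp_decrypt(ct, fake_key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")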
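```

The same arithmetic that lets the holder hand over a plausible plaintext/ciphertext pair on demand also means a pad on its own gives no integrity: anyone who can guess the plaintext can flip chosen bits of it by flipping the corresponding ciphertext bits, so real deployments pair the pad (or any stream cipher) with an authentication tag.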
So, the Indian government proposes a caste system for who will be allowed to use encryption…
Re: Re:
No, they are proposing a caste system to determine who gets “backdoored”.
And as per the usual caste system, it’s “everyone but us”.
Re: Re: Re:
I hope they are still able to sit down after all that “backdooring”.
Remember this when contacting customer service
Re: Re:
I can’t remember anything when contacting customer service, I am too busy trying to figure out what the heck they are saying.
Loophole
With public key cryptography, it would be really easy to make sure the “software / hardware used to produce the encrypted text” has no ability to decrypt.
Actually India is doing a service...
…for the rest of us…
…by providing a cautionary tale to which we can point when our administrators demand the same thing.
Re: Actually India is doing a service...
If only. Other governments want to crack encryption too much to pay attention to what happens when it actually happens, so they’d just claim that “India did it wrong, if we were the ones running the mandatory broken encryption, then it would have worked.”
Well this may also inspire public use of encryption with plausible deniability features.
That is encryption steganographed into unused hard-drive sectors.
What’s better than having your data encrypted? Having your data encrypted in a way that doesn’t look like encrypted data.
Good luck with that.
The only positive
At least they’re not looking to backdoor all encryption, just encryption for their citizens and businesses.
P.S. Out of curiosity, how does TD do formatting? I’d take a shot in the dark and guess it uses the same one reddit does?
Re: The only positive
If you meant formatting for comments, TD uses some HTML tags. The allowed ones are listed below the comment window.
Re: Re: The only positive
Ok I’m blind.
Wait for it
Aaaannd…
India drops off the Internet.
HTTPS Everywhere
should go a long way to fixing this problem.
If Indians can’t access Google, Wikipedia, Facebook, … they’re going to go as Internet dark as those iconic pictures of North Korea.
Economic Consequences
I can’t wait for software solutions that come from India.
/sarc
Re: Economic Consequences
And that’s where this whole thing is going to fall down. In the same way that China can’t block access to Github, India can’t do anything that would kill software development or call centre outsourcing.
International laws
The Internet was supposed to connect people on a global scale; to give everyone – no matter where they are in the world – access to information and the ability to communicate. For the most part, it’s achieved that.
It’s perhaps ironic that if the Internet is involved, governments feel they have the right to push their laws over the entire world as well. Obvious examples: copyright, right to be ‘forgotten’. Now India is in on it:
And any ISP looking to provide service in India — including those not actually located in India — is expected to give the government access to encrypted transmissions.
The overly broad interpretation of this (I understand it’s paraphrased) is that if a person in America sends a message to a person in Britain via an ISP that offers services to India, then the Indian government feels they have the right to access that message. Never mind that the data never went to India in the first place.
Perhaps this is why more and more governments want data stored in the same country as the user, so they can claim local laws apply to local data. (China, Russia)
Properly encrypted data is indistinguishable from random data. Indeed, if the data is not random (e.g. it has patterns or repeated sequences), this indicates possible flaws in the encryption.
A better example is trying to mask the encrypted data so it looks normal, e.g. as with Tor’s Obfsproxy. It’s a subtle distinguishment, but it’s important.
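The distinction the comment above draws, as an added example that is not from the original page or its commenters: ciphertext from a sound cipher has a flat byte histogram, so a scanner can flag it with an entropy estimate, and an obfuscation layer that re-encodes the same bytes into a narrower alphabet defeats that naive check. `shannon_entropy`, `looks_encrypted` and the 7.5-bit threshold are this example’s own assumptions; fresh random bytes stand in for ciphertext because no real cipher is invoked, and the text sample is constructed from the policy excerpt quoted in the article:

```python
import base64
import math
import secrets
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Estimated bits of entropy per byte from the byte histogram (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Naive heuristic a file or traffic scanner might use: near-uniform bytes
    mean ciphertext, compressed data or random padding. The threshold is an
    assumption of this example, not a standard value."""
    return shannon_entropy(data) >= threshold


# Constructed plaintext sample: ordinary English prose.
PLAINTEXT = (
    b"The recognition of the need to protect privacy and increase the security "
    b"of the Internet and associated information systems have resulted in the "
    b"development of policies that favour the spread of encryption worldwide. "
) * 8


def demo() -> dict:
    # Random bytes model what a good cipher's output looks like to an observer.
    random_blob = secrets.token_bytes(4096)
    # Re-encoding into a 64-symbol alphabet keeps the content but caps the
    # per-byte entropy at 6 bits, so the entropy heuristic no longer fires.
    encoded = base64.b64encode(random_blob)
    return {
        "plaintext": (shannon_entropy(PLAINTEXT), looks_encrypted(PLAINTEXT)),
        "random": (shannon_entropy(random_blob), looks_encrypted(random_blob)),
        "base64_random": (shannon_entropy(encoded), looks_encrypted(encoded)),
    }


if __name__ == "__main__":
    for name, (bits, flagged) in demo().items():
        print(f"{name:14s} {bits:.2f} bits/byte  flagged={flagged}")
```

The point for a defender is that entropy alone only separates "looks random" from "looks structured"; a transport that wraps ciphertext in something structured (which is what the obfuscation tools the comment mentions aim for) needs protocol-level rather than byte-level detection.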
Dear India:
Re: Dear India:
Whoops, hit enter without a comment.
Anyways…
Dear India,
If you are okay with a US citizen such as myself having the backdoor keys to your country’s citizens’ encryption, then by all means go ahead and mandate it.
Sincerely,
There-are-no-secure-back-doors.
Re: Re: Dear India:
You forgot to include the excuse they trot out in defense of breaking encryption, ‘I promise not to use the key unless I really, really need(or want) to’.