from the selling-out-the-people-for-the-good-of-the-people dept
Here in the US, the FBI really really really wants to be able to let itself in your backdoor if it feels the urge to paw through your personal communications. (Perhaps the FBI's lack of respect for encryption is due to its own unwillingness to encrypt its communications...) Congress isn't pushing this forward and the administration has indicated it won't back an encryption backdoor mandate. Over in Europe, a mixed bag of terrorism-related legislation is going the other way, pushing for "good guys only" holes in encryption, with any negative use by criminals and foreign governments apparently being the price that must be paid to secure whatever liberty still remains once the "securing" is completed.
India's government -- never one to shy away from overreach, censorship or other bad ideas -- similarly sees encryption backdoors as A Good Thing. A draft proposal from India's Department of Electronics and Technology, posted by essential government doc stash Public Intelligence, indicates that the government may be looking to mandate a variety of encryption backdoors in the near future.
It starts out with some positive thinking…
The recognition of the need to protect privacy and increase the security of the Internet and associated information systems have resulted in the development of policies that favour the spread of encryption worldwide. The Information Technology Act 2000 provides for prescribing modes or methods for encryption (Section 84A) and for decryption (Section 69). Taking into account the need to protect information assets, international trends and concerns of national security, the cryptographic policy for domestic use supports the broad use of cryptography in ways that facilitates individual / businesses privacy, international economic competitiveness in all sectors including Government.
...before cutting the floor away entirely.
This policy is not applicable to sensitive departments / agencies of the government designated for performing sensitive and strategic roles. This policy is applicable to all Central and State Government Departments (including sensitive Departments / Agencies while performing non-strategic & non-operational role), all statutory organizations, executive bodies, business and commercial establishments, including public sector undertakings and academic institutions and all citizens (including Personnel of Government / Business performing non-official / personal functions).
The "policy" is mandated backdoors -- not for "sensitive" and "strategic" government agencies, but for everyone else, from other government agencies to "all citizens."
The suggested policy splits up the country's population into three groups, with businesses and citizens designated as "B" and "C." The government says, yes, use encryption for better privacy and security... but don't lock us out.
B / C groups (i.e. B2C, C2B Sectors) may use Encryption for storage and communication. Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time. On demand, the user shall reproduce the same Plain text and encrypted text pairs using the software / hardware used to produce the encrypted text from the given plain text. All information shall be stored by the concerned B / C entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country. In case of communication with foreign entity, the primary responsibility of providing readable plain-text along with the corresponding Encrypted information shall rest on entity (B or C) located in India.
And any ISP looking to provide service in India -- including those not actually located in India -- is expected to give the government access to encrypted transmissions.
Service Providers located within and outside India, using Encryption technology for providing any type of services in India must enter into an agreement with the Government for providing such services in India. Government will designate an appropriate agency for entering into such an agreement with the Service provider located within and outside India. The users of any group G,B or C taking such services from Service Providers are also responsible to provide plain text when demanded.
On top of that, creators of encryption products would be required to register with the government and submit to a "security evaluation." Presumably, the evaluation will include discussion of where to best place backdoors and/or involve a handover of Golden Keys.
The proposal also suggests the government take a more active role in the development of "indigenous" encryption products. While not specifically detailed in the draft, one assumes any government-produced, pre-compromised encryption products will make their debut accompanied by mandates requiring use going forward, if not retroactively as well.
For what it's worth, the Indian government is accepting comments on the proposed policy until October 16th. Presumably, the draft will move forward despite any negative feedback, given the country's track record on internet freedom and human rights. Factor in the threat of terrorism, and there's very little chance the government won't find some way to push this through mostly unaltered.