October 1, 2015 1:59:31 am
The recent brouhaha over the draft National Encryption Policy (NEP) drew attention to an essential technology that most consumers of the Internet use and take for granted, but rarely spend much time thinking about. Encryption is a way to secure communications online, from emails to sensitive information like credit card and bank account details, by scrambling them into a form that can be read only by the intended recipient. All our transactions on the Internet involve transmitting a great deal of personal data to various entities, and these days much of it is automatically secured using an encryption algorithm. Only someone (or another computer) holding the "key" can decrypt the encoded messages or data. Suppose you're trying to send a sensitive message to a friend. You use a cipher, say, replace every letter with the one five places further down the alphabet, so that "A" becomes "F", and so on. You tell your friend the key is "shift by five", so she'll be able to understand the message, but to anyone who intercepts it, it will be nonsense.
Of course, such codes involve patterns that can be deciphered, given enough time. And with the massive expansion of computing power, even 56-bit encryption (the Data Encryption Standard, DES, the first such standard the US developed for computers in the 1970s), which has more than 70 quadrillion possible keys, is vulnerable to a brute force attack, in which machines simply try every possible key until the message unlocks. Today the Advanced Encryption Standard (AES), with 128-, 192- or 256-bit keys, is used by the US government and is considered secure.
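The two ideas above, a shift cipher whose key is "shift by five" and a brute force attack that tries every key, are small enough to run. The following is an added example written for this page, not code from the article; the sample message, the short wordlist used to recognise a sensible decryption and the assumed attacker speed of a trillion keys per second are all constructed for the demonstration.

```python
"""Shift cipher from the article, brute-forced, beside the key spaces it contrasts.

Added example, not from the original article. The sample message, the
wordlist and the attacker rate are constructed for this demonstration.
"""
from string import ascii_uppercase

ALPHABET = ascii_uppercase  # 26 letters, so the cipher has only 26 keys (0..25)

# Constructed for this example: a tiny list of common English words used to
# spot a plausible decryption. Real attacks use fuller language statistics.
COMMON_WORDS = {"THE", "AT", "ME", "MEET", "OF", "AND", "TO", "IN", "IS",
                "IT", "ON", "BE", "AS", "BY", "OR", "AN", "WE", "SO", "IF", "NO"}


def shift_encrypt(text: str, key: int) -> str:
    """Replace every letter with the one `key` places down the alphabet.

    With key=5, 'A' becomes 'F'. Input is upper-cased; non-letters pass through.
    """
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is encryption with the opposite shift."""
    return shift_encrypt(ciphertext, -key)


def brute_force(ciphertext: str) -> list:
    """Try every key. For a shift cipher the whole key space is 26 tries."""
    return [shift_decrypt(ciphertext, k) for k in range(26)]


def best_guess(ciphertext: str) -> tuple:
    """Rank the 26 candidates by how many recognisable words each contains.

    Returns (key, plaintext) for the highest-scoring candidate.
    """
    candidates = brute_force(ciphertext)
    scores = [sum(word in COMMON_WORDS for word in cand.split()) for cand in candidates]
    best = max(range(26), key=lambda k: scores[k])
    return best, candidates[best]


def key_space(bits: int) -> int:
    """Number of possible keys for a `bits`-bit key (2^56 is about 72 quadrillion)."""
    return 2 ** bits


def brute_force_years(bits: int, keys_per_second: float) -> float:
    """Worst-case time to try every key at an assumed rate, in years."""
    seconds = key_space(bits) / keys_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    message = "MEET ME AT THE OLD BRIDGE AT DAWN"  # constructed sample message
    ciphertext = shift_encrypt(message, 5)
    print("ciphertext:", ciphertext)
    print("recovered :", best_guess(ciphertext))
    rate = 1e12  # assumed attacker speed, keys per second, for comparison only
    for bits in (40, 56, 128):
        print(f"{bits}-bit key: {key_space(bits):.2e} keys, "
              f"{brute_force_years(bits, rate):.3g} years to exhaust")
```

The shift cipher falls in 26 tries. At the assumed rate, a 56-bit DES key space is exhausted in under a day, while a 128-bit key space would take on the order of ten billion billion years, which is the gap the article is pointing at.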
AES is an example of symmetric-key encryption, just like the shift-by-five cipher mentioned earlier: the same secret key is used to encrypt and to decrypt, and it must be shared by the parties communicating with each other. That sharing is the weak point, because a key sent over the same channel as the message can be plucked from the data stream by a third party. Public-key encryption addresses this with a pair of keys: a public key, which can be handed to anyone, and a private key, which never leaves its owner. Anything encrypted with the public key can be decrypted only with the matching private key. In practice, because public-key operations are slow, your computer encrypts the message itself with a freshly generated symmetric key, encrypts that symmetric key with the recipient's public key, and sends both; the receiving computer uses its own private key to recover the symmetric key and then decrypts the message. No private key ever travels across the network. The most commonly used encryption standards today are open standards.
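The exchange described above, a symmetric key for the message and a public key to wrap that symmetric key, is shown below in miniature. This is an added example written for this page, not the article's own material. It uses textbook RSA built from two small, well-known primes (the millionth and two-millionth primes, chosen so the arithmetic stays small) and a SHA-256 keystream as the symmetric cipher; both are stand-ins so the code runs on the Python standard library alone. Real systems use RSA-OAEP or X25519 for the key wrap and AES for the bulk encryption, and nothing here is safe for actual use.

```python
"""Hybrid public-key encryption in miniature.

Added example, not from the original article. Textbook RSA (no padding) and
a SHA-256 keystream are toy stand-ins for a real key wrap and a real cipher.
"""
import hashlib
import math
import secrets
from typing import NamedTuple


class PublicKey(NamedTuple):
    n: int
    e: int


class PrivateKey(NamedTuple):
    n: int
    d: int


def make_keypair(p: int, q: int, e: int = 65537) -> tuple:
    """Textbook RSA key generation from two primes. The private exponent d
    satisfies e * d == 1 (mod (p-1)(q-1)); knowing n and e does not reveal it."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)
    return PublicKey(n, e), PrivateKey(n, d)


def keystream_xor(key: int, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR the data with SHA-256(key || block counter).

    The same call encrypts and decrypts, which is what 'symmetric' means.
    """
    key_bytes = key.to_bytes(8, "big")
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        block = hashlib.sha256(key_bytes + counter).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def hybrid_encrypt(pub: PublicKey, plaintext: bytes, session_key: int = None) -> tuple:
    """Encrypt the message under a fresh symmetric key, then wrap that key
    with the recipient's public key. Returns (wrapped_key, ciphertext)."""
    if session_key is None:
        session_key = secrets.randbelow(pub.n - 2) + 1  # 1 <= k <= n-2
    wrapped_key = pow(session_key, pub.e, pub.n)  # only the private key undoes this
    return wrapped_key, keystream_xor(session_key, plaintext)


def hybrid_decrypt(priv: PrivateKey, wrapped_key: int, ciphertext: bytes) -> bytes:
    """Recover the symmetric key with the private key, then decrypt the message."""
    session_key = pow(wrapped_key, priv.d, priv.n)
    return keystream_xor(session_key, ciphertext)


if __name__ == "__main__":
    # Assumed for this example: the 1,000,000th and 2,000,000th primes.
    recipient_pub, recipient_priv = make_keypair(15485863, 32452843)
    wrapped, ct = hybrid_encrypt(recipient_pub, b"meet me at dawn")
    print("wrapped key :", wrapped)
    print("ciphertext  :", ct.hex())
    print("decrypted   :", hybrid_decrypt(recipient_priv, wrapped, ct))
    # Applying the public exponent again does not unwrap the key.
    print("unwrap with public key recovers session key?",
          pow(wrapped, recipient_pub.e, recipient_pub.n) == pow(wrapped, recipient_priv.d, recipient_priv.n))
```

Only `recipient_pub` ever needs to be sent to the other side; the private key and the session key stay where they are generated, which is the point of the scheme.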
Obviously, at a time when more and more transactions and services are moving online, governments have an interest in protecting their communications infrastructure from attack. But as in several other information technology areas, India's regulatory regime on encryption is both weak and confusing, and the draft NEP was not meant to replace or update a pre-existing policy. The Department of Telecommunications (DoT), in its 2002 licensing guidelines for Internet service providers, set a "40-bit key length in the symmetric key algorithms or its equivalent" as the maximum permitted without "having to obtain permission" from the DoT or depositing the decryption key with it. A 40-bit key space (roughly a trillion keys) can be exhausted by ordinary hardware, so most individuals and organisations follow different standards, and even bodies within the government set their own: SEBI, for instance, prescribes 64-bit/128-bit encryption for standard network security. Then, under the Information Technology (Certifying Authorities) Rules, 2000, stored passwords must be encrypted using "internationally proven encryption techniques". And the Information Technology (Amendment) Act, 2008, empowers the government to prescribe permissible encryption strength "for the secure use of the electronic medium and for promotion of e-governance and e-commerce".
So perhaps the purpose of the draft encryption policy was to inject some clarity into this confusing mess of regulation by mandating standards to secure India’s Internet infrastructure, and the data of private citizens, in order to protect it from attacks by hostile agents. In fact, though, an encryption policy is presumably meant to accomplish two goals. The first is to insulate state, military, intelligence and law enforcement agencies from external and internal threats, for which the government would want to mandate high standards on a minimum encryption key. Tellingly, India’s draft policy was “not applicable to sensitive departments/ agencies of the government designated for performing sensitive and strategic roles”.
Second, an encryption policy tries to formulate a (semi-)legal framework to allow intelligence and law enforcement to intercept and/or demand data on private citizens and corporations from service providers. To this end, it is in the state’s interest to mandate weak standards for commercial use, or allow itself the means to decrypt information packets whenever it deems necessary.
The draft NEP wanted the government to set the technical standards, which it is entitled to do, but being too specific on that front not only makes compliance extremely difficult, it also increases vulnerability rather than decreasing it, because it risks locking vendors and users into outdated algorithms and key sizes. Then, the demand that all entities, individual or otherwise, store data in plaintext for 90 days so it can be furnished to the authorities on request is a staggering provision to include in a document ostensibly meant to protect that data. As many experts pointed out, a mandated plaintext copy of every message would be a security catastrophe: it recreates, at every user and service provider, exactly the stockpile of readable data that encryption exists to prevent, and an open invitation to cyber criminals to pilfer private details.
Also problematic were the requirements that encryption service providers within and outside India “enter into an agreement with the government”, vendors “register their products with the designated agency of the government” and “submit working copies of the encryption software/hardware to the government along with professional quality documentation, test suites and execution platform environments”. First, providers based overseas could simply refuse to comply; and second, this constitutes an expansion of a licensing regime in an area that does not require it and where the government lacks the capacity to enforce its rules.
The Edward Snowden revelations showed the lengths to which the US National Security Agency went to systematically undermine encryption standards, giving itself a "backdoor" to private information whenever it desired and circumventing any legal process. The Government of India must do better if it does not want to be accused of thwarting privacy and enabling mass surveillance.