The addendum to the draft National Encryption Policy might have come late at night, but it did finally allay some of the fears that had gripped Indian internet users after the recommendations of the expert group were made public on Monday.
It was almost a what-were-you-thinking moment for most Internet users, who struggled to comprehend what these rules meant for them and their virtual lives. The one thing that bugged them was the fact that they would need to keep a 90-day record of all their encrypted communications, which would mean almost all OTT platforms including WhatsApp — just guess what that would mean given that most of us are on scores of groups and chats on this one platform alone. Also, none of the mobile messaging platforms lend themselves to this kind of usage; some delete records as soon as they have been read. Thankfully, the addendum has exempted WhatsApp and other social media platforms from the policy’s ambit. But you will still need to keep records of emails — and submit them to security agencies if required — as all of these are encrypted.
The problem here, as cyberlaw expert Pawan Duggal points out, is that whoever drafted the policy was not looking at the ground realities, especially the proliferation of mobile phones which use mass encryption technologies. Also, most of our mobile phone users have no idea what encryption is or that they are also using it in some way or the other.
While general users might be heaving a sigh of relief, there is a fear that the policy will usher in a new registration raj now that all encryption technologies that can be used in India will need to be certified and listed by the agencies concerned. To expect a company based outside India’s jurisdiction to comply with this is the height of optimism, especially when the encryption technology is their USP. A lot of encryption companies might just give the Indian market a miss, while a lot of Indian companies might just give encryption a miss altogether. If this policy was supposed to promote encryption as a technology in India, it defeats that purpose at the very outset.
By clarifying that “mass use encryption products” used in web applications and social media platforms, as well as Internet-banking and e-commerce gateways, are exempt, the government might have steered clear of the public outrage that we saw over the net neutrality debate. But the fact remains that the policy is still ambiguous and gives too much room for misuse and manipulation, while discouraging the use of encryption to secure business and individual privacy.