The zeal with which the policy was announced was matched only by the speed with which it was withdrawn. It lasted all of Monday morning to Tuesday evening. Meanwhile, a scapegoat was found — a poor low-level scientist — and everyone else washed his or her hands of the draft National Encryption Policy.
It was indeed a draft, but it was a draft of a National Policy that was placed in the public domain to enable stakeholders and the public to offer their comments. Surely, it was approved at a level much above the low-level scientist. Besides, there is the principle of constructive responsibility. Elementary, but it seems to have escaped the Minister and the Secretary concerned.
This is not the first time that the BJP/NDA government has acted first and donned its thinking cap later. Other governments may have also been guilty, but we are concerned with the present, and the tendency to act first and think later raises grave concerns.
Beating the Retreat
The Government had been warned on the Land Acquisition Ordinance, but the Government went ahead and promulgated the Ordinance thrice. After nine months, it abandoned its misconceived exercise.
The Government was warned on “Net neutrality”, but it ignored the warning and ultimately it had to change its position.
At other levels, Maggi noodles were banned, selling and eating beef was banned, meat was banned for several days, and an NGO activist was barred from traveling abroad. In each of those cases, the government concerned was forced to eat humble pie.
The Government of Rajasthan prescribed minimum educational qualifications for candidates in elections to panchayats and municipalities, something that does not apply to candidates in elections to Parliament or the state legislature. One half or more of the electorate was disqualified. Rajasthan got away with holding elections subject to the outcome of the challenge to the new law. But when Haryana tried the same trick, the elections were stopped, and the case will be heard soon. The Government of Haryana and the BJP have been warned that the validity of the law is doubtful, but they do not seem to take the warning seriously.
The latest case is the debate on reservation triggered by a conscious statement made by Mr Mohan Bhagwat. The statement was made soon after the three-day “exchange of views” between the RSS and the Government attended by the Prime Minister and senior ministers. It is difficult to believe that reservation was not discussed during the “exchange of views”. The Government hastened to distance itself from Mr Bhagwat’s statement, but that was not the end of the story. On the next day, the RSS’ view on reservation was faithfully reflected in two Bills passed by the legislature of Rajasthan. The Government of Rajasthan and the BJP have been duly warned that the Bills are vulnerable, but there is no sign that they will heed the warning.
“Act first, think later” has become the leitmotif of the BJP/NDA government. The draft National Encryption Policy is a prime example.
Encryption: Whose Right and Responsibility?
The legal basis claimed is Sections 69 and 84A of the Information Technology Act. They confer power on the Government to intercept, monitor or decrypt digital information under certain conditions and to prescribe modes and methods of encryption.
Information — private or public, harmless chatter or highly sensitive — when generated, transmitted, received or stored is encrypted. The key is the encryption codes. Just as a government’s encryption codes are the property of the government, encryption codes of service providers like Google, Apple, Facebook, etc. are the property of the service providers. Their business depends upon the security of their codes; therefore they constantly innovate and fight hard to win the perpetual battle between codemakers and codebreakers.
The draft Encryption Policy blithely ignored the realities and challenges of the digital age. It asserted the right of the Government to prescribe encryption standards for the three groups of users: Government, Business and Citizens. Vendors of encryption products were obliged to register their products with a government agency and submit working copies of the encryption hardware/software to that agency. Users were mandated to keep information in plain text format for 90 days and make it available, on demand, to law enforcement agencies.
Imagine a Government prescribing encryption algorithms for all Business and Citizen groups! Or imagine the consequences of working copies of all encryption hardware/software available at one place (the designated agency)! Or imagine the risks of keeping plain texts for 90 days! The tribe of hackers, Chinese and others, will be happy men and women.
The authors of the draft Policy seem to have no understanding of either security or privacy. Securing information in the digital world is dependent on constant research, innovation, design and application — matters that are best left to vendors, service providers, businesses and citizens. The need for privacy, and the degree of privacy that each citizen desires, are best left to the citizens.
The Government’s sole concern should be the breach of security of sensitive or classified information. Hence, the Government’s only right is to prescribe minimum standards of security for different kinds of information and different classes of vendors, service providers and users, and demand that the information be made available if it is connected to a breach of security. I hope the next “scientist” who will draft the policy will bear these in mind.