Follow Us:
Thursday, January 27, 2022

Codes And Conundrums

Information security, law enforcement goals of encryption policy need reconciling.

Written by Chinmayi Arun |
Updated: September 25, 2015 12:25:23 am
ravi shankar prasad, encryption, Encryption policy, encryption policy india, encryption policy news, national Encryption policy, Encryption policy withdrawn, encryption, whatsapp, facebook, whatsapp messages, private whatsapp messages,  latest news The government may need to face the fact that it will never be able to control and access all information. There will always be outliers. Since these outliers are few in number and will continuously innovate, policies directed at them.

Earlier this week, the Centre released a draft encryption policy, only to modify it and then withdraw it. There are many things to learn from this incident. It is important to remember that this was only a draft released for public feedback. The practice of putting up policies for public feedback, and following a consultative governance model, is commendable and the government should get some credit for its efforts. However, the overwhelming negative feedback that the policy received highlights certain basic truths that the government must bear in mind while regulating technology.

First, when the regulation is of technology, it is important never to dictate what technology must be used. This is because technology, especially in digital media, moves very fast. Even if the technological standard specified is the best available at that point, it may soon become obsolete. A good policy will always leave room for innovation. In the context of encryption, this is especially important since industry leaders have incentives to innovate and offer consumers more secure information services.

Second, the best that regulation can ever do is get most people to change their behaviour. For regulation that concerns the adoption of technology, a well-publicised government policy may be useful to help new or under-resourced players understand what technology to use. In addition, enforcement of a minimum standard may even help incentivise those who hold information to secure it. This is also a useful role such a policy can play, since consumers do not usually have the power to insist their information be stored securely. A policy aimed at forcing changes in the behaviour of all players is do-omed to fail. Regulators must face the simple truth that there will always be outliers — a small set of well-informed regulatory subjects who will successfully resist all attempts to change their behaviour.

The encryption policy was complicated by the fact that it was trying to achieve two objectives simultaneously. It was trying to set and enforce a technological standard that would ensure all information is stored with some degree of security. If the policy tried to achieve the securing of information through a minimum standard, instead of rendering it insecure by dictating a standard that might get obsolete, it might have handled this objective better.

The other objective is more difficult to manage efficiently. In the age of encryption, the government also needs to be able to access information needed to investigate national security threats and crimes. This is why the policy attempted to specify that information be stored for a certain length of time, and in formats easily accessible. It is in the context of this objective that the government may need to face the fact that it will never be able to control and access all information. There will always be outliers. Since these outliers are few in number and will continuously innovate, policies directed at them may result in great information security costs for all other citizens. The plain-text storage obligation within the encryption policy was a classic example. If the state is able to reconcile itself to the idea of outliers, it might direct its energies more productively in streamlining the processes and formats through which law enforcement agencies ask for encrypted information, so that their requests are processed more easily and quickly.

It is encouraging to see the government take steps towards securing information. However, it will need to work on reconciling the information security and law enforcement goals better, and take on board basic truths about regulation of technology and behaviour. I hope it will continue to be consultative. It may help to begin with conversations with industry, academia, law enforcement agencies and privacy experts to ensure that the new encryption policy is built on the right principles.

The writer is research director, Centre for Communication Governance, National Law University, Delhi

📣 The Indian Express is now on Telegram. Click here to join our channel (@indianexpress) and stay updated with the latest headlines

For all the latest Opinion News, download Indian Express App.

  • Newsguard
  • The Indian Express website has been rated GREEN for its credibility and trustworthiness by Newsguard, a global service that rates news sources for their journalistic standards.
  • Newsguard
0 Comment(s) *
* The moderation of comments is automated and not cleared manually by