The Emergence of “Police States” in Developing Countries | MTTLR

On Monday, September 21, the Indian Government posted a draft of the National Encryption Policy to the Department of Electronics and Information Technology (DeITY) website. The draft requires Indian businesses:

  1. to keep all encrypted data for 90 days from the date of transaction and make that data available to Law Enforcement Agencies when demanded;
  2. to only use algorithms and key sizes for encryption that have been approved by the Indian Government; and
  3. to provide unencrypted details of communication with foreign companies in readable plaintext.

The draft puts the use of secure messaging, virtual private networks (VPNs), and the deletion of communications earlier than 90 days in jeopardy of becoming illegal.

The new policies will put a substantial burden on consumers to be more cognizant of their use of encryption methods and of applications that use such methods. WhatsApp, Snapchat, Facebook, Twitter, and many other social media applications use some form of encryption. Imposing such policies on citizens will require them to know all the communication taking place on their devices (including apps) as well as whether that communication is encrypted. The public will also need to store a plaintext version of encrypted communication for 90 days and know how to keep plaintext data secure. Many of India’s citizens will not develop the ability to adhere to all of the draft’s requirements. Having such a large number of individuals operating illegally may allow the government to selectively enforce the law.

Due to public backlash, the Government has withdrawn the draft National Encryption Policy. However, the Telecom Minister Ravi Shankar Prasad has told reporters that the draft will be reworked and put back in the public domain for comments. It remains to be seen how the draft will be altered, but Prasad made it clear that for “those who encrypt, for a variety of reasons, there has to be a policy regulating the manner of their encryption.”

As many countries attempt to implement cyber security measures to combat “crime and prevent terrorism,” companies may need to alter the way in which they do business throughout the globe. If India’s reworked National Encryption Policy continues to require companies to use encryption methods approved by the Indian Government, inter alia, entities such as Apple and Google, which are already fighting U.S. domestic policies, will not silently accept such restrictions.

———————————————————————————————————————————-

Edward Vaunder is an editor on the Michigan Telecommunications and Technology Law Review, and a member of the University of Michigan Law School class of 2017.
