Govt pulls out draft encryption policy after backlash
New Delhi: After a massive public outcry, the government today withdrew a contentious draft encryption policy that sought to make it mandatory for everyone to store all messages, including those of WhatsApp, for 90 days.
Telecom and IT Minister Ravi Shankar Prasad said a revised policy will be placed in the public domain again after reworking some of the “expressions” that gave rise to “misgivings”.
A draft encryption policy released yesterday wanted businesses, telcos and Internet companies to store all encrypted data for 90 days in plain text, which should be presented before law enforcement agencies whenever asked. Failing to do so would mean legal action as per the law.
Following public backlash over such a move, which is being seen as a threat to privacy, the government through a new addendum this morning clarified that social media sites, including WhatsApp, Facebook and Twitter, payment gateways, e-commerce and password-based transactions are exempt from the policy.
Hours later, the government decided to withdraw the draft encryption policy.
At a news conference to speak on the decisions taken by the Cabinet, Prasad told reporters that the draft National Encryption Policy, which had been released last evening, is not the final view of the government and was placed in the public domain just to seek comments and suggestions from people.
“I wish to make it very clear that it is just a draft and not the view of the government. But I have noted some of the concerns expressed by certain enlightened segments of the public. I have personally seen that some of the expressions used in the draft are giving rise to uncalled-for misgivings,” he said.
“Therefore, I have written to DeitY to withdraw that draft, rework it properly and thereafter, put in the public domain for comments,” he said.
He stressed that common users would not come under the ambit of the encryption policy that will be framed. The new draft to be issued will clearly state which services and creators it would apply to and which ones will be exempt.
The draft policy that was put up on the website of the Department of Electronics and Information Technology (DeitY) yesterday meant that the government could access all encrypted information stored on computer servers in India, including personal e-mails, messages or even data.
The draft policy wanted users to store all encrypted communication for at least 90 days and make it available to security agencies, if required, in text form.
The move was criticised on the Internet, with many expressing fears that law enforcement agencies with easy access to encrypted information could easily compromise security and privacy.
Defending the decision, Prasad said the government under the leadership of Prime Minister Narendra Modi has promoted social media activism.
“The right of articulation and freedom we fully respect, but at the same time, we need to acknowledge that cyber space transaction is rising enormously for individuals, businesses, the government and companies,” he said.
The Minister, however, maintained that there is a need for an encryption policy which would apply to those who are involved in encrypting a messaging product “for a variety of reasons”.
“I wish to make it very clear that there are two issues. One, creation of encryption. Many companies send messages in an encrypted form. Other is those who are consumers of applications like WhatsApp, social media and other platforms available in the cyber domain.
“The purpose of this encryption policy relates only and only to those who encrypt. This has to be made very clear. As far as ordinary consumers of applications are concerned, they do not fall in this domain. Because (for) those who encrypt, for a variety of reasons, there has to be a policy regulating the manner of their encryption,” he said.
Prasad said while the government supports freedom on social media, “some sort of encryption policy is being followed all over the world, particularly in free democratic societies”.
Stating that there are obvious concerns of security, he said, “We in India are lacking any sound policy on encryption. A proper expert committee recommended, within the ambit of the Information Technology Act, that we need to have a proper encryption policy.”