India's Government Looking At Mandating Backdoors In Encryption
from the selling-out-the-people-for-the-good-of-the-people dept
Here in the US, the FBI really really really wants to be able to let itself in your backdoor if it feels the urge to paw through your personal communications. (Perhaps the FBI's lack of respect for encryption is due to its own unwillingness to encrypt its communications...) Congress isn't pushing this forward and the administration has indicated it won't back an encryption backdoor mandate. Over in Europe, a mixed bag of terrorism-related legislation is going the other way, pushing for "good guys only" holes in encryption, with any negative use by criminals and foreign governments apparently being the price that must be paid to secure whatever liberty still remains once the "securing" is completed.
India's government -- never one to shy away from overreach, censorship or other bad ideas -- similarly sees encryption backdoors as A Good Thing. A draft proposal from India Department of Electronics and Technology, posted by essential government doc stash Public Intelligence, indicates that the government may be looking to mandate a variety of encryption backdoors in the near future.
It starts out with some positive thinking…
The recognition of the need to protect privacy and increase the security of the Internet and associated information systems have resulted in the development of policies that favour the spread of encryption worldwide. The Information Technology Act 2000 provides for prescribing modes or methods for encryption (Section 84A) and for decryption (Section 69). Taking into account the need to protect information assets, international trends and concerns of national security, the cryptographic policy for domestic use supports the broad use of cryptography in ways that facilitates individual / businesses privacy, international economic competitiveness in all sectors including Government....before cutting the floor away entirely.
This policy is not applicable to sensitive departments / agencies of the government designated for performing sensitive and strategic roles. This policy is applicable to all Central and State Government Departments (including sensitive Departments / Agencies while performing non-strategic & non-operational role), all statutory organizations, executive bodies, business and commercial establishments, including public sector undertakings and academic institutions and all citizens (including Personnel of Government / Business performing non-official / personal functions).The "policy" is mandated backdoors -- not for "sensitive" and "strategic" government agencies, but for everyone else, from other government agencies to "all citizens."
The suggested policy splits up the country's population in three groups, with businesses and citizens designated as "B" and "C." The government says, yes, use encryption for better privacy and security... but don't lock us out.
B / C groups (i.e. B2C, C2B Sectors) may use Encryption for storage and communication. Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time. On demand, the user shall reproduce the same Plain text and encrypted text pairs using the software / hardware used to produce the encrypted text from the given plain text. All information shall be stored by the concerned B / C entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country. In case of communication with foreign entity, the primary responsibility of providing readable plain-text along with the corresponding Encrypted information shall rest on entity (B or C) located in India.And any ISP looking to provide service in India -- including those not actually located in India -- is expected to give the government access to encrypted transmissions.
Service Providers located within and outside India, using Encryption technology for providing any type of services in India must enter into an agreement with the Government for providing such services in India. Government will designate an appropriate agency for entering into such an agreement with the Service provider located within and outside India. The users of any group G,B or C taking such services from Service Providers . are also responsible to provide plain text when demanded.On top of that, creators of encryption products would be required to register with the government and submit to a "security evaluation." Presumably, the evaluation will include discussion of where to best place backdoors and/or involve a handover of Golden Keys.
The proposal also suggests the government take a more active role in the development of "indigenous" encryption products. While not specifically detailed in the draft, one assumes any government-produced, pre-compromised encryption products will make their debut accompanied by mandates requiring use going forward, if not retroactively as well.
For what it's worth, the Indian government is accepting comments on the proposed policy until October 16th. Presumably, the draft will move forward despite any negative feedback, given the country's track record on internet freedom and human rights. Factor in the threat of terrorism, and there's very little chance the government won't find some way to push this through mostly unaltered.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: backdoors, encryption, going dark, india, mandates
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
And as per the usual caste system, it's "everyone but us".
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Loophole
[ link to this | view in thread ]
Actually India is doing a service...
...by providing a cautionary tale to which we can point when our administrators demand the same thing.
[ link to this | view in thread ]
Well this may also inspire public use of encryption with plausible deniability features.
What's better than having your data encrypted? Having your data encrypted in a way that doesn't look like encrypted data.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
[ link to this | view in thread ]
The only positive
P.s out of curiosity how does TD do formatting? I'd take a shot in the dark and guess it uses the same one reddit does?
[ link to this | view in thread ]
Wait for it
India drops off the Internet.
[ link to this | view in thread ]
HTTPS Everywhere
If Indians can't access Google, Wikipedia, Facebook, ... they're going to go as Internet dark as those iconic pictures of North Korea.
[ link to this | view in thread ]
Re: The only positive
[ link to this | view in thread ]
Economic Consequences
/sarc
[ link to this | view in thread ]
Re: Re: The only positive
[ link to this | view in thread ]
International laws
It's perhaps ironic that if the Internet is involved, governments feel they have the right to push their laws over the entire world as well. Obvious examples: copyright, right to be 'forgotten'. Now India is in on it:
And any ISP looking to provide service in India -- including those not actually located in India -- is expected to give the government access to encrypted transmissions.
The overly broad interpretation of this (I understand it's praphrased) is that if a person in America sends a message to a person in Britain via an ISP that offers services to India, then the Indian government feels they have the right to access that message. Never mind that the data never went to India in the first place.
Perhaps this is why more and more governments want data stored in the same country as the user, so they can claim local laws apply to local data. (China, Russia)
Properly encrypted data is indistinguishable from random data. Indeed, if the data is not random (e.g. it has patterns or repeated sequences), this indicates possible flaws in the encryption.
A better example is trying to mask the encrypted data so it looks normal, e.g. as with Tor's Obfsproxy. It's a subtle distinguishment, but it's important.
[ link to this | view in thread ]
Re: Actually India is doing a service...
[ link to this | view in thread ]
Dear India:
[ link to this | view in thread ]
Re: Dear India:
Anyways...
Dear India,
If you are okay with a US citizen such as myself having the backdoor keys to your country's citizens' encryption, then by all means go ahead and mandate it.
Sincerely,
There-are-no-secure-back-doors.
[ link to this | view in thread ]
Re: Economic Consequences
[ link to this | view in thread ]
Re: Re: Dear India:
[ link to this | view in thread ]