The Indian government said it would withdraw a controversial draft National Encryption Policy Tuesday after facing backlash for provisions that called for Indians to store plain-text versions of their encrypted data for 90 days and make it available to security agencies on demand. Internet experts and online activists had criticized the provision -- ostensibly proposed to enhance cybersecurity in India -- for being self-defeating.
"I have written for that draft to be withdrawn, made changes to and then re-released," Ravi Shankar Prasad, India's minister of communications and information technology, reportedly said at a press conference Tuesday, adding that the draft was "not the view of the government."
Earlier Tuesday, the government had, in a proposed addendum to the draft, exempted online banking and purchases, and messaging and social media services like WhatsApp, Facebook and Twitter, from the purview of the law. The government also said that the draft would only be enacted after taking the feedback into account.
“The mission of the policy is to promote national security and increase confidentiality of information, but it specifically excludes ‘sensitive departments/agencies’, which most need such protection … the policy, in fact, decreases security and confidentiality of information,” Pranesh Prakash, policy director at the Centre for Internet and Society -- an Indian research and advocacy group -- told the Economic Times.
Plain-text files, meaning unencrypted files such as Word documents, can be read by anyone with access to them. The fear is that keeping a plain-text version of every file for 90 days would give hackers a wide window in which to find and read them.
“If our emails, for example, are required to be kept in plain text rather than in encrypted form, then that makes it easier for hackers and foreign agencies to spy on our government, businesses, and on all Indian citizens,” Prakash added.
The draft would also have allowed the government to define and specify all algorithms and key sizes for encryption in India -- another provision that faced criticism.
The draft was formulated by an expert group set up by India’s Department of Electronics and Information Technology under Section 84A of the Information Technology Act, 2000. In the past, other sections of the act, including the deeply controversial Section 66A -- which criminalizes sending “offensive” messages through online messaging services -- have also faced flak.