Shortly after a controversy erupted over government's plans to snoop on every message sent through WhatsApp, SMS, e-mail or any such service, the Department of Electronics and Information Technology clarified that social media websites and applications will be exempted from the purview of the draft National Encryption Policy.
The mass-use encryption products, which are currently being used in web applications, social media sites, and social media applications such as WhatsApp, Facebook, Twitter etc are being exempted from the purview of the draft National Encryption Policy, said a proposed addendum to the policy posted on the department's website.
Encryption products used in Internet banking and payment gateways, and those used for e-commerce and password-based transactions will also be exempted.
The draft new encryption policy had originally envisaged that every message sent through WhatsApp, SMS, e-mail or any such service must be mandatorily stored in plain text format for 90 days and made available on demand to security agencies.
The move triggered widespread privacy concerns and generated heated debate.
The draft of New Encryption Policy proposes that users of encrypted messaging service on demand should reproduce same text, transacted during a communication, in plain format before law enforcement agencies and failing to do so may lead to imprisonment of the user as per the provisions.
The proposed policy, issued by the Department of Electronics and Information Technology, would apply on everyone including government departments, academic institutions, citizens and for all kind of communications -- be it official or personal.
Generally, all the modern messaging services like WhatsApp, Viber, Line, Google Chat, yahoo messenger etc, come with high level of encryption and many a time security agencies find it hard to intercept these messages.
"All information shall be stored by the concerned B/C entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country," the draft said.
The draft has defined 'B category' as all statutory organizations, executive bodies, business and commercial establishments, including all Public Sector Undertakings and academic institutions.
The 'C category' as per the draft are all citizens including personnel of government and business performing non-official or personal functions.
In case of the user has communicated with foreigner or entity abroad then the primary responsibility of providing readable plain text along with the corresponding encrypted information would be that of the user in the country.
Besides this all service providers located within and outside India that use encryption technology for providing any type of services in India must register themselves with the government, as per the draft.
Sukumuar said the government is following old mindset in trying to regulate new technology.
Medianama Founder and volunteer for 'Save The Internet' forum, Nikhil Pahwa said that the problem is that the government can hold users liable for not keeping copies of their data in a 'plain text' format, when 99.99 per cent of users in the country don't know the meaning of plain text.
"There is also a possibility that the 'plain text' data can be manipulated by hackers, or by a government official with encryption keys who can manipulate stored data. How will an individual be protected against such attacks? An individual's right to privacy is a fundamental right under Article 21," Pahwa said.
The vision of the policy is to "enable information security environment and secure transactions in Cyber Space for individuals, businesses, government, including nationally critical information systems and networks," the draft said.
Internet Service Provider Association Of India President Rajesh Chharia said putting responsibility on customers is not acceptable.
"While we welcome 256 bit encryption which we have been demanding from very long time, government needs to consider secrecy of business as well. National security is paramount but government should think that a terrorist is never going to share encryption code of his tool. Government needs to develop capability to handle such issues," Chharia said.
