The government of india published a new draft encryption policy . Frankly a part of me still imagines this to be an April fools prank gone awry. And that I will wake up tomorrow to news, that this was a screwup and we can all forget about it.
[EDIT: The government has since published an addendum, issuing clarifications. PROPOSED ADDENDUM TO THE DRAFT ENCRYPTION POLICY This post has been updated at the end to reflect the same. In brief while it has reduced the coverage of the applications and services, the essential implementation issues as pointed out to in this post still remain and the policy seems just as silly and onerous after the addendum was published.]
Be as it may, this policy has received substantial criticism early on, not the least of which is about the various privacy issues. This post attempts to look at this policy within the context of security, practicality and law.
Note that encryption as referred to in this policy applies to encryption as used for transmission AND storage. Also the quoted policy text may refer to G, B and C. This refers to Government, Business and Citizens respectively.
An imaginary conversation
I am frankly dumbstruck by the policy draft. I wonder how it even resulted into its current state. My best guess is somewhere in the policy corridor a conversation along the lines below happened. Once again, to emphasise, the conversation below is imaginary.
Politician: We need to have a better ability to intercept all the messages flowing on the internet. Very needed to take on terrorism and is also useful for political intelligence and rapid reaction.
Bureaucrat: Sir, most of the internet sites and mobile apps encrypt all the conversations. So even as we can readily intercept the messages, we cannot easily decrypt them.
Politician: But the US does it. Why can't we as well?
Bureaucrat: Ahh, but they have the NSA and all its resources, and they can arm twist the large internet giants into making backdoor concessions via programs such as PRISM as Edward Snowden showed. They even introduced backdoors into the Dual Elliptic Curve random number generation written by RSA to easily crack the encryption. We cannot do that.
Politician: Lets have the chinese model then.
Bureaucrat: Ahh .. but there there is far more interception of messages and an ability to do better offline monitoring of suspicious citizens, and the government can easily get to the data of a suspicious guy, because there is lesser judicial oversight. We being a democracy with an active judiciary cannot implement that model either.
Politician: OK, I don't really care for the encryption per se. And I don't wish to be lambasted for too much snooping. Just make sure that we can easily access the non encrypted data directly from one of the parties when we need to and there is enough of a legal framework to support that.
Bureaucrat: OK Sir.
The said bureaucrat then sets in motion a series of actions which results in this new draft policy document
The document in its preamble lays down its vision, mission, and objectives. And yet after reading the rest of the document, one wonders if the government even remotely understood that its policy is almost entirely inconsistent with what it set out to do. Thus either it was not entirely honest in setting out its goals properly, or it did a rather shoddy job by actually undermining these very goals. Let us take a look at the goals themselves.
To enable information security environment and secure transactions in Cyber Space for individuals, businesses, Government including nationally critical information systems and networks.
To provide confidentiality of information in cyber space for individuals, protection of sensitive or proprietary information for individuals & businesses, ensuring continuing reliability and integrity of nationally critical information systems and networks.
- To synchronize with the emerging global digital economy / network society and use of Encryption for ensuring the Security / confidentiality of data and to protect privacy in information and communication infrastructure without unduly affecting public safety and National Security.
- To encourage wider usage of Digital Signature by all entities including Government for trusted communication, transactions and authentication.
- To encourage the adoption of information security best practices by all entities and Stakeholders in the Government, public & private sector and citizens that are consistent with industry practice.
I don't think a further discussion is really required as to the incogruity between the goals as set out and the implementation directives.
Implementation difficulties with this policy
Lets just run through the number of issues this creates.
What does it mean to store plain text information. Does it need to be stored as a plain text? Many mobiles and computers have fully encrypted file systems or fully encrypted databases. Will storing plain text information on such file systems or databases be allowed ? If not, will organisations and end users need to change to unencrypted file systems thus substantially compromising their security?
Continuing from above, many users (including yours truly) use full disk encryption as a mechanism to guard against accidental data leakage in case of mobile/laptop theft, loss etc. Will end users have to give up on that security? And will theft or loss of a mobile / laptop now mean someone else can easily access all the data?
If a service provider is registered, does it absolve the end user citizen from maintaining encryption logs? It does not seem so.
It seems a new market is being unintentionally created for transparently logging plain text data, encrypted text and keys used for encryption every time encryption is used for storage or transmission. This could be done at various levels
- End users - Clearly end users cannot hope to maintain a log of all this stuff. They are more likely to give up using computers and start using and the pure mobile handsets (non smartphones) thus reversing any attempts at increasing digitisation.
- Applications - There are again literally thousands if not hundreds of thousands of desktop and mobile applications. Does each one need to be modified now? Again exceptionally unlikely
- Operating systems - Perhaps Windows and Android and iOS could be enhanced. But will they? And really, why should they? And that will only cover those scenarios where such encryption is done using system level libraries. Rest of the apps are still on their own.
Citizens will not be able to use web services and mobile apps that are not compliant. I mean if I edit and save an email 20 times before sending it from a mail service which stores all emails as encrypted, would an extreme interpretation mean web mail client has to save 20 triplets of plain text, encrypted text and key used for encryption? Or at least plain text and encrypted pairs? Unless the internet application or mobile application does it, no end user will be able to use it for fear of being termed a criminal
There's a deep conflict with good practices and internationals standards. As an example PCI standards. They have a substantial focus on encryption including not storing data in plain text and using random keys and securely encrypting any key information that must be stored. A credit card processor could not find a way to obey the law of the land and the mandatory requirements of secure processing as laid down by the industry. There's no way to run that business within the territorial boundaries of India.
Keys are often stored in Hardware Security Modules (HSMs) for storing them securely. No HSM manufacturer worth his salt will ever condescend to create an HSM that complies with the directives in this policy simply because it is incredibly stupid to do so. Thus enterprises would not be able to use HSMs. Even normal key storage itself would need to be extraordinarily insecure to be consistent with this policy.
I think the general extrapolation of the last two points will suggest that software engineers will need to throw out of the window all known best practices for ensuring data security and privacy, and make sure data is fully open or at least open enough to be just one step away from disclosure as and when required (which also makes it far far more easily accessible to hackers)
Assuming one does log the data, how does one ensure its availability. What happens in case of disk crash? Do mobiles now need to have RAID 5 storage?
What happens with cloud based systems like google chrome? There is little if any storage on the local systems. Do such OS's now require to be modified to cater to the encryption policy?
There are some other serious implications in terms of required professional confidentiality (eg. with doctors and lawyers), having secure protected communications with say a spouse, whistleblowing activities, communication with journalists, political dissidence et. al. These are all communications that must be protected within any self respecting democracy.
In addition there is the very basic fundamental right citizens have to privacy.
For a government which claims to promote digitisation, it is setting out to impose a huge cost on the same. Is the policy consistent with the ambitions?
This is an explosive can of worms that threatens civil rights and encourage movement to a orwelian state.
Basically this policy document justs seems like a really bad dream. However this being a technical blog, this entire issue is not explored or commented upon further.
As mentioned earlier this policy draft does not live up to its stated goals. As also further pointed out this draft basically destroys any notion of secure data storage and encourages rejecting decades of improvements in data storage best practices. But most importantly this policy if implemented (which it should not ever get there hopefully) will headline India for having a regulatory framework which totally compromises data management best practices.
This will make it hard for businesses to outsource data to Indian companies because their data will now be stored in plain text along with the necessary encryption keys. This could be disastrous for the IT, BPO and all Knowledge Processing industries.
The government has since published the addendum to the policy following the media uproar. PROPOSED ADDENDUM TO THE DRAFT ENCRYPTION POLICY
Since it substantially impacts this post, am documenting my thoughts regarding the same separately as follows.
What is the definition of "The mass use encryption products, which are currently being used in web applications, social media sites, and social media applications"? This is such a large category that it is impossible to imagine those who authored the original document did not think of this class of services. So I suspect this was essentially a knee jerk reaction to the uproar rather than having been thought of in the first place. Also does gmail qualify for the exemption above? Lets presume for a moment it does, does my webmail client as offered by my web host provider qualify? It is unlikely to. So some webmail clients are exempt and some aren't. Does telegram, another app similar to whatsapp qualify? The above definition does not make it clear. If I wrote a similar app for my family, Will it? If not, why not?
In short this clarification makes the whole thing even more murky.
I presume by SSL/TSL based products it means corresponding web sites. Why call them products? And there are tons of other apps which may not qualify. eg. a health care management system, or a logistics routing application. One might argue that if they are password based, then they should also be exempt. Assuming all password based services are exempt then what is the whole policy for? What non password based services need such a disturbing policy around it? And if all password based services are not exempt, then all the issues I've pointed to are still relevant. Thus leading to a scenario where a large number of internet based services and mobile apps having to deal with a real ton of issues to sort through.
What about outsourced IT, BPO and other backoffice services to India ? Do they qualify for exemption. Many of them will not meet the addendum requirement for exemption. And yet they will deal with very important sensitive data. Will the data owners continue to allow their Indian outsourcing partners to continue dealing with their data?
This whole addendum sounds like a knee jerk reaction to a really deficient policy in the first place. Seems to me this policy was a very very bad idea to begin with, something that the government simply did not think through. And now it is trying to put up a face saver using an addendum. Sadly that only deals with the issues raised in the popular media. It still does not address many of the implementation issues I have referred to. Perhaps the policy makers simply have very little clue about what is it that they are attempting to regulate. And leaving us very very confused, and very very scared.