The government of india published a new draft encryption policy .
Frankly a part of me still imagines this to be an April fools prank gone awry.
And that I will wake up tomorrow to news, that this was a screwup and we can
all forget about it.
[EDIT: The government has since published an addendum, issuing clarifications.
PROPOSED ADDENDUM TO THE DRAFT ENCRYPTION POLICY
This post has been updated at the end to reflect the same. In brief while it
has reduced the coverage of the applications and services, the essential
implementation issues as pointed out to in this post still remain and the policy
seems just as silly and onerous after the addendum was published.]
Be as it may, this policy has received substantial criticism early on, not the
least of which is about the various privacy issues. This post attempts to
look at this policy within the context of security, practicality and law.
Note that encryption as referred to in this policy applies to encryption as
used for transmission AND storage. Also the quoted policy text may refer to
G, B and C. This refers to Government, Business and Citizens respectively.
An imaginary conversation
I am frankly dumbstruck by the policy draft. I wonder how it even resulted into
its current state. My best guess is somewhere in the policy corridor a
conversation along the lines below happened. Once again, to emphasise, the
conversation below is imaginary.
Politician: We need to have a better ability to intercept all the messages
flowing on the internet. Very needed to take on terrorism and is also
useful for political intelligence and rapid reaction.
Bureaucrat: Sir, most of the internet sites and mobile apps encrypt all the
conversations. So even as we can readily intercept the messages, we cannot
easily decrypt them.
Politician: But the US does it. Why can't we as well?
Bureaucrat: Ahh, but they have the NSA and all its resources, and they can
arm twist the large internet giants into making backdoor concessions via
programs such as PRISM as Edward Snowden showed. They even introduced
backdoors into the Dual Elliptic Curve random number generation written by
RSA to easily crack the encryption. We cannot do that.
Politician: Lets have the chinese model then.
Bureaucrat: Ahh .. but there there is far more interception of messages and
an ability to do better offline monitoring of suspicious citizens, and the
government can easily get to the data of a suspicious guy, because there is
lesser judicial oversight. We being a democracy with an active judiciary
cannot implement that model either.
Politician: OK, I don't really care for the encryption per se. And I don't
wish to be lambasted for too much snooping. Just make sure that we can
easily access the non encrypted data directly from one of the parties when
we need to and there is enough of a legal framework to support that.
Bureaucrat: OK Sir.
The said bureaucrat then sets in motion a series of actions which results
in this new draft policy document
Disingenious Objectives
The document in its preamble lays down its vision, mission, and objectives.
And yet after reading the rest of the document, one wonders if the government
even remotely understood that its policy is almost entirely inconsistent with
what it set out to do. Thus either it was not entirely honest in setting out
its goals properly, or it did a rather shoddy job by actually undermining these
very goals. Let us take a look at the goals themselves.
Vision
To enable information security environment and secure transactions in Cyber
Space for individuals, businesses, Government including nationally critical
information systems and networks.
Mission
To provide confidentiality of information in cyber space for individuals,
protection of sensitive or proprietary information for individuals &
businesses, ensuring continuing reliability and integrity of nationally
critical information systems and networks.
Objectives
- To synchronize with the emerging global digital economy / network society
and use of Encryption for ensuring the Security / confidentiality of data
and to protect privacy in information and communication infrastructure
without unduly affecting public safety and National Security.
- To encourage wider usage of Digital Signature by all entities including
Government for trusted communication, transactions and authentication.
- To encourage the adoption of information security best practices by all
entities and Stakeholders in the Government, public & private sector and
citizens that are consistent with industry practice.
I don't think a further discussion is really required as to the incogruity
between the goals as set out and the implementation directives.
Implementation difficulties with this policy
Lets just run through the number of issues this creates.
What does it mean to store plain text information. Does it need to be stored
as a plain text? Many mobiles and computers have fully encrypted file systems
or fully encrypted databases. Will storing plain text information on such
file systems or databases be allowed ? If not, will organisations and end
users need to change to unencrypted file systems thus substantially
compromising their security?
Continuing from above, many users (including yours truly) use full disk
encryption as a mechanism to guard against accidental data leakage in case
of mobile/laptop theft, loss etc. Will end users have to give up on that
security? And will theft or loss of a mobile / laptop now mean someone else
can easily access all the data?
If a service provider is registered, does it absolve the end user citizen
from maintaining encryption logs? It does not seem so.
It seems a new market is being unintentionally created for transparently
logging plain text data, encrypted text and keys used for encryption every
time encryption is used for storage or transmission. This could be done at
various levels
- End users - Clearly end users cannot hope to maintain a log of all this
stuff. They are more likely to give up using computers and start using
and the pure mobile handsets (non smartphones) thus reversing any
attempts at increasing digitisation.
- Applications - There are again literally thousands if not hundreds of
thousands of desktop and mobile applications. Does each one need to be
modified now? Again exceptionally unlikely
- Operating systems - Perhaps Windows and Android and iOS could be
enhanced. But will they? And really, why should they? And that will only
cover those scenarios where such encryption is done using system level
libraries. Rest of the apps are still on their own.
Citizens will not be able to use web services and mobile apps that are not
compliant. I mean if I edit and save an email 20 times before sending it from
a mail service which stores all emails as encrypted, would an extreme
interpretation mean web mail client has to save 20 triplets of plain
text, encrypted text and key used for encryption? Or at least plain text
and encrypted pairs? Unless the internet application or mobile application
does it, no end user will be able to use it for fear of being termed a
criminal
There's a deep conflict with good practices and internationals standards. As
an example PCI standards. They have a substantial focus on encryption
including not storing data in plain text and using random keys and securely
encrypting any key information that must be stored. A credit card processor
could not find a way to obey the law of the land and the mandatory
requirements of secure processing as laid down by the industry. There's no
way to run that business within the territorial boundaries of India.
Keys are often stored in Hardware Security Modules (HSMs) for storing them
securely. No HSM manufacturer worth his salt will ever condescend to create
an HSM that complies with the directives in this policy simply because it is
incredibly stupid to do so. Thus enterprises would not be able to use HSMs.
Even normal key storage itself would need to be extraordinarily insecure to
be consistent with this policy.
I think the general extrapolation of the last two points will suggest that
software engineers will need to throw out of the window all known best
practices for ensuring data security and privacy, and make sure data is fully
open or at least open enough to be just one step away from disclosure as and
when required (which also makes it far far more easily accessible to hackers)
Assuming one does log the data, how does one ensure its availability. What
happens in case of disk crash? Do mobiles now need to have RAID 5 storage?
What happens with cloud based systems like google chrome? There is little if
any storage on the local systems. Do such OS's now require to be modified
to cater to the encryption policy?
Political implications
There are some other serious implications in terms of required professional
confidentiality (eg. with doctors and lawyers), having secure protected
communications with say a spouse, whistleblowing activities, communication with
journalists, political dissidence et. al. These are all communications that must
be protected within any self respecting democracy.
In addition there is the very basic fundamental right citizens have to privacy.
For a government which claims to promote digitisation, it is setting out to
impose a huge cost on the same. Is the policy consistent with the ambitions?
This is an explosive can of worms that threatens civil rights and encourage
movement to a orwelian state.
Basically this policy document justs seems like a really bad dream. However
this being a technical blog, this entire issue is not explored or commented
upon further.
Commercial implications
As mentioned earlier this policy draft does not live up to its stated goals. As
also further pointed out this draft basically destroys any notion of secure data
storage and encourages rejecting decades of improvements in data storage best
practices. But most importantly this policy if implemented (which it should not
ever get there hopefully) will headline India for having a regulatory framework
which totally compromises data management best practices.
This will make it hard for businesses to
outsource data to Indian companies because their data will now be stored in
plain text along with the necessary encryption keys. This could be disastrous
for the IT, BPO and all Knowledge Processing industries.
EDIT:
The government has since published the addendum to the policy following the
media uproar.
PROPOSED ADDENDUM TO THE DRAFT ENCRYPTION POLICY
Since it substantially impacts this post, am documenting my thoughts
regarding the same separately as follows.
What is the definition of "The mass use encryption products, which are
currently being used in web applications, social media sites, and social
media applications"? This is such a large category that it is impossible
to imagine those who authored the original document did not think of this
class of services. So I suspect this was essentially a knee jerk reaction to
the uproar rather than having been thought of in the first place. Also does
gmail qualify for the exemption above? Lets presume for a moment it does,
does my webmail client as offered by my web host provider qualify? It is
unlikely to. So some webmail clients are exempt and some aren't. Does
telegram, another app similar to whatsapp qualify? The above definition does
not make it clear. If I wrote a similar app for my family, Will it? If not,
why not?
In short this clarification makes the whole thing even more murky.
I presume by SSL/TSL based products it means corresponding web sites. Why
call them products? And there are tons of other apps which may not qualify.
eg. a health care management system, or a logistics routing application.
One might argue that if they are password based, then they should also be
exempt. Assuming all password based services are exempt then what is the
whole policy for? What non password based services need such a disturbing
policy around it? And if all password based services are not exempt, then all
the issues I've pointed to are still relevant. Thus leading to a scenario
where a large number of internet based services and mobile apps having to
deal with a real ton of issues to sort through.
What about outsourced IT, BPO and other backoffice services to India ? Do
they qualify for exemption. Many of them will not meet the addendum
requirement for exemption. And yet they will deal with very important
sensitive data. Will the data owners continue to allow their Indian
outsourcing partners to continue dealing with their data?
This whole addendum sounds like a knee jerk reaction to a really deficient
policy in the first place. Seems to me this policy was a very very bad idea to
begin with, something that the government simply did not think through. And now
it is trying to put up a face saver using an addendum. Sadly that only deals
with the issues raised in the popular media. It still does not address many
of the implementation issues I have referred to. Perhaps the policy makers
simply have very little clue about what is it that they are attempting to
regulate. And leaving us very very confused, and very very scared.