The Department of Electronics and Information Technology had proposed a new draft National Encryption Policy that makes it mandatory for Internet users to store all encrypted information – messages sent through Gmail, messaging services or social media platforms – in plain text for 90 days and provide it to Law Enforcement Agencies as and when needed.

However, the government withdrew the draft policy following outrage over sharing personal details with security agencies. Telecom Minister Ravi Shankar Prasad on Tuesday said that he has written for the draft to be withdrawn and it will be released once again after changes are made to it.

"I want to make it clear that what was released yesterday was just a draft and not the view of the government... I have written for that draft to be withdrawn, made changes to it and then re-released," ANI quoted Prasad as saying at a press meet.

WhatsApp, Facebook and Twitter were exempted

The government had reviewed the policy following the outrage on social media in the last two days. The Department of Electronics and Information Technology or DeitY proposed an addendum to the draft encryption policy, exempting social media platforms and WhatsApp.

According to the addendum, the new draft policy will not be applicable to encryption products used in Internet-banking, payment gateways, e-commerce and password based transactions as well.

  • The mass use encryption products, which are currently being used in web applications, social media sites, and social media applications such as WhatsApp, Facebook, Twitter etc.
  • SSL/TLS encryption products being used in Internet-banking and payment gateways as directed by the Reserve Bank of India.
  • SSL/TLS encryption products being used for e-commerce and password based transactions.

The draft policy had earlier stated that all encrypted messages shared on Google Chat, WhatsApp, Yahoo Messenger and social media platforms, including Facebook and Twitter, needed to be stored in plain text form for 90 days "from the date of transaction" and provided to security agencies when required.

"... the user shall be able to reproduce the same Plain text and encrypted text pairs using the software/hardware used to produce the encrypted text from the given plain text. Such plain text information shall be stored by the user/organisation/agency for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country," the draft policy said.

The new draft policy, proposed under Section 84A of the Information Technology Act, 2000, applies to everyone, including citizens, organisations and government officials. DeitY has divided them into three categories – G, C and B.

G (Govt.) – All Central and State Government Departments (including sensitive departments / agencies while performing non-strategic and non-operational role).

B – All statutory organizations, executive bodies, business and commercial establishments, including all Public Sector Undertakings, Academic institutions.

C – All citizens (including personnel of Government / Business (G/B) performing non-official / personal functions).

The draft policy, before the amendment, also stated that "Service Providers located within and outside India, using Encryption technology for providing any type of services in India must enter into an agreement with the Government for providing such services in India".

The proposed policy, if made mandatory for monetary transactions, would have posed legal threats for Indian citizens. According to Nikhil Pahwa, Medianama founder and volunteer for the 'Save The Internet' forum, at least 99.99% of users in India do not know the meaning of plain text, and in such a case they can be held liable for not storing their encrypted data in plain text format.

Pahwa also expressed concern over manipulation of plain text data by hackers, Daily News & Analysis reported.

"There is also a possibility that the 'plain text' data can be manipulated by hackers, or by a government official with encryption keys who can manipulate stored data. How will an individual be protected against such attacks? An individual's right to privacy is a fundamental right under Article 21," he said.

Meanwhile, Internet Service Providers Association of India (ISPAI) President Rajesh Chharia said that the government cannot put responsibility for information security on customers.

"While we welcome 256 bit encryption which we have been demanding from very long time, government needs to consider secrecy of business as well. National security is paramount but government should think that a terrorist is never going to share encryption code of his tool. Government needs to develop capability to handle such issues," Chharia said.