Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Censorship Communications Encryption Privacy Social Networks Your Rights Online

India's Worrying Draft Encryption Policy 114

knwny writes: The government of India is working on a new National Encryption Policy the contents of which have raised a few alarms.Among other things, the policy states that citizens and businesses must save all encrypted messages (including personal or unofficial ones) and their plaintext copies for 90 days and make them available to law enforcement agencies as and when demanded. The policy also specifies that only the government of India shall define the algorithms and key sizes for encryption in India. The policy is posted on this website.
This discussion has been archived. No new comments can be posted.

India's Worrying Draft Encryption Policy

Comments Filter:
  • by allaunjsilverfox2 ( 882195 ) on Monday September 21, 2015 @08:32AM (#50566109) Homepage Journal
    What happens if, by accident or malicious intent, the storage medium you are using is destroyed? Or ironically enough, if you are attacked with malware that encrypts your drive. How do you explain that you can't decrypt the drive to so they can decrypt your messages? Or that the cloud solution provider you were using is down for a undetermined amount of time?
    • by bigpat ( 158134 ) on Monday September 21, 2015 @09:06AM (#50566357)

      What happens if, by accident or malicious intent, the storage medium you are using is destroyed? Or ironically enough, if you are attacked with malware that encrypts your drive. How do you explain that you can't decrypt the drive to so they can decrypt your messages? Or that the cloud solution provider you were using is down for a undetermined amount of time?

      It depends what you are accused of and how politically connected or rich you are. Seriously, a law like this is meant as a catch all that nobody will be able to ensure their compliance with. Basically it outlaws encryption for all practical purposes. So if you are accused of something, anything, and you happened to use encryption then at least they can jail or fine you on a technicality when they can't prove that any real crime has been committed.

      • by Anonymous Coward

        This is like the UK's RIPA law. Say you do a SSL transaction with PFS enabled, you can be hauled into Crown Court, the judge asks for the session key (which is obviously long gone), and the dialog goes like this:

        Magistrate: "What is the session key to your web browsing session at www.cowsrus.com?"
        Arrestee: "No clue."
        Magistrate: "That is another four years to your sentence. Now what is the session key to your web browsing session at www.cowsrus.com?"

        Repeat until a life sentence is achieved. This is an

    • Worse yet, what happens if you're a company doing business with Indian partners or subsidiaries and want to protect trade secrets and proprietary information? I would be further discouraged from doing such future business.
      • by johanw ( 1001493 )

        If you're interested in protecting that you would not do any buisiness with India in the first place.

        • Correct, which India will need to assess to determine a law that works for them, and I, as a business, will need to assess how my risk tolerance bears on any decision to do further business with India.
      • by gweihir ( 88907 )

        And that may be the kicker. Outsourcing to India is dead if this gets to law and common practice.

  • ... or can you simply store some arbitrary log, and tell them it's your actual communication data?

  • In other news... (Score:4, Insightful)

    by Jon.Burgin ( 1136665 ) on Monday September 21, 2015 @08:35AM (#50566139)
    the use of Indian consultants is about to drop dramatically.
    • "Dears, could you set the encryption on your tunnel to 56 bit please, sir? It is the maximum allowed by law, sir."

      The scary part is that many people will...
  • by gstoddart ( 321705 ) on Monday September 21, 2015 @08:40AM (#50566169) Homepage

    And here we go with yet another example of politicians and other assholes with no technical understanding deciding to legislate "solutions" for their needs without the barest understanding of reality.

    Yet another country who has decided their need to spy magically changes how technology works.

    And, as usual, this will never work in practice.

    • What are you talking about?! You can bet your ass that the Obama administration and India will develop a coalition of nations to agree on this as treaty binding. This will force Apple and Google and the rest of the software industry to create back-door government APIs into the OS and applications. COUNT ON IT!!!!!

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      You're under the mistaken impression that this legislation has anything to do with encryption, technology, or is in any way designed to solve a problem for the public.

      Short, un-pc but painfully true answer: India is an apartheid state run by privileged class. (Cue shill posters in 3..2..1.. Sorry. India's been like this for 5-10x longer than most other countries have flown their flags period. Its not changing any time soon.)

      They've got two goals: 1. Make sure that the lower classes stay impoverished by limi

    • What do you expect from a country run by Tata consultants?

  • It's this kind of foolishness which means that countries like India and China will never advance into the first rank of nations. It is part of a pattern of meddling, obstructiveness, distrust and plain lack of freedom that causes backwardness. I chuckle whenever a pundit proclaims that India is the future.

    I hasten to add that American politicians, regulators and the general public now seem intent on thrusting the US backwards, by the same means. America will never be overtaken, but it may fall by the waysid

  • reactions (Score:4, Insightful)

    by DriveDog ( 822962 ) on Monday September 21, 2015 @08:50AM (#50566253)
    This'll just drive the use of steganography, and then the government won't even know when there ARE messages.
    • by U2xhc2hkb3QgU3Vja3M ( 4212163 ) on Monday September 21, 2015 @09:09AM (#50566387)
      Agent 1: Wow, this guy sure likes sending photos of kittens.
      Agent 2: Oh, look how cute this one is!
      • Agent 1: Wow, this guy sure likes sending photos of kittens. Agent 2: Oh, look how cute this one is!

        Wonder why the second picture file is named operation_curry_storm.jpg?

    • by swb ( 14022 )

      What is the state of steganography these days?

      Hiding in plain sight seems to be a pretty good technique in the physical world and in the computer world it would seem to be a terrific to combine with encryption to make the encrypted data hard to identify.

      Especially in today's world where people are constantly sharing images, videos, etc.

      I'm also curious about using steganography in transport protocols -- steganographic data or parameters in HTTP/S requests and responses that would otherwise decode as meaning

  • Doesn't make sense (Score:5, Interesting)

    by Chrisq ( 894406 ) on Monday September 21, 2015 @08:54AM (#50566277)
    If I'm accessing an https website in India that would mean that I would have to copy everything I typed in and save it for 90 days. That's every web search, amazon review, etc.
    • by Jason Levine ( 196982 ) on Monday September 21, 2015 @09:38AM (#50566557) Homepage

      Not to mention all of your spam e-mails that you looked at via HTTPS webmail. Because if you don't keep an unencrypted copy of "herbal viagra for sale by nigerian princes whose daughters want to video chat with you" for 90 days then you're breaking the law!

    • If I'm accessing an https website in India that would mean that I would have to copy everything I typed in and save it for 90 days.

      And the other end would have to save all your form data in plaintext for 90 days, too. (I presume you mean "If I'm in India, accessing a https website" and not what you actually said; if you're not in India, or an Indian citizen, you're not bound by these laws.)

  • by ComputerGeek01 ( 1182793 ) on Monday September 21, 2015 @08:54AM (#50566283)

    I see nothing about the number of iterations. There are going to be an awful lot of pissed off spys when they find that decrypting a messages gives them another encrypted message

  • I wonder how this'll affect the companies that outsource stuff over to India and how badly this screw over their customers. I mean, I would imagine many of these outsourced services will need access to customer records and stuff from the company that hired them, but if the government insists on downgrading encryption and stuff it'll make it much easier for attackers to gain unauthorized access or for them to eavesdrop on stuff.

    • anyone outsourcing to india or china already has shown their hand:

      1) they care nothing about quality and are there ENTIRELY because of low-cost labor

      2) they care nothing about security; they never did. its only about #1

  • It will be ineffective and it will be wielded against people who haven't even abused the law.

    What's interesting about this proposal is that it actually includes a proviso that makes some sense. They want you to retain the unencrypted copy so that they can sniff through it, but shockingly, they don't want you to retain it forever. That seems like an admission that there are some secrets which should be protected by cryptography.

    • The problem, though, that even the 90 day limit is too much to require. Suppose you go to check your Gmail account. You've accessed it via HTTPS which means it's encrypted which means you now need to keep unencrypted versions of all of your e-mails for 90 days. Yes, even that Nigerian prince e-mail that you immediately went to delete as spam. First, you must save it without encryption and only then can you delete it. This will either a) make using any form of encryption too much of a hassle thus leavin

  • by Jawnn ( 445279 ) on Monday September 21, 2015 @09:25AM (#50566485)
    ...always trying to invade the privacy of their citizens. I'm just thankful that I Iive in the U.S.A. where that kind of thing... Oh, wait...
  • So, the Indian Govt thinks that intentionally weak crypto and forced plain text long term storage is a good idea? Never mind what the US might do with this. India's strategic and economic competitor is China, which will thus get so much more info product with so much less effort.

    On the flip side, this may be so unacceptable to the business sector that it'll become another source of graft for officials to look the other way. Aka, The "Bureaucrat Bonus" Bill. Something for everyone.

  • Stopping a law like this is probably expensive to some major industrialist out there. A fair few Crores Rs I would wager :)
  • by Sloppy ( 14984 ) on Monday September 21, 2015 @12:10PM (#50567629) Homepage Journal

    Waitaminute. If an Indian watches a DRMed movie, he'll be required by law to have cracked it and ripped it? If I sell DRMed media to Indians, am I going to automatically be a conspirator, if my customer doesn't crack it?

    There needs to be a DRM exception.

    And I'd rather not discuss the consequences of such an exception. ;-)

  • It would appear that India is choosing to squander its immense talent pool, and forego its future as a major world IT player. (Or, as others have pointed out, it's covertly encouraging a new boom in steganography technology.)
  • Tell Narenra Modi regime to fuck off https://www.change.org/p/prime... [change.org]

Stupidity, like virtue, is its own reward.

Working...