The government of India has said that it would keep social media applications such as Whatsapp, Facebook and Twitter out of the purview of the National Encryption Policy.
The policy which seeks to control secured online communication would also keep out of the ambit secure banking transactions and passwords on e-commerce sites.
The bone of contention is that the draft National Encryption Policy proposes that digital business save all information in plain text format for 90 days. [Whatsapp, social media exempted, says govt over encryption policy]
How effective will this policy be and its effectiveness now comes under question as more and more people will share information on the social media considering it has been exempted, says expert on cyber laws, Pavan Duggal.
In this interview with OneIndia, Duggal discusses the policy and also points out that it would be subject to legal challenge as it is completely in violation of Article 21 of the Indian Constitution which guarantees right to privacy.
What are your thoughts on the National Encryption Policy?
Before we can discuss the policy, I would like to point out the clarification that the government has issued where social media applications have been exempted.
The government has bowed down to pressure and it is a kind of piece meal approach. The draft speaks about a 90 day retention programme on information on the computer in text format.
This basically would cover every Indian is covered by the said requirement.
This requirement runs contra to the entire objective of encryption since an encryption allows you to put in an algorithm and secure the message so that it cannot be intercepted or modified.
What happens if the 90 day retention programme is not followed?
As I said this provision would cover every Indian. If the programme is not followed it becomes a ground for criminal prosecution and the government is exposing Indians to the potential shadow of criminality.
Further the methodology of how to save such messages has not been defined.
The draft policy is not in account with Section 84 (A) of the IT act 2000. This section enables the government to prescribe the methods and modes of encryption and it is required to be done for secure usage of the electronic format and also for promoting ecommerce and e-governance.
If you look at the objectives of the draft policy it is in variance of the section. The draft policy is effectively something that the parliament did not envisage.
The parliament only required the government to prescribe the methods and modes and not to come up with policy. Now the government wants to come up with a policy and prescribe the modes.
Does it not run to contrary to what the Constitution has enshrined?
If every Indian is required to save in text form all his messages it is violation it is a violation of right to privacy under 21 of the constitution.
The question is this could lead to a legal challenge. Further the policy does not feature the essential elements of implementation.
The draft policy seeks to introduce a licence raj where all companies are required to be mandatorily registered and enter into the agreement with the government. It is very difficult to enforce the policy on companies that are outside India.
The other important issue is that the draft policy is not in tandem with the cyber security policy of the government. We don't have a dedicated cyber security legislation.
On top of it, we are trying to deal with an inter-related subject of encryption in an isolated manner. We need to have a holistic approach to cyber security.
Will it be applicable to government entities?
Yes it will be. It is applicable to government entities hence these entities would have to save the data on governmental networks which are not secure in nature. It invites hackers and information can be stolen.
This would have a very bad impact on cyber security.
I hope this does not turn out to be a paper tiger policy like the cyber security policy. Over all if one looks at the policy and the clarification issued, it would mean that more and more people would go to the social media and share information.
This basically defeats the entire exercise and will not serve any purpose. The issue needs more discussion and better deliberation before the government can think of implementing it.