Indian govt clamps down on all secure & private communications in draft policy doc


The Dept of Electronics & IT has issued a draft policy doc on #encryption, calling for inputs by Oct 16.
The draft policy document indicates that the Dept then seeks to frame rules on #cryptography under S.84A of India’s Information Technology Act.

Quotes from Document

As per the draft, things that might be illegal soon: secure messaging, VPNs, and deleting communications that aren’t more than 90 days old.


Section 69 of Information Technology Act of 2000 says:

Power to issue directions for interception or monitoring or decryption of any information through any computer resource. -

  1. Where the Central Government or a State Government or any of its officers specially authorised by the Central Government or the State Government, as the case may be, in this behalf may, if satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may, subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource.
  2. The procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed.
  3. The subscriber or intermediary or any person in-charge of the computer resource shall, when called upon by any agency referred to in sub-section (1), extend all facilities and technical assistance to-
    (a) provide access to or secure access to the computer resource generating, transmitting, receiving or storing such information; or
    (b) intercept, monitor, or decrypt the information, as the case may be; or
    (c) provide information stored in computer resource.
  4. The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with imprisonment for a term which may extend to seven years and shall also be liable to fine.

This draft policy seems to suggest no safeguards.


The U.S. Government has already, begrudgingly, reached the conclusion that strong encryption is unavoidable. The Indian government’s pursuit of such a policy provides the surest way of undermining the country’s burgeoning Internet and technology sector. Watch for the government to backtrack once technology companies weigh in and/or communication providers make decisions about serving Indian customers.

The degree to which a government embraces encryption as public policy is the surest measure of its trust in its people and strength.


After backlash, govt exempts WhatsApp, Facebook, payment gateways from encryption policy

It says the following:

The following categories of encryption products are being exempted from the purview of the draft national encryption policy:

  1. The mass use encryption products, which are currently being used in web applications, social media sites, and social media applications such as Whatsapp, Facebook, Twitter, etc.
  2. SSL/TLS encryption products being used in Internet-banking and payment gateways as directed by the Reserve Bank of India.
  3. SSL/TLS encryption products being used for e-commerce and password based transactions.

  1. The usage of the phrase ‘currently in use’ renders the policy vague. Firstly, when is “currently”?

  2. Will a new service that uses a different kind of encryption to protect its users still be covered? Why should users be “restricted to encryption currently in use”? Why should services like Whatsapp, Facebook and Twitter define our security standards?

  3. What about operating systems that encrypt hard disks for security? Those aren’t currently being used in web applications.

  4. Also, they address SSL and TLS as “mass-use products” rather than as encryption standards.

  5. Business-to-business communications, and business-to-consumer, consumer-to-business and consumer-to-consumer services that are not commonly in use, are still likely to be covered by this policy. This means that those who want to secure data more than common users of consumer products do are actually more open to attack.


**Update: Govt has withdrawn the Draft Encryption Policy after backlash**

Communications and information technology minister Ravi Shankar
Prasad announced the government’s decision at a news conference, saying
the draft National Encryption Policy will be reviewed before it is again
presented to the public for their suggestions.

“I read the draft. I understand that the manner in which it is
written can lead to misconceptions. I have asked for the draft policy to
be withdrawn and reworded,” Prasad said. He said the draft would be
re-released, but did not say when it would be made public.

“Experts had framed a draft policy…This draft policy is not the
government’s final view,” he added. “There were concerns in some
quarters. There were some words (in the draft policy) that caused

The draft will be reviewed and experts will be asked to specify to
whom the policy will be applicable, Prasad said. He did not say when the
new draft will be made public.

Those using social media platforms and web applications fell outside the scope of an encryption policy, Prasad said.

Several countries have felt the need for an encryption policy because
of the boom in e-commerce and e-governance, he remarked. “Cyber space
interactions are on the rise. There are concerns about security. We need
a sound encryption policy,” he said.

Govt seems to be testing the waters. We need to proactively engage now to prevent a similar one again.