India withdraws draft encryption policy following controversy

The draft policy was criticized as meeting the needs mainly of law enforcement agencies

ransomware hardware security embedded circuit board integrated controller
Credit: IDGNS

The Indian government has withdrawn a controversial draft encryption policy, with a minister stating that the document was not the final view of the government.

Under the policy, consumers would have been required to store the plain texts of encrypted information for 90 days from the date of a transaction and provide the text to law enforcement agencies when required under the laws of the country. The government would have also specified the algorithms and the length of the encryption keys used by different categories of people.

The policy was largely seen as meeting the need for access to information by law enforcement agencies, and included similar restrictions on business users as well. It also called for Internet services providers to enter into unspecified agreements with the government.

On Tuesday, after criticism online of the government's proposed policy, Ravi Shankar Prasad, the country's minister for communications and information technology, said the document had been misunderstood and was being withdrawn until a reworded draft document could be prepared, according to the country's Press Information Bureau.

Following criticism that the measures would expose people to hacks and also compromise privacy, the government released late Monday a "proposed addendum" to its original document in which it clarified that the encryption policy did not apply to "mass use encryption products" such as WhatsApp, Facebook and Twitter.

The addendum also exempted from the rules the use of SSL/TSL encryption in e-commerce, online banking and other password-based transactions.

The government had asked for public feedback on the policy before Oct. 16.

The growth of transactions in cyberspace has created a need for an encryption policy, Prasad said.