India to cripple its tech sector with proposed encryption crackdown
Companies must hand over crypto systems for scrutiny
The Indian government has published a draft of its latest plans for encryption. The proposals spell bad news for domestic software developers and will make other companies looking to do business in the subcontinent very nervous indeed.
The new National Encryption Policy [PDF] proposed by the nation's Department of Electronics and Information Technology states that the government will require applications using encryption to store plain text versions of all data for 90 days so that they can be examined by the police if need be.
"On demand, the user shall be able to reproduce the same plain text and encrypted text pairs using the software/hardware used to produce the encrypted text from the given plain text," the proposed rules read.
In addition, any overseas companies using encryption must submit their full crypto software, along with testing suites and supporting documentation, for scrutiny by the Indian government. No encryption algorithms or key lengths that haven't been approved by the government will be allowed.
The only exception to this is what the document describes as "mass use products like SSL/TLS," a rather confusing statement, since these are standards, not products. "Sensitive" government departments are also excluded from the proposed rules.
Even so, the proposals make the widely derided plans of America's law enforcement for a don't-call-it-a-backdoor into encryption look sane and balanced by comparison. Apple and Google are already fighting their domestic security agencies, and aren't likely to play ball with the Indian government either.
For a start, having to make a plain text copy of all data paints a huge hacking target over every company participating in the scheme. Such data repositories will be hugely profitable for hackers and spies, and would be very difficult to secure if they are being updated in real time.
Just as worrying is the Indian government's insistence that it knows best when it comes to encryption technology and implementation. Anyone selling to Indian customers will probably have to come up with a country-specific version to avoid breaking the law.
Bear in mind, however, that these are proposed rules only. The public comment period is open until October 16, and it's to be hoped that by then India's large technology sector will have pointed out how stupid and misguided these plans are. ®