Following public outcry, the central government on Tuesday made a U-turn on a proposed policy and exempted users of social media sites and apps, as well as net banking and password-based e-commerce, from saving data for a minimum of 90 days from the date of transaction.
In a clarification to what it called the Draft National Encryption Policy, the Department of Electronics and Information Technology said the following categories of encryption products were being exempted from its purview:
– The mass-use encryption products which are currently being used in web applications, social media sites, and social media applications such as WhatsApp, Facebook, Twitter, etc.
– SSL/TLS (Secure Sockets Layer/Transport Layer Security) encryption products being used in Internet banking and payment gateways as directed by the Reserve Bank of India (RBI).
– SSL/TLS encryption products being used for e-commerce and password-based transactions.
“The draft encryption policy is only a proposal. It is not a final document of the government,” Communications and IT Minister Ravi Shankar Prasad told reporters here. “The policy will consider the views of the public.”
Earlier, as per the new draft, every message sent through e-mail, WhatsApp or SMS was required to be stored in plain text format for 90 days from the date of transaction and made available to law enforcement agencies on demand.
The draft proposed to introduce a New Encryption Policy under Section 84A of the Information Technology Act, 2000, and called for public comments by Oct 16.
The stated mission of the policy is to provide confidentiality of information in cyberspace for individuals, protect sensitive or proprietary information, and ensure the reliability and integrity of nationally critical information systems and networks.
“Users or organisations within B group (that is business-to-business sector) may use encryption for storage and communication. Encryption algorithms and key sizes shall be prescribed by the government through notifications from time to time,” the draft said.
“On demand, the user shall be able to reproduce the same plain text and encrypted text pairs using the software or hardware used to produce the encrypted text from the given plain text,” it added.
“Such plain text information shall be stored by the user or organisation or agency for 90 days from the date of transaction and made available to law enforcement agencies as and when demanded in line with the provisions of the laws of the country.”
The objectives of the policy are to synchronise with the emerging global digital economy and network society, and to use encryption for security, data confidentiality and the protection of privacy in the electronic information space without unduly affecting public safety and national security.