Government exempts WhatsApp, social media from purview of encryption policy
NEW DELHI: Shortly after a controversy erupted over government’s proposal to investigate on every message that an individual will send via WhatsApp, SMS, or Google Hangouts, the Department of Electronics and Information Technology clarified in a draft that social media websites and applications will be exempted from the purview of the Encryption Policy.
According to the draft posted by Deity, there are certain categories of encryption products that will be exempted from the purview of the draft national encryption policy.
The mass-use encryption products, which are currently being used in web applications, social media sites, and social media applications such as WhatsApp, Facebook, Twitter etc are being exempted from the purview of the draft National Encryption Policy, said a proposed addendum to the policy posted on the department’s website.
Encryption products used in Internet banking and payment gateways, and those used for e-commerce and password-based transactions will also be exempted.
Deity had earlier proposed that all messages sent through encrypted messaging services such as WhatsApp (Android version supports encryption), Google Hangouts or Apple’s iMessage, must be stored for 90 days.
The move triggered widespread privacy concerns and generated heated debate.
The draft of New Encryption Policy proposes that users of encrypted messaging service on demand should reproduce same text, transacted during a communication, in plain format before law enforcement agencies and failing to do so may lead to imprisonment of the user as per the provisions.
The proposed policy, issued by the Department of Electronics and Information Technology, would apply on everyone including government departments, academic institutions, citizens and for all kind of communications — be it official or personal.
Generally, all the modern messaging services like WhatsApp, Viber, Line, Google Chat, yahoo messenger etc, come with high level of encryption and many a time security agencies find it hard to intercept these messages.
“All information shall be stored by the concerned B/C entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country,” the draft said.
The draft has defined ‘B category’ as all statutory organizations, executive bodies, business and commercial establishments, including all Public Sector Undertakings, Academic institutions.
The ‘C category’ as per the draft are all citizens including personnel of government and business performing non-official or personal functions.
In case of the user has communicated with foreigner or entity abroad then the primary responsibility of providing readable plain text along with the corresponding encrypted information would be that of the user in the country.
Besides this all service providers located within and outside India that use encryption technology for providing any type of services in India must register themselves with the government, as per the draft. .
The draft proposes to introduce the New Encryption Policy under section 84 A of Information Technology Act 2000. This section was introduced through amendment in 2008.
The sub-section 84 C that was also introduced through the amendment has provision of imprisonment for violation of the act.
“Encryption products may be exported but with prior intimation to the designated agency of Government of India. Users in India are allowed to use only the products registered in India. Government reserves the right to take appropriate action as per Law of the country for any violation of this Policy,” the draft said.
The last date for public to comment on the draft is October 16, 2015.
“Having a draft on issue is a welcome step. It looks at everything with prism of law enforcemnnt. It will create a license raj. There is very much concern around privacy of citizen. The policy wants messages to be given on demand. If my private information is sought by government, it should be done through courts,” Arun Sukumar,Head, Cyber Initiative, said.