India Takes a Step Backward for Privacy

In a move that seems to counter current privacy trends, India has drafted new laws that help law enforcement. They also fail to protect users’ rights. These new laws will dictate the algorithms and assign the lengths of encryption keys that most of the public may use. Some of these rules include policies on buying things online.

The laws state that non-strategic government users, consumers, and businesses must keep plain text versions of any encrypted data for 90 days. In the case of a purchase, that is 90 days from the date of the transaction. They must also provide that information to government agencies should they ask for it. That does not apply to agencies that are designed to deal with sensitive data, but everyone else is fair game.

The intent of these rules as stated by the government is to “provide confidentiality of information in cyber space for individuals”. That said, the lawmakers seem to be uninterested in how vulnerable these laws make their citizens. There is no way to verify the data would be protected once it got into government hands. Do they realize these laws nearly hand the plain text data to hackers on a silver platter? If they do, it becomes clear that the rights of the user are not the first item on their agenda.

Many internet security consultants in India are surprised by these new requirements. They agree that these laws do not have users’ rights in mind. In theory, that means data could be altered at the convenience of the government. As with any law, there is always a chance for abuse.

Ultimately, the ongoing battle over encryption rages on. On one side, you have the law enforcement organizations. They would like easier access to encrypted data, including back door entry points. On the other side, you have companies like Apple and Google that provide end-to-end encryption. These companies have become less cooperative in helping law enforcement over the last several years.

Though the law enforcement agencies do make a point, the line has to be drawn somewhere. From my point of view, there have been too many freedoms given up already under the guise of “protecting the people”. I understand that law enforcement needs to do their job, but that does not mean it is OK to violate the rights of citizens to do it. Why do our rights need to become collateral damage because law enforcement wants an easier time gathering information?