
Cybersecurity & Standards, Government Surveillance

Encryption looms large over first strategic dialog between the U.S. and India

Daily Dot:

When two of President Barack Obama’s Cabinet secretaries meet Tuesday with their Indian counterparts, one important topic they may avoid is the Indian government’s controversial new plan to restrict its citizens’ and businesses’ use of encryption.

India released a draft of its new encryption policy over the weekend, just days before the first U.S.-India Strategic and Commerce Dialogue, and the document is already earning scorn from privacy activists and security experts. The policy would require companies that operate in India—as well as local, but not national, government departments—to install “backdoors” in their systems to let law-enforcement agencies bypass their encryption. It would also mandate the retention of unencrypted data for 90 days, essentially creating massive hacker-friendly honeypots of unsecured private communications.

“The Obama administration hasn’t made up its public mind as to where they’ll lean going forward, so it is probably not reasonable to expect administration staff to push hard against backdoors,” Joseph Hall, chief technologist at the Center for Democracy and Technology, told the Daily Dot in an email.

Even so, Hall said, India’s new policy invited other criticisms too. “Data retention of cleartext of communications for 90 days poses a serious security risk for data breaches and makes more modern kinds of cryptography impossible,” Hall said. A mandate to retain unencrypted data, he pointed out, would preclude the use of “perfect forward secrecy,” a powerful encryption scheme that is growing more popular in the U.S.

India’s encryption policy also sets specifications for the encryption that companies can use, such as the bit length of their encryption keys and the types of algorithms that can power the encryption. Hall called this “a horrible idea” and connected it to failed U.S. law-enforcement proposals in the 1990s, during the first phase of the so-called “Crypto Wars.”

Encryption restrictions like the ones that India is proposing “will result in more actual compromise of secure services and transactions and will chill engagement in e-commerce as well as sensitive services in finance, health, and critical infrastructure,” Hall said.

Full article here.