Developed by industry, academia and governments in standard setting organisations (SSOs)
'Rough Consensus' and 'running code'
Voluntary adoption
Compulsory adoption of standards
Mandates on high quality encryption standards and minimum key-sizes are an excellent idea within the government
Based on a national security imperative.
Compulsory adoption of standards
Mandates for corporations and ordinary citizens are based on the imperative of Surveillance
Standards prescribed are those that governments can compromise, usually via a brute-force method
Interferes with the market-based voluntary adoption of standards
Inappropriate regulation will undermine the security and stability of information societies
Specific Issues
Storage of equivalent plain text (decrypted versions) of their encrypted communications
For a period of 90 days from date of transaction
Specific Issues
“Service providers located within and outside India, using encryption” shall provide readable plain-text along with the corresponding encrypted information using the same software/hardware used to produce the encrypted information when demanded in line with the provisions of the laws of the country.
Solutions based on end-to-end encryption do not hold the private keys that are required for decryption
FOSS communities like the Tor Project, which don’t retain any user data
Specific Issues
Citizens may only use “encryption algorithms and key sizes will be prescribed by the government through notification from time to time.”
Near impossible to enforce given the burgeoning multiplicity of encryption technologies available and the number of citizens that will get online in the coming years.
Specific Issues
“service providers located within and outside India…must enter into an agreement with the government”
“vendors of encryption products shall register their products with the designated agency of the government”
“vendors shall submit working copies of the encryption software / hardware to the government along with professional quality documentation, test suites and execution platform environments”