Deleting WhatsApp, Google Hangouts messages could become illegal in India

[Capricorn]

http://timesofindia.indiatimes.com/...ome-illegal-in-India/articleshow/49046713.cms


NEW DELHI: You may soon need to keep a copy of all messages sent through encrypted messaging services such as WhatsApp (Android version supports encryption), Google Hangouts or Apple's iMessage, for 90 days, if the proposed National Encryption Policy is implemented in its current form. Online businesses too would need to keep your sensitive information including passwords in plain text for the same period of time, thus exposing your information to potential hacking attacks.

The government has published a draft of the policy document online to seek feedback from citizens and organisations. It details methods of encryption of data and communication used by the government, businesses and citizens.

Here are some implications for citizens and companies if the policy is implemented in its current form ...

According to the draft, citizens may use encryption technology for storage and communication. However, encryption algorithms and key sizes will be prescribed by the government through Notification from time to time. This means that the government will determine the encryption standards for all and entities like Google and WhatsApp will have to follow the encryption standards prescribed by the Indian government.

What's bizarre is that the draft lists specific guidelines for all citizens who use encryption services including instructions that individuals should store in plain text versions of communication for 90 days. So this may imply that you'll have to store your WhatsApp messages for 90 days or face action in case asked to reproduce.

What's appalling is that the government expects all citizens to be aware of encrypted communication and the way to store messages in plain text securely. A large number of users may in fact not even know that WhatsApp and iMessage use encryption.

As per the draft, "all citizens including personnel of Government / Business (G/B) performing non-official / personal functions, are required to store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country."

The draft also proposes similar guidelines for B2B or enterprise users where data exchange is even more critical and for B2C communication. "On demand, the user shall be able to reproduce the same Plain text and encrypted text pairs using the software / hardware used to produce the encrypted text from the given plain text. Such plain text information shall be stored by the user/organisation/agency for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country," it adds. This implies that e-commerce websites will have to keep a plain-text copy of user details leaving their information vulnerable to hackers.

The policy also mentions that Service Providers located within and outside India, using encryption technology for providing any type of services in India must enter into an agreement with the government for providing such services in India. The government will designate an appropriate agency for entering into such an agreement with the service provider located within and outside India. This means WhatsApp, Apple and Google will have to sign agreements with the Indian government to provide services in the country as they use encryption technology. This will make the process more bureaucratic and create roadblocks for app providers. In its current form the policy could have a detrimental effect on the privacy of citizens and expose sensitive data to potential abuse.

"All vendors of encryption products shall register their products with the designated agency of the government. While seeking registration, the vendors shall submit working copies of the encryption software / hardware to the Government along with professional quality documentation, test suites and execution platform environments. The vendors shall work with the designated Government Agencies in security evaluation of their encryption products," the draft adds.

However, mass use products like SSL/TLS that are used for financial transactions are exempted from registration. Users in India are allowed to use only the products registered in India though. So using a service not registered with the government will be illegal. "Government reserves the right to take appropriate action as per Law of the country for any violation of this Policy," the draft categorically states.

The document has been drafted by an expert group set up under the Department of Electronics and Information Technology (DeitY) which comes under the union ministry of communications and information technology. All citizens can send their comments on the draft policy to [email protected] by October 16 and give suggestions.

 

[Alien]

WTF? This is insane!

If govt. is so concerned about the security, why impose restrictions on common users? Provide an alternatives like what China has did for their citizens and ban these services completely from India instead of drafting these utter useless draconian laws.

Why should an innocent user bother about keeping messages for 90 days?

I agree that Whatsapp, Google Hangout etc... poses a threat and traitors use them as a secure mode of communication. however, what a common bloke has done so as to impose this ridiculous law on him/her?

On one hand, govt talks about Digital India and on the other hand, formulates such idiotic laws full of drivel.

I am disappointed

 

[thethinker]

Not mandatory to save WhatsApp chats, e-banking, e-commerce exempted from encryption policy, clarifies government


http://www.ibnlive.com/news/tech/no...tion-policy-clarifies-government-1107673.html

Hours after reports that deleting WhatsApp and Google Hangouts messages could soon become illegal, the government has done a u-turn. It has issued a clarification saying that a new draft encryption policy will not apply to social media. The clarification from the government comes after public outrage.

In its latest addendum, the government has said that apart from social networking, internet banking and e-commerce are also exempt from the policy.

he original draft of the policy said that users of services that use encryption to secure communication, such as WhatsApp and other instant messaging services, could be required to store all their communication for as long as 90 days and make them available to law enforcement agencies when legally asked to.

The draft policy further said that that service providers using encryption technology or those providing such services in India "must enter into an agreement with the government for providing such services in India."

A large number of communication and other services use some form of encryption. This means thousands of companies around the world providing such services will be required to enter into an agreement with the Indian government, something that experts think is unrealistic.

The policy also requires businesses and users to store communication in both unencrypted and encrypted forms. This defeats the very purpose of encryption.

According to the draft policy, the government will also prescribe the algorithms and key sizes for encryption. The government's choices of encryption technology has also invited criticism.

DeitY, had last week, posted the Draft National Encryption Policy on its website inviting comments from the public. The purpose of the policy is to frame rules under Section 84A of the Information Technology Act, 2000, regarding use of encryption methods. Comments on the Draft National Encryption Policy have to be sent in by October 16, 2015.

The draft New Encryption Policy had triggered privacy concerns. Legal action that could also include imprisonment had been proposed in the draft policy unveiled by the government for failure to store and produce on demand the encrypted messages sent from any mobile device or computer. The policy also wanted everyone to hand over their encryption keys to the Government.

The draft proposes that users of encrypted messaging service on demand should reproduce same text, transacted during a communication, in plain format before law enforcement agencies and failing which the government can take legal action as per the laws of the country.

The proposed policy, issued by the Department of Electronics and Information Technology, would apply to everyone including government departments, academic institutions, citizens and for all kind of communications -- be it official or personal.

Generally, all the modern messaging services like WhatsApp, Viber, Line, Google Chat, Yahoo messenger etc, come with high level of encryption and many a time security agencies find it hard to intercept these messages.

"All information shall be stored by the concerned B/C entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country," the draft said.

The draft defined 'B category' as all statutory organizations, executive bodies, business and commercial establishments, including all Public Sector Undertakings, Academic institutions. The 'C category' as per the draft are all citizens including personnel of government and business performing non-official or personal functions.

In case of the user having communicated with foreigner or entity abroad then the primary responsibility of providing readable plain text along with the corresponding encrypted information would be that of the user in the country. Besides this, all service providers located within and outside India that use encryption technology for providing any type of services in India must register themselves with the government, as per the draft.

The last date for public to comment on the draft is October 16, 2015.

 

[jackprince]

It is nothing but a mis-information campaign to tarnish BJP govt. Also, I don't see any harm if Govt. gets access to the SM message services, provided they can only access them with a court-order. I do think that giving all encompassing power to any agency would be opening roads for abuse of the power. A court monitoring by the way of having to get an warrant for specific access to individual's account should be made mandatory.

 

[DingDong]

This is perfectly legitimate because most of these service providers have their servers located in the US. While they provide unrestricted access to the US agencies, they make other countries virtually beg for the data.

Just in case the media fools do not know, all Cypher Standards are Open (Source Code Publicly Available), that is because every one of them undergoes peer review by a large number of people including academicians, cryptologists, security analysts (ethical hackers) during standardization. Hence the GOI asking for submission of standards doesn't have any impact over the data security/privacy. All companies are following the NIST (US Government) standards anyways.

 

[I_PLAY_BAD]

The Government will have access to all encrypted information, including personal emails, messages or even data stored on a private business server, according to the draft of a new encryption policy. The Draft National Encryption Policy wants users to store all encrypted communication for at least 90 days and make it available to security agencies, if required, in text form. It also wants everyone to hand over their encryption keys to the government.

The draft was formulated by an expert group set up by the Department of Electronics and Information Technology (DeitY) under Section 84A of the Information Technology Act, 2000. Since every messaging service and email, including WhatsApp and Gmail, use some form of encryption, this draft would cover almost all instant messages and emails.

As the issue started snowballing on social media, DeitY issued an addendum to the draft policy exempting “mass use encryption products, which are currently being used in web applications, social media sites, and social media applications such as Whatsapp, Facebook, Twitter etc”. It also exempted SSL/TLS encryption products used in Internet-banking and payment gateways as well as SSL/TLS encryption products being used for e-commerce and password based transactions.
Cyberlaw expert Pawan Duggal has described the policy as “draconian” and “misplaced”. “Almost everyone using the Internet will find themselves in violation of these rules. It is hence detached from the ground realities. This policy has been drafted for the PC era and does not take into consideration the mobile revolution in the country,” he said.

According to Duggal, the policy presumes that everyone will fall in line, while the technology providers, most of whom are based outside India, will not conform to these rules. “In fact, the policy will be counter productive and only discourage people from using encryption,” he said, adding that the draft was also in contrast to the objectives of the IT Act under which it has been framed.

The draft policy, for which the DeitY has invited comments from the public till October 16, has suggested that “all vendors of encryption products shall register their products with the designated agency of the Government”.

The final policy will be drafted only after the feedback is taken into account. At the moment, it seems the public reaction to the policy will be aggressive as it will affect almost all Internet users — a majority is not even aware that it is using encryption technologies.

The preamble of the draft says “the cryptographic policy for domestic use supports the broad use of cryptography” in ways that facilitate privacy and international economic competitiveness. However, in its objectives, it lists the “use of encryption for ensuring the security/ confidentiality of data and to protect privacy in information and communication infrastructure without unduly affecting public safety and National Security”.

The Government will regularly notify a list of registered encryption products and only these services will be able to conduct business in the country. Duggal said this will restart a “registration raj” and isolate India further.

Unlike the US, which prevents the export of encryption products, India will allow this with “prior intimation to the designated agency”. But again, “users in India are allowed to use only the products registered in India”.

When contacted, representatives of OTT messaging and email services refused to react to the draft policy.

Earlier this year, a debate over net neutrality gathered steam in India when Airtel proposed a zero rating plan where app developers paid to make data consumption free for users. But a public backlash saw apps like Flipkart which were part of the Zero rating scheme as well as Facebook’s Internet.org, the so-called free gateway to the Internet, pulling out.

The Department of Telecommunications’ net neutrality report released in July said “the core principles of Net Neutrality must be adhered to” and that user rights on the Internet need to be protected. The government has so far received over 60,000 responses on the policy framework.

Link : http://indianexpress.com/article/te...-need-to-store-whatsapp-messages-for-90-days/

So no need to worry much as of now.....

 

[Bangalorean]

@DingDong , @jackprince etc.:

Government monitoring of communication isn't such a good thing. At the end of the day, the "government" is comprised of babus and morons. Basically human beings just like you and me. And remember, governments change all the time. Today you might be cool with this. When Cong-AMIM govt. comes in (God forbid) a decade down the line, you wouldn't want to be caught with such laws.

Regarding the point of servers being located in India: frankly, lot of companies would love to have servers in India. But our services/infra are so shitty, we practically make it impossible. Amazon web services wanted to have huge cloud farms in Bangalore (so far they have it only in Singapore/Tokyo/Sydney/Dublin/Frankfurt/Oregon/etc.). But there are such immense roadblocks on the way, its really not cost-effective.

The way the IT outsourcing boom kicked off in India, servers will automatically follow, due to critical mass here, and cost differential. But look at the situation - in Karnataka we had several power cuts last week. The central grid has a power surplus, but Siddaramiah has squandered all the money on dole schemes like "Shaadi bhagya", "Burqa bhagya", etc. They have no money to purchase from the grid.

With this kind of shit going on, where is the hope to set up cloud servers in India? I tell you - the day the base issues are resolved, these things will automatically follow.

 

[tharikiran]

From what I understand it is for Blackberry to Blackberry.And even for that they will first take cout order also called as subpoena if I am not wrong. More of a dis information campaign. B2B has already been implemented in 50 countries.

 

[jackprince]

@DingDong , @jackprince etc.:

Government monitoring of communication isn't such a good thing. At the end of the day, the "government" is comprised of babus and morons. Basically human beings just like you and me. And remember, governments change all the time. Today you might be cool with this. When Cong-AMIM govt. comes in (God forbid) a decade down the line, you wouldn't want to be caught with such laws.

Regarding the point of servers being located in India: frankly, lot of companies would love to have servers in India. But our services/infra are so shitty, we practically make it impossible. Amazon web services wanted to have huge cloud farms in Bangalore (so far they have it only in Singapore/Tokyo/Sydney/Dublin/Frankfurt/Oregon/etc.). But there are such immense roadblocks on the way, its really not cost-effective.

The way the IT outsourcing boom kicked off in India, servers will automatically follow, due to critical mass here, and cost differential. But look at the situation - in Karnataka we had several power cuts last week. The central grid has a power surplus, but Siddaramiah has squandered all the money on dole schemes like "Shaadi bhagya", "Burqa bhagya", etc. They have no money to purchase from the grid.

With this kind of shit going on, where is the hope to set up cloud servers in India? I tell you - the day the base issues are resolved, these things will automatically follow.

You have to keep faith in judiciary. I am not asking about trusting Govt., but am in favour of Govt. having the power to access data when required, subject to jusicial permission which is not possible now due to servers being outside if India. The contracts with Govt would make it mandatory for the services to provide data and access when asked and needed by Govt. But judicial supervision must be there, as you said I dont trust even this govt completely.

 

[FRYCRY]

Bhakts can defend anything even if modi will order to drink cow urine they will somehow defend it

 

[Bangalorean]

You have to keep faith in judiciary. I am not asking about trusting Govt., but am in favour of Govt. having the power to access data when required, subject to jusicial permission which is not possible now due to servers being outside if India. The contracts with Govt would make it mandatory for the services to provide data and access when asked and needed by Govt. But judicial supervision must be there, as you said I dont trust even this govt completely.

Even today, your call records etc. can be accessed only with the order of an enforcement authority (Police, CBI, ED, etc.) - and your phone can be tapped only with a court order.

The issue, as you have rightly pointed out, is that most companies have servers outside India and our enforcement authorities cannot force them to hand over data. The solution is to get servers moved to India which is not possible due to infrastructural reasons.

I am the founder of a company which deals with a lot of ultra-sensitive user financial information like credit card details, transactions, payment history, etc. The servers are located in Singapore and Dublin (Amazon cloud). Though there is no explicit rule against storing such data of Indian nationals in servers outside India, there are occasional noises by regulatory authorities against such a practice. Personally I would love to have a server within India.

I asked Amazon about their plans to have a server in India. They have been trying for a long time, but it's horrendously tough. With the kind of infra that these morons provide, let alone servers, it's a miracle that even the outsourcing boom took place.

 

[sob]

Bhakts can defend anything even if modi will order to drink cow urine they will somehow defend it

Wise guy if there is nothing sensible to offer then keep shut. You do not have to butt in everywhere.

Post something sensible.

 

[DingDong]

Bhakts can defend anything even if modi will order to drink cow urine they will somehow defend it

Why are you scared? Plotting Jihad against the state?

 

[Alien]

You have to keep faith in judiciary. I am not asking about trusting Govt., but am in favour of Govt. having the power to access data when required, subject to jusicial permission which is not possible now due to servers being outside if India. The contracts with Govt would make it mandatory for the services to provide data and access when asked and needed by Govt. But judicial supervision must be there, as you said I dont trust even this govt completely.

First of all, today, govt has no mechanism to snoop the user data and they are asking users to keep the data for records! What an insane thought?

Tomorrow, if some govt servant comes to you and demands to reveal your personnel data and says, you are a suspect, would you going to comply?

BTW, Who is going to decide what data needs to be accessed? How are they going to filter the data?

It's not an Income Tax audit wherein a person have to comply on the audit request. Social media chats, conservations are an individuals personal things and govt must not interfere in one's personal matters.

If the govt. need to access the data, they need to develop a mechanism to do that just like what NSA have done in USA. Instead of finding a way, these morons are formulating laws.

 

[DingDong]

@DingDong , @jackprince etc.:

Government monitoring of communication isn't such a good thing. At the end of the day, the "government" is comprised of babus and morons. Basically human beings just like you and me. And remember, governments change all the time. Today you might be cool with this. When Cong-AMIM govt. comes in (God forbid) a decade down the line, you wouldn't want to be caught with such laws.

Regarding the point of servers being located in India: frankly, lot of companies would love to have servers in India. But our services/infra are so shitty, we practically make it impossible. Amazon web services wanted to have huge cloud farms in Bangalore (so far they have it only in Singapore/Tokyo/Sydney/Dublin/Frankfurt/Oregon/etc.). But there are such immense roadblocks on the way, its really not cost-effective.

The way the IT outsourcing boom kicked off in India, servers will automatically follow, due to critical mass here, and cost differential. But look at the situation - in Karnataka we had several power cuts last week. The central grid has a power surplus, but Siddaramiah has squandered all the money on dole schemes like "Shaadi bhagya", "Burqa bhagya", etc. They have no money to purchase from the grid.

With this kind of shit going on, where is the hope to set up cloud servers in India? I tell you - the day the base issues are resolved, these things will automatically follow.

Media made huge controversy on the basis of a public draft, the government was seeking public opinion and received undue criticism in response. Who tells you that the government will not do it silently, all the GOI needs to do is to set aside sufficient funds for the NTRO. Media has effectively scuttled the public debate, what follows may be even more dangerous because the Babus will run it the way they like. Good job Media.

 

[Bangalorean]

Media made huge controversy on the basis of a public draft, the government was seeking public opinion and received undue criticism in response. Who tells you that the government will not do it silently, all the GOI needs to do is to set aside sufficient funds for the NTRO. Media has effectively scuttled the public debate, what follows may be even more dangerous because the Babus will run it the way they like. Good job Media.

Good point... anyway, I hope the babus actually focus on power and internet infrastructure, at least in top 8 cities. Most of these issues will automatically be resolved then.

 

[Mad Indian]

Indian libtards are hilarious. So they have no problem with USA snooping them through SM but have concerns of Indian govt snooping on them.

I am for free speech, but I don't think monitoring of SM is acting against free speech. If the govt comes up with a stupid plan to criticise free speech, then I will be against it. Till then no issues.

 

[Abhijat]

If we could just step aside from C2C communication , and looked into other beneficial points of the policy for the moment , those are :

1. Adoption of information security best practices by all entities , which are consistent with industrial standards , thus integration in digital global economy,

2. Standardize encryption products , also ensuring their reliability and integrity,

3. Compulsory encryption for all Government department including PSU's and such,

4. Use of Digital Signature by government entities , thus providing reliability of information,

5. Development of requisite infrastructure by government to test and evaluate these encryption products ,

6. Also, encouraging R&D in indigenous algorithms , hashing and other cryptography

 

[Abhijat]

Indian libtards are hilarious. So they have no problem with USA snooping them through SM but have concerns of Indian govt snooping on them.

I am for free speech, but I don't think monitoring of SM is acting against free speech. If the govt comes up with a stupid plan to criticise free speech, then I will be against it. Till then no issues.

Nowhere in the draft policy , seems to be intention of government to snoop on citizen as per se.
But , what I inferred from the same was that , it was for the promotion of encryption in every field and also providing government with requisite tool to obtain information/data as per Indian law.

But, we do know about the habit of media and their hidden agenda , don't we ! :biggrin2:

 

[jackprince]

First of all, today, govt has no mechanism to snoop the user data and they are asking users to keep the data for records! What an insane thought?

Tomorrow, if some govt servant comes to you and demands to reveal your personnel data and says, you are a suspect, would you going to comply?

BTW, Who is going to decide what data needs to be accessed? How are they going to filter the data?

It's not an Income Tax audit wherein a person have to comply on the audit request. Social media chats, conservations are an individuals personal things and govt must not interfere in one's personal matters.

If the govt. need to access the data, they need to develop a mechanism to do that just like what NSA have done in USA. Instead of finding a way, these morons are formulating laws.

Actually, the rumour of everybody having to save data is only that - a rumour. Possibly spread by anti-BJP interests.

Secondly, when a person is suspected to be guilty of some criminal activities and the judiciary is satisfied with the application by the law enforcement agencies, there's nothing that can be called personal even today, which the law enforcement agencies cannot take a look into. If a warrant is issued against you, anything that you possess, is within limit of investigation of law enforcement. Even the personal diaries or letters or anything. So, if the physical things that are private can be brought within the purview of investigation, why should the virtual presence be left out? Given that, more action these days are in virtual worlds, it is of paramount importance that when needed, with judicial supervision i.e. with warrant, the investigation agencies should be able to access the online data.

I am completely against indiscriminate snooping by govt., however when called for the agencies should be able to access them.

The key word is with explicit permission in form of WARRANT ISSUED BY JUDICIARY, the access should be there.

Even today, your call records etc. can be accessed only with the order of an enforcement authority (Police, CBI, ED, etc.) - and your phone can be tapped only with a court order.

The issue, as you have rightly pointed out, is that most companies have servers outside India and our enforcement authorities cannot force them to hand over data. The solution is to get servers moved to India which is not possible due to infrastructural reasons.

I am the founder of a company which deals with a lot of ultra-sensitive user financial information like credit card details, transactions, payment history, etc. The servers are located in Singapore and Dublin (Amazon cloud). Though there is no explicit rule against storing such data of Indian nationals in servers outside India, there are occasional noises by regulatory authorities against such a practice. Personally I would love to have a server within India.

I asked Amazon about their plans to have a server in India. They have been trying for a long time, but it's horrendously tough. With the kind of infra that these morons provide, let alone servers, it's a miracle that even the outsourcing boom took place.

Man, I am moving to Kolkata permanently in few months, and I am already upset that I couldn't find a decent BB connection even with reasonable higher price. How could there a flourishing IT business go up in WB, has become a wonder to me!!!