Issue Debate #14 Data Encryption Policy : Step in the right direction

edited September 2015 in Issue Debates
Issue Debates Archives

Data encryption is a key pillar for growth of both e-governance and e-commerce. In the light of the above statement, critically analyze the proposed data encryption policy.

Reading List :-
1. Hindustan Times

What are Issue Debates?

Issue Debates are centered around the idea that Forums such as ours should be more relevant to the Examination Process apart from the social connect that we already provide.

Everyday, Issue Debate will come up with questions on issues that are related to the Examination Process - The Mains Examination.

Issue Debates will cover hundreds of issues over a period of time, and will be highly focused on the upcoming Mains Examination.

Covering All Issue debates will ensure that candidates for the Mains examination would have covered a very significant part of their Current Affairs syllabus and would have covered most issues concerning the examination.

Peer Review: Members of the Forum Can review answers and add more angles to the Issue.

Frequency : Issue Debates will be vary between 1-3 in Number and will be posted Everyday

Who can benefit from Issue Debates?
Issue debates will focus on issues that are important for the Mains Examination. Hence candidates appearing for Mains 2015 and 2016 will both benefit from it. Issues are not merely temporal in nature, but span over a significant period of time.

Discussing various aspects of issues helps in gaining a wider perspective of the issue and would be helpful in forming opinions that could hugely benefit aspirants, in their journey towards Civil Services. For newcomers, it will also help in identifying the issues that need to be prepared for the Exam.


Nature of Comments : Nature of comments on this thread are supposed to show depth of knowledge and intellect of the Candidates and should be strictly on - topics. Arguments should be logical and personal opinions or biases should be avoided.


  • The past few months have witnessed debates and discussions centred around citizen's digital rights. Alongside net neutrality, encryption has emerged as the new topic, where the debate is focused on reconciling the need for privacy amidst the demands of surveillance for national security.

    GoI has recently brought about its Draft National Encryption policy, which was supposed to be its answer for the above dilemma. But the draft policy fails on major accounts, even though its intended aims were noble and in line with the needs of the netizens.

    #Encryption: What is it! Applications.

    Date encryption means conversion of data into a form, called cipher-text using an algorithm. This helps avoid unauthorised access to personal data.

    -- E - commerce : Banks and shopping sites make use of encryption to store its user's financial and private data.

    -- E - governance : Encryption used to protect personal data of citizens. Extremely important in over-arching mechanisms like Aadhar.

    -- Communication Apps : WhatsApp, Skype, iMessage all make use of encryption to transmit messages. When a user sends a message, it is automatically transformed into undecipherable symbols using encryption. These symbols are then unscrambled after they are received by the receiver.

    Hence growth of these sectors hinge on an appropriate and industry standard encryption methods. The draft policy aims to provide guidelines in this regard.

    # National Draft Encryption policy - 2015
    Draft sets out to provide:
    -- Confidentiality of info on cyberspace for individuals.
    -- protection of sensitive or proprietary data of individuals and businesses.
    -- Ensuring reliability and integrity of nationally critical info systems and networks.

    But the various provisions of draft policy negate above aims:
    -- Individuals : All individuals are required to store their online activity and data for 90 days in a plain text document.
    * The above is an open invitation for hackers to exploit unaware users. A malware can easily be attached to videos, apps, pop-ups which can then transmit sensitive data in unencrypted form to attackers.
    *Keeping records for 90 days is also unfeasible for low-end users, whose mobile phones have limited data capacity.

    -- Corporates : Every organisation would have to keep its data, transactions and even passwords in plain text format for 90 days.
    * Red carpet rollout for hackers. Every 90 days they will come for fresh content.
    *Organisations generate hundreds of gb of data every day. Cost of maintaining this for 90 days is going to be a huge burden.
    *Also, there is a proposal of asking corporates outside India to follow such proposals if their client base is in India. This is simply asking too much.

    -- Service providers : Service providers located within and outside India, providing any type of services in India, that use encryption must enter into a contract with GoI.
    * This provision is going to stifle innovation. Detrimental to 'digital india'.
    * Also, this might lead to encryption raj, where government favours a select few.

    #Lessons to be learnt for GoI :

    -- Firstly, the initiative to put draft proposals in public domain for a wider debate is a healthy sign for Indian democracy.

    -- But, govt. has to understand that technology is unlike any other sector. It is a hyper-active sector, rapidly changing. What the norm is now, may not be the norm tomorrow. It will become incredibly hard for the govt. to keep track of tech. developments and update its policy side by side.

    -- Govt. should leave room for innovation, and only set the basic minimum standard for encryption.

    -- Also, peace has to be made with the fact that its practically impossible to keep track of all personal interactions. It will be better advised to focus more on linkages directly with the organisations, so that requests of law-enforcement agencies for encrypted info is readily processed, and clauses like that of 90 days is not required.

    -- Consumers do not possess the technical know-how of encryption. Any policy focused on changing the habits of consumers is bound to fail.
    Na mai padheya, Na mai likheya
    Par mai duniya, toh badha sikheya
  • @Captain_Peroxide ji.. dhanyawaad. The two points that you stated are very good and I completely forgot them.

    But I am concerned about the lack of views these issues are getting. Last issue(#13) got just 350 odd views and it was mostly me, captain ji, jigsaw ji and a few others (Sorry! Unable to recall) commenting. Even this issue has got just 50 views and its been up since 20 hrs.

    Can we have the present issue in discussion put in the recents panel on the home page ? So that people who randomly chance upon the thread can also see the initiative. After the issue is done, it can be put into the issues panel for archive viewing.

    @Neyawn ji.. Any help?
    Na mai padheya, Na mai likheya
    Par mai duniya, toh badha sikheya
  • @RasAlGhul Great answer.
    I agree with @Captain_Peroxide that Sec 69 of IT Act already provides the government power to demand decryption of digital information from entities or individuals for national security or public order.
    The amendment of 2008 had mandated the government under Sec 84A to draft a National Encryption Policy for the purpose of e-governance, e-commerce and secure use of electronic medium. So a policy was required to protect such operations from third party elements lack hackers. This recent draft is greatly tangential to the Parliamentary mandate. Instead of ensuring safety in the digital space it threatens to violate peoples right to privacy apart from fear of violating Art 19.
  • Can we also include the fact that data encryption is just one part of cyber security and we probably need to really enforce the National Cyber Security Policy for a holistic picture?
    “It is not in the stars to hold our destiny but in ourselves.”
  • And by the way,brilliantly written!
    “It is not in the stars to hold our destiny but in ourselves.”
  • Can someone please highlight the main points of the National Cyber Security Policy? We might be able to analyse @Manjula 's point better that way.
  • edited September 2015

    India’s National Cyber Security Policy 2013:

    1. Set up a 24×7 National Critical Information Infrastructure Protection Centre (NCIIPC) for protecting critical infrastructure of the country.

    2. Create a taskforce of 5,00,000 cyber security professionals in next five years.

    3. Provide fiscal schemes and benefits to businesses for adoption of standard security practices.

    4. Designate CERT-In as the national nodal agency to co-ordinate cyber security related matters and have the local (state) CERT bodies to co-ordinate at the respective levels.

    5. All organizations to designate a CISO and allot a security budget.

    6.Use of Open Standards for Cyber Security.

    7. Develop a dynamic legal framework to address cyber security challenges (Note: The National Cyber Security Policy 2013 does not have any mention of the IT Act 2000)

    8. Encourage wider use of Public Key Infrastructure (PKI) for government services

    9. Engage infosec professionals / organizations to assist e-Governance initiatives, establish Centers of Excellence, cyber security concept labs for awareness and skill development through PPP - a common theme across all initiatives mentioned in this policy.

    10. Apart from the common theme of PPP across the cyber security initiatives, the policy frequently mentions of developing an infrastructure for evaluating and certifying trustworthy ICT security products.
    "You can't stop the waves, but you can learn to surf"
  • edited September 2015
    Adding to @MD47,
    1. Information sharing and co-operation on a bilateral and multi-lateral level with other countries and nationally, with security agencies, defence forces and law enforcement agencies.
    2. Managing supply chain risks w.r.t IT products, services and systems.
    3. Creating an assurance framework to periodically verify compliance of various systems and protocols.
    “It is not in the stars to hold our destiny but in ourselves.”
  • @Manjula Since the basic thrust of Encryption is prevention of access of information to unauthorised users it is in perfect consonance with Cyber Security concerns. So it will be valuable to mention that data Encryption is essential for successful implementation of NCSP.
  • I would like to add one thing that the main offices of the social media sites are in countries outside the sec 69 it act becomes redundant as taking permission from the offices elsewhere do not yield positive reaponse at times as these companies are not bound to an international consensus shoud be arrived at which will strike the right balance between the right to privacy and national security together
Sign In or Join to comment.

Subscribe to ForumIAS Blog


We are a secret self-moderated community for Civil Services preparation. Feel free to join, start a discussion, answer a question or just to say Thank you.

Just dont spread the word ;)

Sign in or join with Facebook or Google