
Interest of Internet users should drive "Encryption Policy": IAMAI

Sanjeeb Kumar Sahoo

NEW DELHI: Encryption is a fundamental and necessary tool to safeguard the digital communication infrastructure. The interests of Internet users should be foremost in framing any encryption policy, according to a "discussion paper" released by the Internet and Mobile Association of India (IAMAI).


"Trust, convenience and confidence of users are the keywords to designing an ideal encryption policy that will help in getting more people online with safe and secured internet platforms," said Dr. Subho Ray, president, IAMAI.

The association has published this discussion paper with a view to encouraging discussion and debate around the issue, and has suggested that a broad-based public consultation with all stakeholders, including user groups, should precede the making of an encryption policy.

According to the paper, the foundation of a user-centric Encryption Policy consists of: Freedom of Encryption, Strong Encryption Base Standard, No Plaintext storage and Mandatory legal monitoring or No Backdoor Entry.


The most essential element in the paper suggests that support for strong encryption is critical to counter cyber security issues around the globe. Mandating a framework of legal monitoring or building backdoors will affect the users' trust in the internet. It will make the system weak and prone to illegal hacking without eliminating the real concerns. There is no point in having the world's best lock if the keys are kept under the doormat.

In addition, the paper suggests the importance of freedom of encryption for the users, organizations and the business entities. Prescribing a minimum standard is quite retrograde considering various users and internet companies need different encryption strength given the fast pace at which technology is changing.

Instead of a low ceiling, a high base should be specified based on the internationally proven encryption standards viz., AES-128 and 3DES and 256-bit. In India at present a low ceiling of 40-bit standard is prescribed, beyond which prior approval of the government and handing over the keys is mandatory. This standard is the weakest, outdated and can be easily hacked.

Antiquated policies such as mandatory plaintext storage and key disclosure violate the objectives of a strong encryption policy. They burden users and internet companies while not affecting the actual offender. Instead, practices such as forward secrecy and authenticated encryption should be adopted, where decryption keys are deleted immediately after use so that theft of the encryption keys used would not compromise data protection and privacy.

Careful consideration should be given to the impact and effectiveness of any proposed policy so that it does not compromise the existing robust system in place or pose unnecessary burdens on the internet users and firms.
