Who: Draft National Encryption Policy
What: Released by DeitY
When: Third week of September 2015
Why: To encourage use of encryption technology
The Department of Electronics and Information Technology (DeitY) in the fourth week of September 2015 released the Draft National Encryption Policy.
The purpose of the policy is to encourage use of encryption technologies and products among governmental agencies, businesses and citizens for more secure communications and financial transactions in the cyber space.
The draft policy was framed under Section 84A and Section 69 of the Information Technology Act, 2000, which deal with prescribing modes or methods of encryption and decryption respectively.
Highlights of Draft National Encryption Policy
• Its vision is to enable an information security environment and secure transactions in Cyber Space for individuals, businesses and Government, including nationally critical information systems and networks.
• Its objectives are synchronizing with the emerging global digital economy, encouraging use of encryption for ensuring the security and confidentiality of data and encouraging wider usage of Digital Signature by all entities including government.
• It is applicable to all the Central and State Government Departments, statutory organizations, executive bodies, business and commercial establishments, Public Sector Undertakings, academic institutions, government personnel and citizens.
• It encourages use of encryption for storage and communication among the agencies and individuals covered under it.
• Under the policy, all organizations and citizens, except the central and state government departments, should store plain text information for 90 days from the date of transaction and produce the same to law enforcement agencies as and when demanded.
• However, mass use encryption products, social media applications such as Facebook, Twitter, etc., and SSL/TLS encryption products being used in Internet-banking and payment gateways, e-commerce and password based transactions were exempted from its purview.
• All vendors of encryption products shall register their products with the designated agency of the Government.
• The Government will notify the list of registered encryption products from time to time, without taking responsibility for security claims made by the vendors.
• Research and Development programs will be initiated for the development of indigenous algorithms and manufacture of indigenous products for Encryption, hashing and other cryptographic functions.
• A Technical Advisory Committee will monitor the technology development in the area of Cryptography to make appropriate recommendations on all aspects of Encryption policies and technologies.