The government of India this week rescinded the controversial National Encryption Policy, which would have sharply curtailed Internet freedom and privacy in India. But serious privacy concerns remain.
The proposal would have required computer programs that encrypt data to make it available in plaintext form for at least ninety days after it is created. The policy also granted the police the power to inspect that data at any time.
On Sept. 22, the government withdrew the proposal and promised to rethink its data censorship policies. It also emphasized that it does not expect end users to provide unencrypted data to the authorities upon request. That assurance seemed to placate many original critics of the proposal.
However, the government has maintained a strict stance regarding how businesses and apps store user data. For “those who encrypt” — in other words, companies and apps that encrypt information with their software — “there has to be a policy regulating the manner of their encryption,” a government official said.
That means the same privacy issues will exist under any new proposal that the government drafts. As long as companies and app developers in India are required to share users’ data in unencrypted form with the government, users can’t be sure that the emails, chats, files and other information they upload to the cloud or otherwise feed to computer programs are safe.
Actually, in a way, forcing apps to store data in unencrypted form is even worse than making users do it. At least users would know when the government demands to read their information. When companies are the ones storing it unencrypted and passing it onto the government, the process because even more secretive.
Plus, requiring apps to store data unencrypted creates huge security holes that company employees or hackers could exploit. If data is encrypted, unauthorized parties at least need to get access to the encryption keys to read it. When it’s not encrypted, anyone who can get past basic access barriers like passwords can read the information.
The bottom line: Don’t count on your Internet data to stay private under new regulations that the Indian government is proposing. To protect yourself, your best bet is probably to use a VPN in order to access the Internet through another country with less problematic privacy policies.