The government has blamed a junior official - a scientist — for the encryption policy fiasco, saying he was responsible for the poor and confusing wording of the document and failed to seek advice from his higher ups before making it public.
Several officials in the communications and IT Ministry that ET spoke to admitted that the timing of the release of the draft policy - just before Prime Minister Narendra Modi's US visit — couldn't have been worse, prompting its immediate withdrawal.
Speaking exclusively to ET, telecom minister Ravi Shankar Prasad, however, blamed poor wording for directing withdrawal of the policy, which gave an impression that subscribers could become legally liable to store messages exchanged throug WhatsApp, Facebook and Google among other social media platforms for up-to 90 days, and produce them before authorities if asked. The intent of the government was to make the social media and messaging companies liable to store information for the 90 day period.
"I read the draft. I understand that the manner in which it is written can lead to misconceptions. I have asked for the draft policy to be withdrawn and reworded," Prasad said. "There was a misuse of word 'users' in the draft policy, for which the concerned officer has been taken to task."
He explained that the wrong use of the phrase 'users of encryption' instead of 'creators of encryption' had led to all the confusion. Prasad added that the 'scientist', who was part of the expert committee under the Department of Information and Technology (Dei-TY), was responsible for the confusion. The expert panel had been tasked with framing of a national policy on 'encryption' which is crucial for the national policy on cyber security.
Internally, senior officials in the ministry admitted the timing of the draft policy release was all wrong with Modi set to travel to the US and meet, among others, Facebook CEO Mark Zuckerberg and other tech giants as well as many from the Indian diaspora.
"This is bad timing for sure. Modi would have surely have faced very uncomfortable questions at what is expected to be very high profile visit," one of the officials told ET. Another official said the official tasked with coordinating and putting the policy together should have shown either the joint secretary, secretary or someone in the minister's office before releasing it for public consultation. "This is the basics, especially for something which could be controversial.
But it was messed up," he said, adding that reworking the policy and putting it in the public domain could take around three weeks.
The government Tuesday was forced to withdraw the controversial 'draft encryption policy' just over 12 hours after making it public after it came under severe criticism, especially on social media, for its move to make individuals legally bound to retain personal chats/messages on social networking sites for 90 days and provide to law authorities, if asked.
The draft policy was met with severe criticism, citing invasion of privacy, forcing DeiTY to clarify within a few hours on Monday that chats on popular social networking sites like Whatsapp and Facebook were exempted. And Tuesday it withdrew it in its entirety.
Prasad urged citizens not to misunderstand the policy. "Firstly this is a draft policy not the final policy and we have sought the comments of all stakeholders. There has always been a need for a policy on encryption given the spurt in online transactions through net banking, ecommerce, and so on," Prasad said.
"However, no attempt will ever be made to jeopardize the rights of netizens and this government's commitment to social media and the rights of netizens is unwavering," he added. Dismissing speculation that the government had withdrawn the policy owing to severe media backlash or political pressure, Prasad said the country needed a robust encryption policy for security reasons.
One of the officials cited above said that the essence of the reworked draft policy will remain same, but it will be reworded. "The final policy could also require the companies to set up servers in India," he added.
According to sources, the Intelligence Bureau (IB) had demanded that government make it mandatory for all the companies to make keep data for up-to one year, but the ministry of communications and IT had brought it down to just 90 days.
The policy seeks to bring all creators of 'encryption codes' to register with the government. Secondly the department of IT will from time to time notify standardized algorithms which could be used by companies. "We will only standardize the algorithms based on global practices, the formula of encryption codes will remain with the creators only," the official said.
At present, an internet service provider licence allows for encryption of only up-to 40 bits but banks, e-commerce companies and communication services use much higher levels of encryption codes.