After nearshoring, farshoring, outshoring, cross-shoring, backshoring....
...cryptoshoring!
The Indian government has published a draft of its latest plans for encryption. The proposals spell bad news for domestic software developers and will make other companies looking to do business in the subcontinent very nervous indeed. The new National Encryption Policy [PDF] proposed by the nation's Department of Electronics …
Essentially that would be "data havens", as in one of the primary plotlines of Cryptonomicon.
On a related note, as homomorphic encryption, probabilistically-correct proofs of work, and similar techniques are gradually approaching practicality for real work, we may see a day where cheap-labor nations are doing IT processing blindly for rich ones, and it won't matter how hostile to privacy their regimes are.
It's a twist on Searle's classic "Chinese Room" argument against strong-AI-by-symbolic-manipulation1 : create a system that does work, but with no possibility of deriving significant additional information from its inputs and outputs (within a certain limit and with a certain probability). It manipulates opaque tokens according to predefined rules but neither the tokens nor rules leak information.
1Many people think Searle advanced this thought experiment against any possibility of strong AI. Not so; Searle was publicly a believer in the possibility of strong AI, as he believed the mind was a mechanical effect, and so could in principle be reproduced by a human-designed machine. He just didn't think 70's-style probabilistic-mucking-about-with-symbols would do the trick.
This post has been deleted by its author
Probably be more cliff-face than "start to drop". After the Snowden stuff first broke; my clients were out of the US that weekend...if rendering yourself liable to having your face sued off is involved, you'd be amazed at how even large companies can get dead nimble and perky.
Your clients were utter retards. Snowden showed that while the NSA takes a few liberties in the US, they operate with impunity everywhere else. Of course, China and Russia reach vandalism level hacking everywhere; if you think moving countries actually makes you safer, you are a retard squared.
The issue with the USA isn't so much NSA vs. SVR it's a question of tort lawyers. In the vast majority of cases businesses aren't really concerned with government spooks tapping into data per se, they're concerned with class action law suits and astronomic tort costs. That isn't going to happen in Russia or China unless the plaintiffs have some serious political connections.
@DanielN - I'm assuming you had a bad day; are completely missing the point; or didn't actually read my comment.
If state-level hackers get on my case; I am but a wax effigy of an extended middle finger in front of a blowtorch. I accept that. I don't fucking like it; but that's the way things are. Nothing to do with safety.
Part of it was legality. Learning that the NSA was rummaging through our pockets at will put us in a rather tricky position as far as Data Protection Acts and similar goes. Something needed to be done about that.
Part of it was pure outrage. We voted with our wallets. If the US -as a body- were going to behave like dicks, then they don't get our business. Simple as.
It also didn't hurt that when client's customers came to us (and quite a few did) and said "Have you heard....", we could answer "Yep. We moved all our web holdings out of the country over the weekend". Looking after customer's interests (and being seen doing so) is how you stay in business.
Hacker-proofing wasn't even a factor. At the time, and in retrospect too, it was the right thing to do. Now you could point out that we have simply substituted GCHQ for NSA, and this is true. They may be a bunch of lying self-serving scumbag weasels; but they're our bunch of lying self-serving scumbag weasels and that makes a difference, however slight.
This post has been deleted by its author
Here's a thought...
The point of encryption, is that any data, even that housed locally, can be transformed so that only specific people may have access to it, ever. Now that one-time-pad encryption-chains have been invented and verified scientifically, we have encryption that is not only quantum-secure, its secure against any computational device which may ever be invented (think 99th century and beyond). What is considered "security" today, won't be around in 2 years time.
The Indian government appears to forget that organisations that have outsourced to India have obligations of security and privacy of their own. If Indian outsourcing creates a risk of non-compliance I can see their corporate lawyers end the use of it rather swiftly.
But, hey, if they want to kill off their entire outsourcing industry, go ahead. I'm sure another developing nation will gladly pick up the slack.
"My reading of that rule is you need the keys, to be able to re-generate plain-text, not to keep the plaintext ready to hand..."
Does it matter? Governments have proved again and again they play fast and loose with their country's data.
It's only a very tiny step from there to "everyone" getting said data for themselves.
What if you only have the encryption key and not the decryption key? You can recreate an encrypted sequence given the plain text, but not produce the plain text from just the encrypted version. So when 'they' show up asking to see the plain text and the key that generates the encrypted sequence they are waving at you, you need the last 90 days worth of plain text to re-encrypt to scan to find the match.
Also, as this applies to hardware, will kids who use a caesar cipher disc be breaking the rules until someone gets the design certified. And then only discs manufactured by certified companies will be allowed and the kids will have to keep all their messages for 90 days.
Yeah, yeah, very good.
Now try doing that with an SSH session, which has been carefully designed NOT to keep hold of session keys and NOT to hold onto session data. Quite a lot of design work in SSH has been based around making it really quite incredibly difficult to save this data.
If you mandate that this data be retained, you have to fork the SSH source and build in new functionality, make sure this works, make sure it doesn't introduce any new vulnerabilities other than the honking great big one that this has to introduce, and keep up with all the patches that occur in the mainstream product.
This is a hell of a lot of work, more so because the session data has to be stored securely somewhere (local strong encryption of these sessions as they are stored would be my preferred option) and also because the amendments and add-ons may well introduce bugs and vulnerabilities.
On the other hand, outsourcing to an Eastern European country and training the locals in speaking vaguely intelligible English is another option. With the massed exodus from India to, say, Elbonia as an object lesson it is pretty certain that the Elbonian authorities will be most careful not to cause a repeat occurrence of the exodus.
As I read it, you need to be able to show that the cyphertext you stored is exactly the one you can generate from the plaintext using the software and keys in use. Otherwise you could store fake plaintext not corresponding to the real encrypted data.
Anyway the idea of keeping ninety days of data in clear text shows how deep the IT culture is spread in India...
As I read it, you need to be able to show that the cyphertext you stored is exactly the one you can generate from the plaintext using the software and keys in use. Otherwise you could store fake plaintext not corresponding to the real encrypted data.
There are cryptographic deniability protocols that provide this feature (N plaintexts map to 1 ciphertext), albeit with some overhead. A really clever service company could implement one, but it'd shave those margins, and I expect they're pretty thin already.
Companies already storing encrypted data already keep the encryption keys so they can unencrypt their encrypted data, otherwise what would be the point? keeping unencrypted, encrypted and the keys is just plain stupid waste of time and something someone who has no clue would come up with. How long before some MP, law enforcement busy body or childrens charity pipes up that Britain should be demanding similar, think of the children etc. Someone not having the plain text or keys is not automatically guilty.
Maybe the UK and the USA (and possibly the EU) have put the Indian government up to this to see how it flies? This isn't gong to end well for someone.
I know a lot of US companies (insurance, etc.) outsource a lot of their "grunt" work in claims, etc. to India and encryption at both ends and in the middle even with VPN. They won't stand for it since they get hit if there's any attack and data grab.
I'm going to miss those prats
They're coming to Amazon, so you'll have the option of buying more.
I confess that I too have enjoyed their antics from time to time. Supercars don't interest me, but minor disasters wrought through half-assed vehicle modification does, for some reason. No accounting for taste I suppose.
So in a country plagued by poverty, corruption and bureaucratic incompetence and with such a backward, and often tragic, attitude to social and sexual equality it turns out the biggest problem government and law enforcement face is people encrypting data. Their insistence should set alarm bells ringing - it's pretty obvious they are the biggest threat the good people of India need protection from!
http://forums.theregister.co.uk/forum/1/2015/09/21/indias_proposed_rules_on_encryption/
"So in a country plagued by poverty, corruption and bureaucratic incompetence and with such a backward, and often tragic, attitude to social and sexual equality it turns out the biggest problem government and law enforcement face is people encrypting data. " - YoungDog
ermmm... how does this statement NOT apply to the UK, Europe, or the USA?
Yes, it is true that many 3rd world countries have these problems, but it is amusing how many "1st worlders" do not realise that they have the same problems. The main difference?
The perpetrators are much better trained at HIDING such discriminatory behavior.
Though, of course you are "free" to keep thinking in this delusional manner if it makes you feel better as you bask in the pleasure of sending paltry amounts of AID for catastrophic political interference in other countries sovereign affairs; both historical and current.
ElReg: The new National Encryption Policy [PDF] proposed by the nation's Department of Electronics and Information Technology states that ...
Let the Department of Electronics and Information Technology = The Deity.
The Deity wants state-controlled encryption, as ElReg tell us.
But that's not all.
India Today: New Delhi, Sep 18 (PTI) The Unique Identification Authority of India (UIDAI), which issues Aadhaar cards [= ID cards], has been shifted to the administrative control of the Ministry of Communication and Information Technology from Niti Aayog [new name for the Planning Commission].
And which Department has the Ministry put UIDAI into?
The Deity.
Reading this it seems that all they want is the AES code and the test messages that are used to verify that your implementation works. All standard stuff.
We won't bother talking them about session keys, key exchange and distribution mechanisms and the like. They're still at the stage of thinking that encryption is something to do with secret codes and invisible inks. I'm all for not trying to enlighten them.
This post has been deleted by its author