Thursday 10 March 2011

Encryption Laws And Regulations In India

Encryption is an important aspect of cyber security and data security. Though India has a cyber law in the form of the Information Technology Act 2000 (IT Act 2000), it does not contain any effective and robust encryption provisions. Till now, encryption has remained an unresolved enigma in India.

For some strange reason, encryption is a feared technology in India. The Government of India in general, and the intelligence and security agencies in particular, are very nervous about the use of encryption in India. Till now there are no clear and definite encryption standards in India.

India is increasingly looking towards concepts like e-governance, e-commerce, m-commerce, mobile governance, mobile banking, cloud computing, etc. However, we do not have legal enablement of ICT systems in India. Further, India does not have a cyber security policy.

Against this background, the absence of encryption laws, regulations and standards is a death knell for the online dealings of Indian citizens. There are no safeguards against the possible loss of sensitive information and money due to insecure online transactions.

Governments of most developed countries allow the usage of strong encryption standards ranging from 128 bits to 256 bits or more to ensure the security of sensitive information exchanged via the Internet and other networks. However, India is still clinging to 40-bit encryption standards for the simple reason that the intelligence and security agencies of India are not capable enough to break strong encryption.

Instead of strengthening their cyber security capabilities, the Indian government and security agencies are concentrating more upon e-surveillance. However, e-surveillance is not a substitute for effective cyber skills, especially the ability to break high quality encrypted communications.

The Information Technology Amendment Act 2008 (IT Act 2008) incorporated a single provision in the form of Section 84A for Encryption Purposes, informs Praveen Dalal, leading techno legal expert of India and Managing Partner of Perry4Law. Although the provision has been applicable since 27th October 2009, the Indian Government has slept over the issue, says Dalal. The Indian Government must urgently formulate a Dedicated Encryption Policy of India, suggests Dalal.

Presently, the Indian government has taken a wrong decision by enforcing encryption standards through the Internet service providers' (ISPs) license. The same strategy has been adopted by the Indian government to force Research in Motion (RIM) to surrender BlackBerry's encryption keys. It is indirectly forcing BlackBerry to succumb to its demand by forcing the telecom service providers of India to drop BlackBerry services if e-surveillance of BlackBerry is not possible.

This is not the right strategy, and the Indian government must take a proactive and positive approach regarding encryption issues.