Tuesday, August 3, 2010

Encryption Standards, Norms And Laws In India

Telecom security related decisions of India are primarily guided by hysteria and paranoid thoughts rather than genuine security concerns. Telecom security in India must be preceded by proper telecom policies and adequate cyber security initiatives in India. In India we have neither a telecom security policy nor cyber security capabilities.

Firstly, the ban on Chinese telecom equipment has shown the weaknesses of Indian laws and telecom security strategy. It showed that India lacks both a legal framework and regulatory body to manage security issue of telecom industry in India.

Realising the gravity of the situation the government of India announced for the formulation of Telecom Security Regulatory Authority of India (TSRAI) that would advice it on telecom security related issues. However, it is another issue that TSRAI remained a distant dream and mere loud words alone. It proved just a fa├žade to gain time and slip through the banning controversy of Chinese telecom equipments.

Now the government of India is once again locking horns with Research in Motion (RIM) that is managing Blackberry services in India and worldwide. It is forcing RIM and Blackberry to reduce the security and privacy features of its services. RIM and Blackberry have taken a middle path and while refusing to dilute the security and privacy features has shown its willingness to help Indian government and its agencies in matters of national security.

Presently, the cyber law of India i.e. information technology act 2000 (IT Act 2000), as amended by the information technology amendment act 2008 (IT Act 2008) governs the encryption related legal provision. Section 84 A of IT Act 2000 provides that the Central govt may, for secure use of electronic medium and for promotion of e-governance and e-commerce prescribe the modes or methods of encryption.

Further, Section 69 of IT Act 2000 empowers the, Central Government/State Government/ its authorised agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence or for investigation of any offence.

The security agencies of India are in favour of a weaker encryption standard whereas the present telecom requirements dictate otherwise. Since the Central Government has not taken any initiative in this regard, the Department of Telecommunications (DOT), India has suggested an absurd level of 40 bit encryption for ISPs and a written permission from DOT is required with mandatory deposit of decryption key with DOT. Surprisingly, Indian regulatory bodies like SEBI and RBI have mandated encryption standard greater than 40-bit.

It is high time for India to formulate proper law in this regard while establishing the proposed TSRAI. At the same time RIM/Blackberry should not dilute the security and privacy features of its services otherwise there is nothing distinct that remains in Blackberry that separates it from other ordinary services.