India Waking Up To Encryption Realities

Indian companies are adopting many technological methods to streamline their production and efficiency. While these methods can bring cost economy and production efficiency yet these technologies must be used in such a manner that they do not violate the laws of India.

For instance, the virtualisation, cloud solutions and encryption usage in India is subject to many laws like the cyber law of India incorporated in the information technology act 2000 (IT Act 2000), privacy laws, data protection and data security laws, etc. Cyber law due diligence in India is now well established and websites, companies and individuals must ensure the same in their own interests.

According to Praveen Dalal, managing partner of Perry4Law and leading techno legal expert of Asia, we have no dedicated Encryption Laws in India. Since this is a very crucial issue, Indian Encryption Policy must be formulated as soon as possible. Realising that Encryption Policy of India is needed, India is now considering formulating the same, informs Dalal. The proposed Encryption Policy plans to increase the encryption strength from 40 bits to 128 Bits, informs Dalal.

The new encryption policy would be announced by the Department of Information Technology (DIT) and it intends to strengthen the online and cyber security standards in India. However, this move may make the law enforcement agencies and intelligence agencies of India nervous as they are not comfortable with high encryption levels.

However, a Higher Encryption Level would strengthen E-Commerce in India as online sales, purchases and payments in India could then be made in a more “Secure” manner, suggests Praveen Dalal. For instance, Online Shopping in India has certain Legal and Cyber Security Issues that must be resolved before launching any Online Payment or E-Commerce Platform, informs Dalal.

India has so far failed to maintain a balance between national security, civil liberties and commercial requirements. Even a matter is pending before the Supreme Court of India where it would try to reconcile the Mobile Verification and National security Requirements in India, informs Dalal.

Home Ministry Mulls Lawful Interception Law Of India

Lawful Interception is a process that “Reconciles” the National Security requirements and Civil Liberties of a Nation. In the Indian context, we have no Lawful Interception Law in India. By Lawful Interception Law I mean a “Constitutionally Sound” Lawful Interception Law and not just any “Self Serving Law”- Praveen Dalal.

World over civil liberties are infringed using information and communication technology (ICT). In the past, Indian telecom companies have used private individuals to do phone tapping. Experts like Praveen Dalal have been suggesting enactment of a “constitutionally sound” lawful interception law in India. Till now we do not have a constitutionally sound lawful interception law in India and the same is urgently required.

On the top of it we have projects like central monitoring system (CMS), national intelligence grid (Natgrid), Aadhar, crime and criminal tracking network and systems (CCTNS), etc that are not governed by any legal framework and procedural safeguards.

We also do not have any encryption laws in India nor do we have any encryption standards in India. Further, India has a poorly drafted and decayed cyber law in the form of information technology act, 2000 that needs urgent repeal, inadequate cyber security, missing cyber forensics capabilities, inadequate critical infrastructure protection and so on.

In this background, the home ministry has asked the departments of telecommunication (DoT) and department of information technology (DIT) to examine the existing legal framework and recommend appropriate amendments of the laws to ensure smooth access to services like BlackBerry and Skype.

The home ministry has asked DoT and DIT to examine the Indian Telegraph Act 1885, Information Technology (Amendment Act), 2008, rules under the Telegraph and IT Act and provisions in the licence agreements and recommend appropriate amendments so that requirements, to the extent possible, are incorporated in the Act itself. However, India needs a dedicated lawful interception law and not just few amendments in the present outdated laws.

According to Praveen Dalal, managing partner of New Delhi base law firm Perry4Law and leading techno legal expert of India, India is the only country of the World where Phone Tapping and Interceptions are done without a Court Warrant and by Executive Branch of the Constitution of India. Phone Tapping in India is “Unconstitutional” and the Parliament of India has not thought it fit to enact a “Constitutionally Sound Law” for Phone Tappings and Lawful Interceptions. Even the Supreme Court’s directions in PUCL case have proved futile and presently the Court is dealing with the issue once more, informs Dalal.

The present action of home ministry seems to be in response to these developments that are “unconstitutional” in nature. These activities of Indian government and its agencies can be challenged in Indian higher courts as unconstitutional as violative of fundamental rights of Indians. Let us hope the Parliament of India would soon come up with a constitutionally sound lawful interception law of India.

Encryption Standards In India

Although India is a destination for technology related services yet when it comes to use of the same India is poorly situated. India has a badly drafted and decayed cyber law in the form of information technology act, 2000 that needs urgent repeal, inadequate cyber security, missing cyber forensics capabilities, inadequate critical infrastructure protection and so on.

On the policy front also India has no cyber security policy, encryption policy, cyber crimes policy, ICT crisis management policy and so on. So on both law making and policy formulation, India has performed extremely poor.

Naturally, India is facing growing numbers of cyber attacks. In fact, India has no effective and practically applicable crisis management plan for cyber attacks and cyber terrorism. There are growing cases of cyber terrorism against India in one form or other. Some of them have been detected while others are still stealth in nature.

In fact, cyber attacks and cyber terrorism preparedness of India is missing at all. Cyber Terrorism is a concept that is closely related to National Security and Cyber Security of any Nation, says Praveen Dalal, managing partner of New Delhi based law firm Perry4Law and leading techno legal expert of India. While the definition and nature of Cyber Terrorism is still debatable yet none can doubt about the use of ICT for attacking crucial computer systems of others, says Dalal.

Encryption is a very useful technology to thwart cyber attacks upon sensitive and crucial computer systems and networks. Encrypted data is more difficult to intercept and decrypt than data and information traveling in plain text. Encryption makes online banking and e-commerce more secure and reliable.

Presently, we have neither encryption laws in India nor there are any encryption standards and norms in India. Due to security concerns of intelligence agencies of India, encryption is still a feared technology in India. Indian Government must clear its head regarding crucial issues like Encryption Standards, Network Sniffing, E-Mails Sniffing, Mobile Phones Interceptions, Cell Phone Data Usages, etc, says Dalal.

Encryptions standards must be urgently formulated and immediately implemented. The more we ignore and postpone the same the greater would be practical difficulties and commercial losses for India.

Encryption Policy Of India

Any field that is not supported by any policy or strategy is bound to fail and encryption is one such area. We have no encryption policy of India and neither do we have encryption laws in India. It seems encryption is a concept that is beyond contemplation and understanding of Indian government.

In the name of encryption laws, we have a single and redundant provision in the cyber law of India, i.e. information technology act 2000. Further, some guidelines have been issued by the department of telecommunication (DoT) that are of ancient nature and not meeting the requirements of contemporary times.

India must deal with encryption issues as soon as possible. To start with, we must formulate good encryption policy of India. Once this is achieved, we must ensure effective encryption laws and regulations in India. Further, according to techno legal experts telecom security of India and encryption issues is also correlated.

India is compromising the Mobile Security of India and Mobile Governance in India by insisting upon a Weak Encryption Infrastructure, says Praveen Dalal, managing partner of New Delhi based law firm Perry4Law and leading techno legal expert of India. Mobile Cyber Security in India is not upto the mark and unencrypted communication would further increase the risks, claims Dalal. New Telecom Policy of India 2011 is in pipeline and it would be a good idea if Mobile Security Policy of India is also made a part of the same, suggests Dalal. The proposed Telecom Security Council of India can take this issue when constituted, suggests Dalal.

One of the reasons for weak encryption usage in India is due to fear among the intelligence agencies of India. Intelligence agencies of India are not technologically sound to crack strong encryption hence they are insisting upon weak encryption usage in India. However, India must realise that e-surveillance is not a substitute for cyber security expertise and cyber forensics capabilities.

Law enforcement and intelligence agencies of India need modernisation initiatives. Further, they must also get good quality techno legal trainings in fields like cyber law, cyber security, cyber forensics, etc. Perry4Law Techno Legal Base (PTLB) is providing world class techno legal trainings to law enforcement and intelligence agencies.

If encryption related knowledge and training is provided to law enforcement and intelligence agencies of India, they would be less skeptical to the use of encryption in India. While formulating the encryption strategy of India, these factors must also be kept in mind.

The New National Telecom Policy Of India 2011

The first National Telecom Policy of India was written in 1994. It was subsequently reformulated as the New Telecom Policy in 1999 and was also amended in 2004. Now proposals have been given to formulate National Telecom Policy of India 2011.

The Telecom Policy of India has been in controversies like 2G scam in the past. The present Telecom Policy of India is anti common man. It is going against the interests of telecom consumers of India. India needs consumer friendly telecom policy to break the vicious circle that has engulfed the telecom sector of India, says Praveen Dalal, managing partner of Perry4Law and leading techno legal telecom expert of India.

Similarly, in the name of national security and cyber security, companies like Gmail, Skype and BlackBerry have been troubled a lot in India. The biggest problem creator is the encryption issues that are not acceptable o the intelligence agencies of India.

Encryption is an unresolved enigma in India. We have no encryption laws in India and despite the suggestions of many experts’ encryption laws and regulations in India are still missing. Encryption has also become essential due to faulty electronic sniffing and e-surveillance approach of India.

Of late, India is pressurising Research in Motion’s (RIM) Blackberry for providing unencrypted e-mail and telecom communications in India. By threatening to ban Blackberry services in India, the government has already obtained access to Blackberry’s messenger services. Now India is forcing the telecom service providers of India to drop Blackberry’s services if it does not provide free and unencrypted access to its services in India.

In this entire quandary, Indian government has not paid attention to the real issues. Issues like Consumer Friendly National Telecom policy of India, Telecom Security of India, establishment of Telecom Security Council of India, establishment of Telecom Security Regulatory Authority of India (TSRAI), etc must be considered by Indian Government in general and Ministry of Communication and Information Technology (MCIT) in particular on a “priority basis”, suggests Praveen Dalal. Further, Telecom Security Policy of India must also be formulated as soon as possible as India has already taken more than enough time in this regard, suggests Dalal.

We have no telecom security policy in India. There is no mechanism in India through which telecom hardware and software can be analysed for backdoors and malware. In these circumstances, formulating an Indian telecom security policy is urgently required.

The new telecom policy of India 2011 must incorporate all these suggestions in order to be effective. If we need to eradicate corruption that is marring the present telecom sector of India, we must take bold and immediate steps in this regard.

Mobile Cyber Security In India

Mobile phone has become an important aspect of our daily lives. We use mobile phone for multi purposes including mobile banking and mobile governance. With the use of third generation spectrum, even better, speedier and more productive use of mobile phones is now possible.

However, of all the benefits of use of mobile, we cannot ignore the risks associated with it. For instance, the mobile banking in India is risky as the present banking and other technology related legal frameworks are not conducive for mobile banking in India.

Similarly, we do not have a well developed e-governance infrastructure in India. Naturally, India is still not ready for m-governance. India does not have any infrastructure, legal framework, policies and strategies and most importantly expertise to implement these ambitious projects.

The biggest hurdles before the mobile related uses in India pertain to use of weak encryption standards and non use of mobile cyber security mechanisms in India, informs Praveen Dalal, managing partner of New Delhi based law firm Perry4Law. Absence of encryption laws in India has further made the mobile security very weak in India, says Dalal.

Mobile viruses and worms are further increasing the woes of mobile users’ world wide, claims Dalal. Recently 50 applications within Google’s official Android Market were found to be contaminated with DroidDream malware. The malware stole sensitive information like phone’s International Mobile Equipment Identity (IMEI) Number and the SIM card’s International Mobile Subscriber Identity (IMSI) number. It then sent it to a command-and-control server, informs Dalal. Similarly, other spyware and bugs are also infecting mobile phones worldwide

Instead of making the encryption requirements redundant and weak, India must concentrate upon further strengthening the same for better and secure mobile communications. Governments of most developed countries allow the usage of strong encryption standards ranging from 128 bits to 256 bits or more to ensure the security of sensitive information exchanged via Internet and other networks. However, India is still clinging to 40 bits encryption standards for the simple reason that intelligence and security agencies of India are not capable enough to break strong encryptions.

In fact, threats have been issued by Indian government to services providers providing encrypted mobile, e-mail and VOIP services. Gmail and Skype have been asked to provide the encryption keys to Indian government and its security agencies. However, neither Google nor Skype have admitted of receiving any such communication. India is also indirectly pressurising Blackberry to help India in its e-surveillance activities. These actions of Indian government would only make mobile security weaker.

Indian population is still not interested in mobile cyber security and if the default encryption protection is also taken away, mobile usage in India is definitely going to be suffered from malware attacks and cyber attacks. India must urgently concentrate upon mobile security so that these infected mobile cannot be used by criminals.

Internet Kill Switch In India

Indian government in general and intelligence and security agencies of India in particular are not at all comfortable with the use of information and communication technology (ICT) in India. For instance, use of encryption technology in India is feared like a plague by Indian government. That is why there are practically no encryption laws and regulations in India.

Similarly, Internet in India is under potential threats of e-surveillance and civil liberties violations. We have no lawful interception law in India and phone tapping and e-surveillance in India is done in an illegal and unconstitutional manner. As a result, Internet censorship in India, phone tapping and e-surveillance in India have increased a lot.

India has poor cyber law and inadequate cyber security. We have no cyber security policy as well as a national security policy in India. Critical infrastructure protection in India has not yet received the attention of Indian government.

No doubt critical infrastructure protection in India is absolutely required but Internet kill switch is no a solution to cyber security problems of India. Further, Internet kill switch should not be used as a tool of e-surveillance and Internet control in India. On the contrary, we need active steps to formulate anti Internet kill switch measures in India.

We originally raised these concerns in India for the first time and it seems now the media has also taken note of this issue. We once again reiterate the need of anti Internet kill switch laws in India before it is too late.