
Why is encryption important for businesses?

In earlier days, the communication of cryptographic or encoded messages was limited to the most confidential transfers of information (mostly relating to national security and strategic information on diplomatic relations). However, the advent of the internet and technology changed how people and businesses communicate with each other. Rapid technological development made it possible to encrypt electronic communications (emails, SMS, instant messaging services like WhatsApp and Hangouts) to a very high level, so that such communications cannot be read by a third party that intercepts them. Just imagine a strategic communication containing the tender details of a business being hacked by a rival party, causing immense loss to the business. Such communications can be encrypted by the communicating parties, so that even if the message is intercepted by a hacker, it will be hard for that hacker to decipher what is written inside it.

As more and more businesses go online, one of the challenges they must address is maintaining adequate data security standards. Most online payment gateways use a high level of encryption to prevent theft of their customers' credentials. Moreover, for certain businesses whose sole USP and business model is based on the level of encrypted services they provide, the regulations governing encryption can play a critical part: such businesses might need to close or alter their business model if they fail to meet the decryption requirements of the security agencies. This was highlighted quite prominently in the Blackberry controversy, when the Indian security agencies insisted that Blackberry (whose main USP is its encrypted messaging service) provide the means to intercept its messenger and email services, which the security agencies otherwise could not easily decrypt. The tussle between Blackberry and the Government also highlighted the absence of clear rules governing encryption.

Why does the government want to regulate encryption technology?

Encryption as a technology presents unique challenges for the legal system, since its use is feared to bring about its abuse. While the private sector may see it as necessary to promote confidentiality and data protection, state law enforcement remains deeply suspicious of what is encrypted and what it cannot easily monitor. Encryption mechanisms can be used for genuine legal activities by businesses and the public, but what happens when such a communication system falls into the hands of terrorists, smugglers and criminals? Security agencies around the world are sceptical about the use of high levels of encryption by businesses and in the services they provide. The security agencies might need real-time access and the ability to decrypt messages communicated through telecom and internet networks in order to monitor possible terrorist activities, criminal investigations and other organised crimes like smuggling and drug trafficking. Recently, investigating officers found that smugglers were using WhatsApp to communicate with each other (http://bit.ly/Rhzl20). A high level of encryption might make it hard for the security agencies to intercept and decipher such communications, which might affect national security and the internal law and order situation. In such circumstances, it is important for the security agencies to have an effective way of monitoring encrypted messages sent and received within the country. One of the important ways of achieving this is by regulating the providers of such services, requiring them either to provide a method of decryption or to provide services with a low level of encryption.

What are the rules governing encryption in India?

The regulation of the Information Technology industry, which includes Information Technology Enabled Services (ITES), is principally dealt with by the Information Technology Act, 2000. Though the Information Technology Act, 2000 remains the principal enactment, other relevant laws are:
  • The Indian Telegraph Act, 1885
  • The Reserve Bank of India Act, 1934
  • The Securities Exchange Board of India Act, 1992
  • The Payments and Settlements Act, 2007
  • Information Technology Act, 2000

As stated earlier, the Information Technology Act, 2000 is the principal enactment regulating the IT services sector in India. Section 84A of the Information Technology Act, 2000, inserted by the Information Technology (Amendment) Act, 2008, specifically empowers the Central Government to prescribe the bit level of encryption for services provided through electronic media, including e-governance programmes.

However, these modes and methods of encryption are yet to be specifically defined by the Central Government. At present, no rules have been framed under Section 84A, and uncertainty exists with regard to the specific bit level permissible by law. In the absence of any regulations, many companies in the ITES sector have implemented 256-bit encryption for their data in India.

The Information Technology Act, 2000 also provides for the establishment and recognition of electronic signatures issued by Certifying Authorities. This is similar in its objective to the Electronic Signatures in Global and National Commerce Act (ESIGN, Pub. L. No. 106-229) of the United States. The Information Technology Act, 2000 also empowers the Central Government to lay down rules setting the standards which Certifying Authorities have to adopt for encryption (refer to Rule 6 of the Information Technology (Certifying Authority) Rules, 2000). The rule allows the Certifying Authorities to issue electronic signatures with key lengths of up to 2048 bits.

What will happen if a business fails to provide the security agencies with a method to decrypt the communications made through its systems?

Under Section 69 of the Information Technology Act, 2001, all businesses and individuals are required to assist the security agencies or the Government in decrypting information passed through a computer resource operated or owned by that person or business. The Controller appointed under the Information Technology Act may order the interception of such information if it is necessary in the interest of the security of the country or public law and order, or to prevent the commission or incitement of any criminal activity. If a person fails to assist the security agency or the Government, he may be punished with imprisonment for a term which may extend to seven years.

Encryption regulations for telecom and internet service providers

The Indian Telegraph Act, 1885 is the principal pillar of the regulatory framework for communications in India. The Telegraph Act, 1885 grants the Central Government the exclusive privilege of establishing, maintaining and working communication services within India, including the privilege to provide telecommunication and internet services in India (refer to Sections 4(1) and 3(1) of the Telegraph Act). However, in line with its continuing policy of liberalisation as stated in the National Telecom Policy, 1999, the Government of India has allowed private players to provide these telecommunication and internet services by entering into licensing agreements with them.

There are various versions of these agreements, depending on the type of technology and service provided by the private party as well as the government policy existing at the time the agreement was entered into. Encryption limitations are placed in such agreements, for example in the License Agreement for the Provision of Internet Services and the License Agreement for Cellular Mobile Telephone Service.

License Agreement for the Provision of Internet Services: Clause 2.1(vii) of the agreement states that:

“(vii) The Licensee shall ensure that Bulk Encryption is not deployed by ISPs. Further, Individuals/ Groups/ Organizations are permitted to use encryption up to 40 bit key length in the symmetric key algorithms or its equivalent in other algorithms without obtaining permission from the Licensor. However, if encryption equipments higher than this limit are to be deployed, individuals/groups/organizations shall obtain prior written permission of the Licensor and deposit the decryption key, split into two parts, with the Licensor.”

License Agreement for Cellular Mobile Telephone Service: Clause 42.1 of the agreement states that:

“42.1 The Licensee shall not employ bulk encryption equipment in its network.  Any encryption equipment connected to the LICENSEE’s network for specific requirements has to have prior evaluation and approval of the LICENSOR or officer specially designated for the purpose.”

Here, as stated above, the License Agreement between the Government of India and Internet Service Providers (ISPs) mandates that persons using the gateways and services of ISPs are permitted to use encryption up to a 40-bit key length in symmetric key algorithms. However, if encryption above a 40-bit key length is used, it must be done after obtaining the prior permission of the Government of India. Such permission will be granted only after the deposit of the “decryption key”.

However, while this prohibition may appear prima facie to prohibit 256-bit encryption, its applicability is doubtful, as it represents a private contract between the Government of India and a third party which provides internet services. In a sense, it may not have the force of public law, which is made either through an Act of Parliament or through an executive order.

The prohibition also appears doubtful in light of the standards laid down for Certifying Authorities under the Information Technology Act, 2000, as well as the preferences of sectoral regulators, which prescribe a higher level of bit encryption. These sectoral regulations have been made pursuant to Acts of Parliament.

Encryption requirements for payment gateways and electronic banking

One of the challenges for e-commerce sites is to provide a secure medium for payment for goods purchased online. While online payment makes transactions more convenient for both buyer and seller, such transactions also carry the possibility of security threats. To minimise such threats, e-commerce sites must have a strong and secure payment mechanism, which can be achieved through encrypted payment gateways.

The Reserve Bank of India serves as the central bank of India and also acts as the sectoral regulator for electronic banking under Section 3(1) of the Payments and Settlements Act, 2007. The Reserve Bank of India has stated, in its ‘Report on Internet Banking’ dated 22 June 2001, that all internet banking transactions must have a minimum encryption of SSL/128 bits, be authenticated by a user ID and password, and be digitally certified by a Certifying Authority.

Encryption requirements for trading in stock exchanges

The Securities and Exchange Board of India (SEBI) is similarly the regulator for capital markets in India, established under the Securities Exchange Board of India Act, 1992. Annexure 2 of its ‘Master Circular for Trading in Stock Exchanges in India’ dated March 20, 2010 contains all the circulars issued by it to regulate behaviour in India’s capital markets. In its section on Internet Trading, Paragraph 1(ii)(d) states that:

“The WTLS encrypts data upto the WAP Gateway server. Transmission from the WAP Gateway server to the Internet server should be secured using Secured Socket Level Security, preferably with 128 bit encryption, for server access through Internet.  Alternately, the WAP Gateway server and Internet server may be co hosted. The server resource should not be shared for any other applications.”

Current legal position in India

At present, there appears to be uncertainty with regard to the bit level up to which encryption is permissible in India. Though there is a legislative provision under the Information Technology Act, 2000, no rules specifying the bit levels have been made under it. The specific references to bit levels contained in (a) the Information Technology Act, 2000; (b) the licensing agreements made pursuant to the Indian Telegraph Act, 1885; (c) the Reserve Bank of India’s report on internet banking; and (d) the Securities and Exchange Board of India’s ‘Master Circular’ also do not categorically remove this ambiguity.

As previously stated, amid this ambiguity, companies have implemented systems which exceed 40-bit encryption, without specific approval from the Government of India. However, risk-averse businesses may choose not to exceed 40-bit encryption; otherwise they run the risk of having to disclose the “decryption key” to the Government of India and seek its prior approval.
(with inputs from Apar Gupta, Partner, Advani & Co.)
