How many bits are enough ? the legality of encryption
Encryption as a technology presents unique challenges for the legal system since its use is feared to bring about its abuse. While the private sector may see it as necessary to promote confidentiality and data protection, state law enforcement remains deeply suspicious of what is encrypted and what it cannot easily monitor. This way highlighted quite prominently in the Blackberry controversy when the Indian security apparatus insisted that Blackberry provide the means to interception of its messenger and email services. To me the tussle between Blackberry and the Government also highlighted an absence of clear rules which govern encryption. In this post I examine what is the state of legal regulation of encryption in India.
The regulation of the Information Technology Industry which includes, Information Technology Enabled Services (ITES) are principally dealt with by the Information Technology Act, 2000. Though the Information Technology Act, 2000 remains the principal enactment, other laws which have been found relevant to the this post are:
- The Indian Telegraph Act, 1885
- The Reserve Bank of India Act, 1934
- The Securities Exchange Board of India Act, 1992
- The Payments and Settlements Act, 2007
Information Technology Act, 2000
As stated earlier, the Information Technology Act, 2000 is the principal enactment which regulates IT Services sector in India. Section 84A of the Information Technology Act, 2000 which has been inserted by the Information Technology (Amendment) Act, 2008 (10 of 2009) specifically empowers the Central Government to prescribe the bit level of encryption. It states that:
“S. 84A. Modes or methods of encryption — — The Central Government, may, for secure use of the electronic medium and for promotion of e-governance, prescribe the modes or methods for encryption.”
DSC_2595-Edit-Edit.jpg by amador_emmanuel34 under CC BY-NC-SA 2.0
However, these modes and methods of encryption are yet to be specifically defined by the Central Government. At present, no rules have been framed under Sec. 84A and uncertainty exists with regard to the specific bit level permissible by law. In the absence of any regulations, many companies in the ITES sector have implemented 256-bit level encryption for their data in India.
It is also pertinent to note that the Information Technology Act, 2000 also provides for the establishment and recognition of Electronic Signatures. This is similar in its objective to the ‘Electronic Signatures in Global and National Commerce Act (ESIGN, Pub. L. №106–229)’ of the United States. Towards this, the Information Technology Act, 2000 under Sec. 35 provides for Certifying Authorities to issue Electronic Signatures. The Information Technology Act, 2000 also empowers the Central Government to lay down rules for Certifying Authorities, which has been done with the enactment of the Information Technology (Certifying Authority) Rules, 2000. The Information Technology (Certifying Authority) Rules, 2000, under Rule 6 contain the standards which have to be adopted by the Certifying Authorities and it states that:
“6. Standards. — — The Information Technology (IT) architecture for Certifying Authorities may support open standards and accepted de facto standards; the most important standards that may be considered for different activities associated with the Certifying Authority’s functions are as under:
……
RSA Public Key TechnologyPKCS#1 RSA Encryption Standard (512, 1024, 2048 bit) ……
Hence, the only reference to a specific bit level when made under the Information Technology Act, 2000 is when the reference is with respect to Certifying Authorities, and when such reference is made, bit levels up to 2048 are permitted by law.
The Indian Telegraph Act, 1885
The Indian Telegraph Act, 1885, even though subjected to continuous amendments, remains the principal pillar of regulatory framework for communications in India. Section 4(1) of the Telegraph Act, 1885, states that the Central Government has the exclusive privilege of establishing, maintaining, and working telegraphs within India. Section 3(1) of the Act, defines the term ‘telegraph’ broadly to include,
“… any appliance, instrument, material or apparatus used or capable of use for transmission or reception of signs, signals, writing, images, and sounds or intelligence of any nature by wire, visual, or other electro-magnetic emissions, Radio waves or Hertzian waves, galvanic, electric or magnetic means.”
Hence, the Government of India has exclusive monopoly over electronic communications which includes the privilege to provide telecommunication and internet services in India. However, as per its continuing policy of Liberalization as stated in the National Telecom Policy, 1999, the Government of India has allowed private players to provide these telecommunication and internet services by entering into licensing agreements with them.
There are various versions of these agreements, which depend on the type of technology and service provided by the private party as well as the government policy existing at the time such agreement was entered. The encryption limitations which are placed in two such agreements which have been made publicly available by the Government of India include:
License Agreement for the Provision of Internet Services: Clause 2.1(vii) of the agreement states that:
“(vii) The Licensee shall ensure that Bulk Encryption is not deployed by ISPs. Further, Individuals/ Groups/ Organizations are permitted to use encryption up to 40 bit key length in the symmetric key algorithms or its equivalent in other algorithms without obtaining permission from the Licensor. However, if encryption equipments higher than this limit are to be deployed, individuals/groups/organizations shall obtain prior written permission of the Licensor and deposit the decryption key, split into two parts, with the Licensor.”
License Agreement for Cellular Mobile Telephone Service
“42.1 The Licensee shall not employ bulk encryption equipment in its network. Any encryption equipment connected to the LICENSEE’s network for specific requirements has to have prior evaluation and approval of the LICENSOR or officer specially designated for the purpose.”
Here, as stated above, the License Agreement between the Government of India and Internet Service Providers (ISPs) mandates that
(a) Persons utilizing the gateways and services of ISPs
(b) are permitted to use encryption up to 40-bit key length in the symmetric key algorithms.
© However, if encryption above a 40-bit key length is used, it shall be done after obtaining prior permission of the Government of India.
(d) Permission will be granted after the deposit of the “decryption key”.
However, while this prohibition may appear prima facie to prohibit 256-bit level encryption, its applicability is doubtful as it represents a private contract between the Government of India and another third Party which provides Internet Services. In a sense, it may not have the force of public law which is made either through an Act of Parliament or through an Executive order.
The prohibition also appears to be doubtful due to the standards laid down for Certifying Authorities under the Information Technology Act, 2000 as well as the preference of sectoral regulators which mandate a higher level of bit encryption. These sectoral regulations have been made pursuant to Acts of Parliament and are individually highlighted below.
Other Sectoral Regulators
The Reserve Bank of India, established under the Reserve Bank of India Act, 1934, serves as the central bank for India and also acts as a sectoral regulator for electronic banking as per Sec. 3(1) of the Payments and Settlements Act, 2007. The Reserve Bank of India has stated, as per its ‘Report on Internet Banking’ dated 22 June 2001, that:
“All transactions must be authenticated using a user ID and password. SSL/128 bit encryption must be used as the minimum level of security. As and when the regulatory framework is in place, all such transactions should be digitally certified by one of the licensed Certification Authorities.”
The Securities and Exchange Board of India (SEBI), similarly is the regulator for capital markets in India, established under the Securities Exchange Board of India Act, 1992. In Annexure -2 of its ‘Master Circular for Trading in Stock Exchanges in India’ dated March 20, 2010, it contains all the circulars issued by it to regulate behaviour in India’s capital markets. It states in its Section on Internet Trading, in Paragraph 1(ii)(d) that:
“d. The WTLS encrypts data upto the WAP Gateway server. Transmission from the WAP Gateway server to the Internet server should be secured using Secured Socket Level Security, preferably with 128 bit encryption, for server access through Internet. Alternately, the WAP Gateway server and Internet server may be co hosted. The server resource should not be shared for any other applications.”
At present it appears that there is uncertainty with regard to the bit level to which encryption is permissible in India. Though there exists a Legislative provision under the Information Technology Act, 2000, it does not make any rules with regard to specifying the bit levels. The specific references to bit levels which are contained under the (a) Information Technology Act, 2000; (b) Licensing Agreements made pursuant to the Indian Telegraph Act,1885; © the Reserve Bank of India’s report on Net Banking; and (d) The Securities and Exchange Board of India’s ‘Master Circular’, also do not remove this ambiguity categorically.
As previously stated, in this ambiguity, companies have implemented systems which exceed 40-bit level encryption. This is without specific approval from the Government of India. However, risk-averse businesses may not exceed their encryption levels beyond 40-bit, otherwise they may run the risk of disclosing the “decryption key” to the Government of India and seek its prior approval.
