Encryption is the Key to Information Security

The recent faux pas committed by the Department of IT, Government of India in publishing a half-baked policy as the “Draft National Encryption Policy” created a needless controversy on the topic of “Encryption Policy” itself and whether it was required at all. Now that the dust has settled, we need to think with clear minds about whether “Encryption” (in the context of data or information) is important for us, whether it needs to be regulated in the form of a “National Policy” and, if so, how.

We must admit that subjects such as Encryption, which is linked not only to technology but also to concepts such as “Privacy”, are sensitive and complicated from the point of view of regulation. Privacy itself is also related to national security on one hand and Freedom of Expression on the other.

Hence, any attempt to regulate “Encryption” will affect the “Right to Privacy”, the “Right to Freedom of Expression” and “National Security”. As a result the regulation will have to find a balance with the provisions of the Indian Constitution, existing laws such as ITA 2008 or the Indian Telegraph Act, and also the proposed “Right to Privacy Bill”. A minor irritant will be the views and attitude of the Supreme Court as exhibited in the Shreya Singhal Case, which led to the scrapping of Section 66A of ITA 2008.

If the DeitY wants to develop a revised draft Encryption Policy, it needs to take into consideration all these aspects.

Since the subjects of “Right to Privacy” and “Right to Freedom of Expression” are dear to non-technology people such as the Media and the Law Fraternity, many of whom are human rights activists, any perceived infringement of these rights will generate a disproportionate counter-reaction that will be used as a tool of political criticism by issue-starved opposition parties. The Government will therefore be pushed into a corner and is likely to panic and take wrong decisions. This happened in the Section 66A case, where the Government failed to defend the section properly and let it be scrapped.

The activists who do not understand technology and the political activists who neither understand nor want to understand technology need first to be made to commit on whether we need “Security of the State”. Information is the lifeblood of the current generation, and securing its integrity and availability is an issue which is beyond debate. In the process of ensuring availability and integrity, confidentiality is also a necessity. Encryption comes into the discussion because “Confidentiality” of information is achieved through the “Encryption Process”.

Way back in 2000, India adopted the digital law called the Information Technology Act 2000 (ITA 2000), which recognized the use of asymmetric crypto systems for the purpose of authentication of electronic documents with the use of digital signatures. The technology adopted was what was considered the best available at the time, in the form of accredited algorithms such as the RSA public key system supported by hashing algorithms such as MD5 and SHA1. Over time the hashing algorithms have been reviewed and presently the SHA2 algorithm is recommended. In due course the encryption algorithm may also be reviewed and alternatives to RSA may be considered.

While digital signatures were normally used for authentication, they were not used for data encryption in general. Whenever data had to be encrypted, either in transit or at rest, the “Symmetric Key Encryption” system was being used. These systems were either embedded in other applications such as e-mail or internet data transmission and document management systems, or used as standalone applications.

Since the US had a policy of not allowing export of encryption products beyond a certain level of security (40-bit key strength in symmetric key systems), it became a de facto standard in India also. With the gradual availability of stronger products under the revised encryption export policy of the US and the entry of other countries such as Israel as leaders in information security products, stronger encryption gradually entered the Indian scene as well.

Law enforcement has been facing the challenge of decrypting communications used by criminals and terrorists and has been at the forefront of engineering a policy change that makes it easy for them to snoop on the conversations of suspected criminals. While the right of law enforcement in this regard cannot be denied, if security is reduced to accommodate easy snooping, it can also be misused for breach of privacy. Breach of privacy is not only a human rights issue but also leads to “Identity theft”, which is again a law enforcement headache.

It is therefore necessary for the Law Enforcement Agencies (LEA) to realize that it is not in their own interest to force the community not to use encrypted communications of their choice. If they do, there would be a huge increase in identity theft incidents followed by financial frauds that will destroy the concept of Digital India.

ITA 2000 provided leverage to LEAs through Section 69 to demand decryption from the users of a communication, failing which there could be 7 years' imprisonment. This should be considered adequate legal support to LEAs as regards the use of encryption to hide communication from them.

We are however aware that criminals will continue to use strong encryption because they are anyway challenging the law. They will also use the excuse of available protections not to cooperate with the LEAs. Even if 7 years' imprisonment is a deterrent for ordinary citizens, it may not be so for criminals.

But normal citizens who are concerned about privacy and use strong encryption for privacy protection can always be convinced to part with the unencrypted data when there is a suspected criminal activity. What they are wary of is that this process of forced disclosure should follow a “Due Process”, since the public do not trust the LEAs not to leak information given for a specific purpose for some other purpose detrimental to the interest of the data subject. Presently such practices exist under the Indian Telegraph Act, and tapping of telephone conversations is authorized from time to time under a due process (though also abused from time to time).

The Government should therefore understand that criminals will continue to encrypt their data exchange whether India has an encryption policy or not, and honest citizens would not mind sharing the data when demanded provided they are given the confidence that the data would be used responsibly by the Government. Here there is a need for a due process of law to be adopted and for universally accepted principles of Privacy such as minimal and purposeful collection, consent, disclosure, security etc. to be followed.

Encryption of data is an essential part of Information Security, and at a time when “Cloud Storage” of data has become the norm, imposing artificial restrictions on the strength of encryption is impractical and undesirable. In fact we need to encourage Netizens and E Commerce/E Governance to use strong data encryption so that information security is maintained at a high level and criminals are challenged to the extent possible. Encryption is therefore a necessity and has to be in place.

The objective of Section 84A of ITA 2008 was to enable notification of the minimum acceptable encryption standards and methods that can be used by the public. It need not have been used to restrict the upper end of encryption strength. Section 84A was also not meant to define data retention standards, for which there was Section 67C separately. Section 69 was already available to ensure that decryption can be forced. Hence the law permitted encryption of data in storage and transmission, and if somebody is cooperative with the LEA, there is no reason why he should not use the strongest encryption. In fact, if the upper end of security is freed, there could be innovation and research in India to find more secure forms of encryption. Any person of ordinary prudence would have realized that if there was a need for an Encryption Policy, it was to encourage innovation and indigenous research, not to restrict usage.

Imposing export restrictions is another aspect, meant to regulate the misuse of encryption by those who are not within the jurisdiction of the exporting country. If India is a manufacturing country for cutting-edge encryption products, then it makes sense to impose export restrictions. Again, whether this has to be in the form of an export ban or export licensing is a matter that can be considered.

For the record, my view is that if “Make in India” reaches the level where we can export information security products and encryption products, there can be strict export licensing to track the use of such products by people outside India.

My recommendation to the Government is to think innovatively about ideas such as “Regulated Anonymity”, and to allow licensed “Anonymizer Services” that provide anonymization service and encryption support but remain cooperative with LEAs. This will serve the purpose of the LEAs as well as meet the demands of the Privacy Activists.

Several years back, I had proposed a structure for Regulated Anonymity. It can be suitably revised to develop a structured plan of action to be a bridge between the proposed encryption policy and the proposed Privacy Bill. (The earlier recommendations can be found here)

The concept of “Regulated Anonymity” and the “Licensed Anonymizers” will be new innovative E Commerce business thoughts that can be commercially feasible.

It therefore did not make sense to say that “Users should maintain data in plain text form for 90 days”, as the draft policy tried to say. This was foolish and exposed the utter incompetence of those who wrote and approved the policy. We cannot trust national information security to such incompetent persons. Some people have claimed that the policy was drafted by a group of “Experts”.

I would like the Government to reveal the name of those “Experts” and give a commitment to the public that these experts are thrown out of the system that is entrusted with national security.

My demand that the Minister should order an enquiry to find out if there was an attempt to sabotage the reputation of the Government stands. I look forward to necessary action.

Naavi

Related information on Encryption Export Policy of US

Comparative Evaluation of US and EU

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.
