After ITA 2000 was amended in December 2008, the gazette notification of 27th October 2009 brought all the amendments into effect. One of the amendments that therefore became effective from 27th October 2009 was Section 84A, an addition to ITA 2000 that became part of the Act.
Section 84A stated:
Modes or methods for encryption:
The Central Government may, for secure use of the electronic medium and for promotion of e-governance and e-commerce, prescribe the modes or methods for encryption
While the section enabled (note the word “may”) the Government to prescribe “modes and methods” of encryption to secure the use of the electronic medium and for “promotion of e-governance and e-commerce”, no rules had been notified by the Government until now. However, ITA 2000/8 and the rules had also prescribed the system of “Digital/electronic” signature, for which encryption standards had already been prescribed and were being monitored by the CCA.
Many corporates were intrigued by the effect of this section on their operations, and in the absence of specific guidelines, experts could only advise them that “Best Practices” need to be followed.
Now the Government has come up with a draft guideline under Section 84A and asked for public comments.
According to the notification,
“…a draft National Encryption Policy as given under has been formulated by an Expert Group setup by DeitY based on which the Rules would be framed. Comments from the public are invited on the draft Policy.
You can send your comments by 16/10/2015 to Shri A. S. A. Krishnan, Scientist ‘G’, Department of Electronics and Information Technology, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi: 110003, Email: email@example.com.”
A copy of the detailed notification is available on the DeitY website here:
The draft policy as proposed is reproduced below:
Draft Notification on modes and methods of Encryption prescribed under Section 84A of Information Technology Act 2000
1. Definitions – In these Rules/Policy, unless the context otherwise requires, –
(a) The following definitions Cryptography, Encryption, Hash, Key, Public Key Cryptography/Asymmetric Cryptography, the meaning of aforesaid definitions has already been provided under Information Technology Act 2000, Rules and Regulations made there under.
(b) Symmetric Encryption is a method of encryption where the same key is used for both Encryption and Decryption. The key must be kept secret, and is shared by the message sender and recipient.
2. Symmetric Cryptographic/Encryption products with AES, Triple DES and RC4 encryption algorithms and key sizes up to 256 bits are prescribed by the Government for use for protecting information by stakeholders.
3. Asymmetric Cryptographic/Encryption products as prescribed under Information Technology Act 2000, Rules and Regulations made there under shall be used for Digital Signature purposes by stakeholders
Apart from the draft notification, the detailed notification provides a “National Encryption Policy” and contains some interesting aspects on which corporates would like to deliberate and communicate their views to the Government.
Some of the observations are discussed in a subsequent post.