Comments on the Draft National Encryption Policy from Naavi

The Government of India has announced a draft National Encryption Policy as an adjunct to the requirements under Section 84A of ITA 2008, which required a notification of the approved modes and methods of encryption for use in e-Governance and e-Commerce.

The policy acknowledges that the meanings attached to the different methods of encryption, namely hashing, symmetric encryption and asymmetric encryption, have already been explained under ITA 2000. The modes of encryption to be used and the algorithms for hashing and asymmetric encryption used in digital signatures have also already been prescribed under ITA 2000 by the CCA.

What ITA 2000/8 had not done was to indicate which algorithms are considered approved for symmetric encryption, whether used in SSL systems or for encryption of data in storage.

Now the draft notification indicates that the AES, Triple DES and RC4 encryption algorithms, with key sizes up to 256 bits, are to be used. We may however note that the CCA guidelines for RSA keys used in asymmetric encryption indicate key sizes of 2048 and 4096 bits (Ref: notification GSR 783(E) dated 25th October 2011, read along with earlier notifications).

(For non-technologists, it is always difficult to understand the difference between key length and encryption bit length, and the difference between symmetric and asymmetric key strengths. In RSA, the bit length indicates the size of the integer used in the mathematical model, whereas in a symmetric key system the bit length simply indicates the number of bits in the key. Technologists say that a 2048 bit RSA key length is equivalent to 256 bit key strength in symmetric encryption from the point of view of breaking it through brute force.)

The National Encryption Policy (NEP) goes much beyond the Section 84A requirements, and the draft as provided for public comments may have an impact on the larger public; hence it needs a discussion at some length.

Applicability:

  1. The Draft National Encryption Policy (D-NEP) is applicable to all Central and State Government Departments (including sensitive Departments / Agencies while performing a non-strategic and non-operational role), all statutory organizations, executive bodies, business and commercial establishments, including public sector undertakings and academic institutions, and all citizens (including personnel of Government / Business performing non-official / personal functions). (See Suggestion 1 below)
  2. It is not applicable to sensitive departments / agencies of the government designated for performing sensitive and strategic roles.

Classification:

Based on the nature of transactions that require encryption the users in the Policy are classified as:

(i)  Govt. – All Central and State Government Departments (including sensitive departments / agencies while performing non-strategic and non-operational role).
(ii)  All statutory organizations, executive bodies, business and commercial establishments, including all Public Sector Undertakings, Academic institutions.
(iii) All citizens (including personnel of Government / Business (G/B) performing non-official / personal functions).
(iv) G2G Government to Government users
(v) G2B, G2C, B2G & C2G Government to Business & Government to Citizen users
(vi) B2B Business to Business users
(vii) B2C & C2B Business to Citizen users

The Regulation

(1)  Use of Encryption technology for storage and communication within G group of users with protocols & algorithms for Encryption, key exchange, Digital Signature and hashing will be as specified through notification by the Government from time to time.

(2) Use of Encryption technology for communications between G group and B / C groups (i.e. G2B and G2C sectors) with protocols and algorithms for encryption, key exchange, Digital Signature and hashing will be as specified through notification by the Government from time to time.

(3) Users / Organizations within B group (i.e. B2B Sector) may use Encryption for storage and communication.

Encryption algorithms and key sizes shall be prescribed by the Government through Notifications from time to time.

On demand, the user shall be able to reproduce the same Plain text and encrypted text pairs using the software / hardware used to produce the encrypted text from the given plain text. (See Suggestion 2 below)

Such plain text information shall be stored by the user/organisation/agency for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country. (See Suggestion 3 below)

(4) B / C groups (i.e. B2C, C2B Sectors) may use Encryption for storage and communication.

Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time.

On demand, the user shall reproduce the same Plain text and encrypted text pairs using the software / hardware used to produce the encrypted text from the given plain text.

All information shall be stored by the concerned B / C entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country.

In case of communication with foreign entity, the primary responsibility of providing readable plain text along with the corresponding Encrypted information shall rest on entity (B or C) located in India. (See Suggestion 4 below)

(5) Service Providers located within and outside India, using Encryption technology for providing any type of services in India must enter into an agreement with the Government for providing such services in India.

Government will designate an appropriate agency for entering into such an agreement with the Service Provider located within and outside India. The users of any group G, B or C taking such services from Service Providers are also responsible to provide plain text when demanded. (See Suggestion 5 below)

(6) Users within C group (i.e. C2C Sector) may use Encryption for storage and communication.

Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time.

All citizens (C), including personnel of Government / Business (G/B) performing non-official / personal functions, are required to store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country. (Suggestion 1 already covers this point)

(7) Algorithms and key sizes for Encryption as notified under the provisions in this Policy only will be used by all categories of users.

Regulatory Framework:

(a) All vendors of encryption products need to be pre registered with the Government of India.

(b) List of registered vendors would be published by the Government. Users in India would be required to use only products registered in India.

(c) Export of Encryption products would be permitted with prior intimation to the designated agency of the Government of India.

Additionally, the Government has through this policy expressed its intention to support research in encryption and also set up a testing and evaluation infrastructure. A Technical advisory committee will take the responsibility of advising the Government on review of the policy from time to time.

While some of the follow-up would be through the notification under Section 84A, the present draft does not contain information on some aspects, such as the agency for registration. Some more follow-up guidelines will therefore be required.

In the meantime, members of the public may send their responses to the Government by 16/10/2015 to Shri A. S. A. Krishnan, Scientist ‘G’, Department of Electronics and Information Technology, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi: 110003, Email: akrishnan@deity.gov.in

Naavi has some specific observations that are listed below. If readers have any comments or additional points, they can send them to Naavi for consolidation before they are forwarded to the department.

Even if readers do not have any additional observations, I request them to send two suggestions, namely to keep common citizens out of the policy responsibilities and for the Government to conduct a free encryption education certification program for those who are interested. The suggestions may be sent by email to akrishnan@deity.gov.in directly before 16th October 2015.

Naavi’s Observations/Suggestions

Suggestion 1:

The NEP is made applicable to all organizations except sensitive departments of the Government. It is presumed that the sensitive departments to which the policy does not apply may use more stringent encryption norms. What is notable, however, is that the policy is applicable to common citizens.

Government must take note that the knowledge and expertise of common citizens may be inadequate to understand the nuances of encryption.

Though Citizens will be indirectly impacted by the policy as implemented by Government or Business users, Citizens cannot at this point of time assume responsibility for direct compliance with this policy, since their ignorance would be exploited by intermediaries for business gain.

For example, if a Citizen uses a service available on the internet which uses, say, a higher level of encryption than what is approved, then this policy may make him liable for the violation. The user may not even know what encryption is being used within a software product or service that he buys, or whether that product is “NEP-compliant”. The service provider himself may be outside the jurisdiction and hence escape liability, including the responsibility for registration.

Already Netizens in India are being pushed into the use of technology without appropriate security cover or Cyber Insurance cover, and the encryption policy will introduce one more risk and possible liability for the honest citizen.

If the Government wants to make common citizens responsible for knowing the encryption policy, how it operates in practice and how it affects them, there has to be a large-scale education program.

Government should provide a “Free Encryption Education Certification” program to all interested Netizens.

There is also a need to clarify in the policy document, in the common man’s terms, what the “Strength of Encryption” means, how it differs between Symmetric and Asymmetric systems, the difference between Cipher Block Sizes and Key lengths, etc.

Further, keeping in view the inconsistent use of terms by technologists, the Government should push through Cyber Insurance for individuals so that any liabilities arising out of inconsistent technical interpretations of the “Strength” of encryption are covered by insurance.

Suggestion 2:

Most of the intermediaries who provide services to Netizens store the passwords of Netizen users in hashed form. Some technologists consider hashing to also be a method of encryption (though the draft notification under Sec 84A has not included hashing as a method of encryption). If hashing is considered encryption, reversing the process is not feasible.

Hence an explanation may be required to state that “hashing” is not considered “Encryption” for the purpose of this policy and Section 84A.
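As an added illustration of the distinction Suggestion 2 draws (this is not code from Naavi’s post or the draft policy): with a keyed cipher such as AES-256 the key holder can produce the plaintext/ciphertext pair the policy demands, whereas a salted password hash supports only verification and has no inverse. The key, salt and sample values are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// EncryptAES256GCM seals plaintext under a 32-byte key (AES-256-GCM, which sits
// inside the draft's "AES ... key sizes up to 256 bits"). Output is nonce||ciphertext.
func EncryptAES256GCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, giving one self-contained blob.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// ReproducePair is the operation the draft policy demands of a user: from the
// key and the stored ciphertext, recover the matching plaintext. It works only
// because a secret key exists; a wrong key or a tampered blob yields an error.
func ReproducePair(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed blob shorter than the nonce")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// HashPassword is how an intermediary normally stores a login password:
// SHA-256 over a per-user salt and the password. No key is involved, so there
// is no inverse operation that could hand back the password on demand.
// (Illustrative only; real deployments use a deliberately slow password hash.)
func HashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// VerifyPassword is the only question a stored hash can answer: "is this the
// password?" It recomputes the digest and compares in constant time.
func VerifyPassword(salt, stored []byte, candidate string) bool {
	return subtle.ConstantTimeCompare(stored, HashPassword(salt, candidate)) == 1
}

func main() {
	key := make([]byte, 32)  // constructed demo key (256 bits)
	salt := make([]byte, 16) // constructed demo salt
	rand.Read(key)
	rand.Read(salt)

	// Encryption: the key holder can reproduce the plaintext/ciphertext pair.
	sealed, err := EncryptAES256GCM(key, []byte("invoice #1001, Rs 25000"))
	if err != nil {
		panic(err)
	}
	pt, err := ReproducePair(key, sealed)
	fmt.Printf("AES-256-GCM: recovered %q, err=%v\n", pt, err)

	// Hashing: the stored value can be checked against a candidate, never reversed.
	stored := HashPassword(salt, "correct horse battery staple")
	fmt.Printf("hash: verify(correct)=%v verify(wrong)=%v\n",
		VerifyPassword(salt, stored, "correct horse battery staple"),
		VerifyPassword(salt, stored, "Tr0ub4dor&3"))
}
```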

Suggestion 3:

The need to preserve plain text information such as passwords for 90 days gives the wrong impression that Sensitive Personal Information, as defined under Section 43A of ITA 2008, has to be stored in an insecure manner as per this guideline.

It will also cause confusion regarding the retention of data which law enforcement may require, when the data custodian is aware that the information constitutes “Evidence” under law. In such cases there will also be a conflict with Section 65 of ITA 2008.

The wording of the policy therefore needs to be changed.

Suggestion 4:

The provision exempting a foreign entity from the responsibility to provide unencrypted information interferes with the right of law enforcement to conduct investigations in criminal cases, where the foreign entity may refuse to part with the unencrypted information at their end. This provision can be deleted.

Suggestion 5:

The provision requiring service providers using encryption technology to register and enter into an agreement with a body of the Government of India is redundant and unenforceable as a part of this policy. Since there is a large number of services today which use encryption (even accepting that SSL/TLS users are exempted), this policy may require thousands of websites to enter into agreements with the Government. There is already a provision in Section 69 of ITA 2008, which is statutory law. Hence this provision for entering into a contract should be deleted.

Naavi

Ref: Copy of the Draft National Encryption Policy

Posted in Cyber Law | Leave a comment

Encryption Policy now available for public comments

After ITA 2000 was amended in December 2008, the gazette notification of 27th October 2009 brought all the amendments into effect. One of the amendments which therefore became effective from 27th October 2009 was Section 84A, which was an addition to ITA 2000 and became part of the Act.

Section 84A stated:

Modes or methods for encryption: 

The Central Government may, for secure use of the electronic medium and for promotion of e-governance and e-commerce, prescribe the modes or methods for encryption

While the section enabled (note the word “may”) the Government to prescribe “modes and methods” of encryption for “secure use of the electronic medium” and “promotion of e-governance and e-commerce”, until now no rules had been notified by the Government. However, ITA 2000/8 and its rules had also prescribed the system of “Digital/electronic” signature, for which encryption standards had already been prescribed and were being monitored by the CCA.

Many corporates were intrigued about the effect of this section on their operations, and in the absence of specific guidelines, experts could only advise them that “Best Practices” needed to be followed.

Now the Government has come up with a draft guideline under Section 84A and asked for public comments.

According to the notification,

“…a draft National Encryption Policy as given under has been formulated by an Expert Group setup by DeitY based on which the Rules would be framed. Comments from the public are invited on the draft Policy.

You can send your comments by 16/10/2015 to Shri A. S. A. Krishnan, Scientist ‘G’, Department of Electronics and Information Technology, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi: 110003, Email: akrishnan@deity.gov.in.”

A copy of the detailed notification is available on the DeitY website here:

The draft policy as proposed is reproduced below:

Draft Notification on modes and methods of Encryption prescribed under Section 84A of Information Technology Act 2000

1. Definitions – In these Rules/Policy, unless the context otherwise requires, –

(a) The following definitions Cryptography, Encryption, Hash, Key, Public Key Cryptography/Asymmetric Cryptography, the meaning of aforesaid definitions has already been provided under Information Technology Act 2000, Rules and Regulations made there under.
(b) Symmetric Encryption is a method of encryption where the same key is used for both Encryption and Decryption. The key must be kept secret, and is shared by the message sender and recipient.

2. Symmetric Cryptographic/Encryption products with AES, Triple DES and RC4 encryption algorithms and key sizes up to 256 bits are prescribed by the Government for use for protecting information by stakeholders.

3. Asymmetric Cryptographic/Encryption products as prescribed under Information Technology Act 2000, Rules and Regulations made there under shall be used for Digital Signature purposes by stakeholders.

Apart from the draft notification, the detailed notification provides a “National Encryption Policy” and contains some interesting aspects on which corporates would like to deliberate and communicate their views to the Government.

Some of the observations are discussed in a subsequent post.

Naavi

Ref: Copy of the Draft National Encryption Policy



Evidence Act to be amended to facilitate Cyber Crime convictions?

It is reported that an expert committee on Cyber crimes has, amongst other things, recommended an amendment to the Indian Evidence Act.

Ostensibly the objective is to help law enforcement agencies tackle a new generation of cyber crimes, particularly mobile and cloud related crimes.

While the intention is appreciated, it is not clear what exactly is being sought.

This report in The Hindu makes a reference to Section 65B of the Indian Evidence Act and hints at some misunderstanding about the section.

Section 65B provides an option to convert electronic evidence into an admissible form for presentation in a Court. The presentation can be either in electronic form with digital signature authentication, or in paper form with a written signature, and should contain an appropriate certification.

The certification is meant to give prima facie validity to the evidence and to fix accountability on the person producing the evidence.

There is some confusion on who has to sign the certificate, and the Hindu report also suggests the same.

It is to be understood that a Section 65B certificate only certifies the conversion of electronic evidence present in one form into another form in which it can be presented to a Court. It does not validate the truthfulness of the content, but only tells the Court that “This is what is present in Cyber Space”. It is a “matter of fact” certification of something present in cyber space which is copied onto a CD or printed out for the purpose of presentation to the Court. What a Section 65B certificate provides is an assurance to the Court that this process of conversion has been carried out in accordance with the procedure mentioned in the section and certified as indicated therein.

I wish that before making any amendments, the Government explores providing an “Explanation” and avoids creating any further confusion on the interpretation of the section.

We must reiterate that in the case of Section 66A, the inadequacies and ignorance of the Police were carried through the system and finally a wrong decision was taken at the highest level. Similarly, the suggestions of the Home Ministry for amending the Evidence Act may result in wrong decisions if they are not properly discussed and evaluated. I hope the Government will not be in a hurry to carry out an amendment before such a debate.


Naavi


baazee.com issue lingers in Court, even after 11 years. What is it that we have learnt?

It is a sad commentary on the Indian legal system that litigation in Courts lingers on for decades. In fact it was a surprise to learn that the baazee.com case has still not been fully resolved by the judicial system, and the proceeding against one of the officials of the company under Section 79 of ITA 2000 is still to be disposed of.

As readers are aware, the baazee.com case was a landmark case under ITA 2000. It involved a video of a sexual act between two minors being sold through the e-commerce platform.

The person who sold the material was Mr Raviraj, a student of IIT Kharagpur, who was charged under Section 67 of ITA 2000 (and also under Section 292 of IPC). Simultaneously, the CEO of baazee.com (now ebay.in), Mr Avnish Bajaj, was also charged for failing to exercise due diligence under Section 79. Baazee.com defended itself by stating that the terms and conditions presented were sufficient due diligence, which was not accepted by the Court. However, Mr Avnish Bajaj was acquitted because the Police had launched the proceedings against him as the CEO of a company under Section 79 without first making the company an accused.

Now it is understood that one of the residual cases attached to the main case, in which a manager of Baazee.com, Mr Digumarti, is charged under Section 292 of IPC, is yet to be disposed of, though he was discharged of the offence under ITA 2000.

See report here.

The case would come up for hearing on October 9th, where the questions of whether Mr Digumarti had exercised due diligence and whether he could have prevented the offence being committed would be discussed.

We hope the unfortunate manager will be freed from this decade-long agony he was made to suffer because of the unfortunate incident.

However, it is sadder to think that even after observing the predicament of this manager, and how the law hurts when officials do not exercise “Due Diligence”, the corporate managers managing e-environments today might not have implemented what may be termed “Due Diligence” in most cases.

It is important that we all review the “Due Diligence” at our end and protect ourselves from the kind of problems which both Mr Digumarti and Mr Avnish Bajaj faced in this case.

In order to check whether a Company has been following “Due Diligence”, the first thing for every executive is to conduct an ITA 2008 compliance audit and document the gaps in compliance. If the executives fail to move even now, then they have nobody else to blame if they face civil and criminal liabilities for offences committed by their customers.

The undersigned has been advising companies about their responsibilities in this regard and will closely watch whether there is any increased interest in the corporate world in knowing what ITA 2008 compliance is.

One of the challenges observed is that most corporate executives have been brainwashed into a state where they are unable to understand the importance of ITA 2008 compliance, even while there is high awareness of compliance with technical information security frameworks such as ISO 27001 and PCI DSS.

The information security professionals in organisations are yet to fully appreciate that “Legal compliance” alone can be the primary tool to defend them against liabilities, while “Best Practice compliance” can only be a secondary tool. Hence any amount of investment in ISO 27001 or PCI DSS will be inadequate when it comes to seeking protection against the kind of liabilities which Mr Avnish Bajaj or Mr Digumarti faced.

Some of them will realize it the hard way in times to come.

I would therefore once again urge all CEOs and CISOs to start asking yourselves whether your company is ITA 2008 compliant, and to take steps to comply before your company becomes the next baazee.com. Don’t hesitate to contact the undersigned if you need any clarifications.

Naavi


An Open Letter to Sri Modi on Cyber Insurance

18th September 2015

To

Sri Narendra Modi, Honourable Prime Minister, Government of India

Sub: “Cyber Insurance For All Netizens of India”

Dear Sir,

One of the distinguishing features of the Governance model adopted by your Government is its reliance on technology. “Smart Governance through E-Governance” is the recognizable face of this Government.

In pursuance of this policy, you have adopted “Aadhar” as the core citizen identity and are linking every welfare program of the Government to this e-identity of the Citizens. In a way you are converting every Citizen into a Netizen. With ambitious projects such as “Smart Cities” and “Digital India” on the anvil, the dependence of society on technology is only going to increase.

I am fully in support of this push for the use of technology for development and have been advocating such a policy for a long time, as documented at www.naavi.org. I had also advocated a “Charter of Demand for Netizens” which included several initiatives, including “Digital ID for all Citizens of India” and “E Consumer Protection”. I request you to kindly take some time to look into these suggestions.

I firmly believe that the success or failure of your Government will be hugely influenced by the success or failure of the E-Governance model which you are adopting, and hence no stone should be left unturned to make it a success.

However, I always keep recalling how Mr Chandrababu Naidu lost an election despite his many good E-Governance measures in Andhra Pradesh. This should be remembered as a lesson for people like you who want to do good things while society may not be fully ready to absorb the long-term thinking.

Cyber space has its fair share of risks, and any society dependent on Cyber technology is open to the adverse effects of cyber attacks from cyber criminals, cyber terrorists and Cyber war capable nations.

It is therefore a certainty that such cyber attacks will have to be faced by society from time to time. Measures to prevent an adverse fallout should therefore be considered inevitable.

We know that Cyber risks are a necessary evil that has to be endured, but politicians in the opposition will easily portray any adverse attack as a consequence of the “Anti People Policies” of the Government.

For example, if there is a Cyber attack on the Indian Banking system and 10000 customers lose the money in their JanDhan accounts, the opposition will say that it is a scam and that all the money has been misused by BJP politicians. In the charged atmosphere that may follow, the perception battle is more likely to be won by the opposition than by the Government.

If therefore your Government needs to insulate itself from the risk of being blamed for Cyber risks, you need to go the extra mile to ensure that citizens don’t lose out from cyber attacks.

In this context, I suggest that there is a need for a policy of “Cyber Insurance for All” as a means of protecting the Netizens from the vagaries of Cyber risks.

“Cyber Insurance” is protection against financial losses arising out of cyber crimes such as “Phishing”, “Identity Theft”, “Denial of Service”, “Hacking” etc. It includes frauds involving the cloning of credit cards, debit cards, ATM cards, Aadhar data, etc. It includes mobile related frauds, which will be one of the biggest threats of the future, where a large number of victims will each lose a small amount, making it impossible for them to invoke any traditional legal remedy such as approaching the Courts.

Just as “Drip Irrigation” is essential to fight the vagaries of failure of rains in the agricultural sector, “Cyber Insurance” is essential to fight the risks of cyber attacks in the Digital environment.

In the Motor Insurance area there is already a concept of Mandatory Third Party insurance. A similar policy is required in the E Commerce and E Banking area.

Of late, RBI has issued many licenses for Payment Banks and Small Banks as well as new generation Banks. These will all be heavily technology dependent, and the customers will hold all the risks. Hence RBI should be persuaded to mandate that all new Banking licensees introduce mandatory Cyber Insurance for their customers.

Kindly don’t be swayed by any argument that Cyber risks are not “insurable” because the risk is too huge to be covered, or that no insurance company may be interested, etc. Presently, insurance companies are doing a profitable cyber insurance business but are restricting it to companies and not extending it to individuals. They are milking the higher end of the market and avoiding the lower end because they feel it is expensive to manage. They need to be persuaded and incentivized to provide retail cyber insurance policies.

If the Rs 12 per year accident insurance policy for a cover of Rs 2 lakhs against accidents is commercially feasible, an individual cyber crime insurance policy that protects individuals against any loss, say to the extent of Rs 10000/- to Rs 25000/- per incident, must also be feasible.

I therefore suggest and also urge you to adopt “Cyber Insurance for ALL” as a new policy of the Government to support its Digital India initiative.

Regards

Yours faithfully

Na.Vijayashankar (Naavi)

Founder: www.naavi.org


Cyber Insurance Website launched

In pursuance of Naavi’s efforts to promote the concept of Cyber Insurance in India, Naavi has launched a dedicated website, cyberinsurance.org.in, to discuss all issues of Cyber Insurance in India.

Naavi considers Cyber Insurance an important developing field because, in an era of increasing Cyber threats accompanied by increasing usage of the Internet in a Digital India, the Netizen community needs to be protected against the risks.

Naavi also considers that Cyber Insurance is an extension of Techno Legal Information Security activities, since “Risk Transfer” is one of the four ways risks can be managed in business, the others being Risk Avoidance, Risk Absorption and Risk Mitigation.

For the last several years, Naavi has been discussing the issue of Cyber Insurance with several industry players but has found very little interest in the subject in the market place.

The reasons are many. Some may consider that, like many of Naavi’s obsessions, this is ahead of its time and the business is yet to mature. Some may have no confidence that this is a viable business. Some may think it is somebody else’s responsibility.

The recent India Cyber Insurance Survey 2015 and the interactions Naavi has had with professionals in the Insurance industry suggest that there is still a lot of ground to be covered in this field by both the Insurance industry and the Information Security industry.

But Naavi considers that this ground has to be covered if our dream of Digital India is not to end up as a disaster.

Naavi has urged PM Mr Narendra Modi that, just as he launched the life and accident insurance schemes for the masses as part of his national agenda, he needs to push Cyber Insurance as part of the Digital India agenda.

We hope that in due course this would be accepted as a policy in the Government.

In the meantime, we shall continue our efforts to popularize the concept of Cyber Insurance and also provide whatever assistance the industry requires to enhance the use of Cyber Insurance.

For some time there may be dual posting of articles between naavi.org and cyberinsurance.org.in.

However, I expect that cyberinsurance.org.in will attract contributions from other professionals and develop into a community website.

I welcome contributions.

Naavi
