National Encryption Policy withdrawn

According to the latest information, the Government has completely withdrawn the draft Encryption Policy announced last week and put up for public comments.

A new policy may be drafted and released in due course.

Hopefully, this time it will consult the right persons before the policy is publicized.

Naavi

P.S: It would be interesting to know who owns the responsibility for the badly drafted policy, which was under gestation for nearly six years from the day ITA 2008 was notified on 27th October 2009. (Observe that the policy is not on a letterhead and is not signed. The addendum is just a note on a piece of paper, again unsigned.) It has given an opportunity for certain opposition political parties to score brownie points. Was it the hidden agenda?… Otherwise it is difficult to imagine that such policy documents could be written by an IAS cadre officer.

The honourable minister Mr R S Prasad needs to conduct an enquiry, since this is not the first time the Minister has been painted in a bad light because of thoughtless policy announcements. There is a possibility that somebody in the department is working at cross purposes with the Minister. If this is not properly addressed now, there will be many more occasions in future where the Minister will have to take the blame for inefficient departmental work.

Naavi

@17.30


Posted in Cyber Law

Clarification on National Encryption Policy.. Does not mean E Banking is exempted from security

After the criticism that emanated over the weekend on the draft National Encryption Policy that the Government released last week, the Government has quickly issued some clarifications.

The original policy is available here

We had provided our comments and suggestions on the draft policy in our earlier post.

We had requested the Government to exempt the individuals from the responsibilities of being bound by this encryption policy and enforce it only through the intermediaries. Others have highlighted the fact that “need to preserve encrypted information for 90 days” is an additional security risk and privacy invasion.

Keeping in view the upcoming US visit of Mr Modi and the possible repercussions if the privacy issue is left unattended, the Government has moved fast to issue a “Clarification”.

The clarification reads as follows:

PROPOSED ADDENDUM TO THE DRAFT ENCRYPTION POLICY

By way of clarification, the following categories of encryption products are being exempted from the purview of the draft national encryption policy:

1. The mass use encryption products, which are currently being used in web applications, social media sites, and social media applications such as WhatsApp, Facebook, Twitter etc.

2. SSL/TLS encryption products being used in Internet-banking and payment gateways as directed by the Reserve Bank of India

3. SSL/TLS encryption products being used for e-commerce and password based transactions.

(Copy of the clarification text issued. It is unsigned and not on a letterhead, just like the policy itself.)

It is unfortunate that a clarification became necessary so soon after the issue of the draft NEP. At the same time it should be appreciated that releasing the draft policy for public comments and reacting to the feedback quickly was good. At least we can say that the department has been responsive.

Some in the media are however misrepresenting the clarification and stating that “E Banking is exempted from Encryption Policy”. 

This is however not the correct interpretation. E Banking has already been under the guidance of the RBI, and the G Gopalakrishna Working Group has already given elaborate guidelines on E Banking security. Additionally, there is an industry-level information security standard already in place. The clarification only means that the security need not be limited to what is mentioned in the encryption policy and could be different.

The same interpretation holds for other sensitive departments of the Government which are exempt from this policy. They (such as the Military and Police) need to keep the information encrypted at levels better than what is suggested in this policy.

It should also be remembered that this is only a policy guideline which is subordinate to the law contained in Information Technology Act 2008. It cannot be ultra vires the Act.

The ITA 2008 already has a provision under Section 69 that the Government (through the CCA) has the power to demand decryption of any communication. There is no need for this policy to demand decrypted messages from WhatsApp or other messaging systems.

Under Section 67C, there is a provision for data retention norms being set. Government may set here any time limit for retention of data by any intermediary.

Further, any information that becomes “Potential Data related to a cognizable offence” becomes “Evidence” and has to be retained for an indefinite period; failure to do so can amount to a contravention of Section 65 of ITA 2008.

Sections 67C and 65 carry 3 years’ imprisonment and Section 69 carries 7 years’ imprisonment if the IT user/intermediary does not comply.

For some data to be treated as “Potential Evidence”, a notice from law enforcement is not mandatory. Knowledge that the data may hold evidentiary value is sufficient. A notice will however seal the status of the data, changing it to “Potential Evidence” which needs to be preserved.

This is part of the ITA 2008 compliance that every IT user needs to follow at present, and this would continue.

Hence, the media should not proliferate the incorrect view that “E Banking” and “E Commerce” are exempt from the encryption policy and, inter alia, from the need to retain data, particularly data suspected to be “Evidence”.

In the past, the media, by its ignorance, created a situation where Section 66A was wrongly painted as unconstitutional and even the Supreme Court Judges were rendered blind to reality and scrapped the section just to correct a false perception. In the last few days, we have also pointed out how the Karnataka Government, in its ignorance of Cyber Law, has passed a Bill which is ultra vires the ITA 2008, and how the Adjudicator of Karnataka in the past created an untenable legal situation out of his ignorance of ITA 2008. Now the media highlighting “E Banking exempted from Encryption Policy” will be another misperception that will circulate and gain acceptance among the uninformed.

We need to ensure that this mistake does not happen.

The Government when it issues the final policy should therefore clarify that E Banking and E Commerce are expected to use encryption systems commensurate to what can be considered as “Reasonable Security Policy” under ITA 2008. This will be another Suggestion that we would like to make to the department on the policy.

Naavi

Posted in Cyber Law

Karnataka Government’s mistake may embarrass the President of India

The Registration (Karnataka Amendment) Bill 2015 was passed by the Karnataka Legislative Assembly on 30th March 2015. On the same day, it was also passed by the Legislative Council. Since the matter involved a partial amendment of the Indian Registration Act 1908, it has been sent to the Central Government for the assent of the President of India.

If there are no objections from any of the departments of the Central Government, the Bill will be automatically assented to by the President and would become an Act.

As has been pointed out in detail in our earlier post, the Bill is in direct violation of the Information Technology Act 2000 (ITA 2000). The ITA 2000 does not provide legal recognition to electronic documents which transfer title in immovable property, or to a Power of Attorney document.

The Karnataka Bill is meant to introduce e-Governance in the registration department and provides for electronic documents to be presented online for registration. Since there is no recognition for such documents, the provision should be considered as unconstitutional.

It is regrettable that the e-Governance department of the Karnataka Government has not done proper consultation before pushing the Bill. The legislators obviously have no knowledge to check whether the Bill is consistent with other laws of the country or not. If the President assents to the Bill in the normal course, the dubious distinction of passing an invalid legislation will fall on the honourable President of India.

The issue needs to be taken note of seriously by all the people concerned and accountability fixed for such an irresponsible action by the officials.

It may be recalled here that Karnataka already has the dubious distinction whereby one previous IT Secretary, in 2011, acting in his capacity as an Adjudicator, held that the term “Person” in Section 43 of ITA 2000 means only an individual and does not include a Body Corporate. To this we now have another dubious feather in the cap for the Government of the Silicon City of India. (Refer to an earlier post: Will the CM of Karnataka respond?)

I urge the IT Ministry in Government of India to take necessary steps so that the e-Governance and IT Secretaries in all the States are adequately trained on Cyber Laws. Also they need to ensure that similar faulty laws are not passed by other States also in a bid to push use of technology in Governance.

Naavi

Posted in Cyber Law

Cyber Extortion..What would you do if you were this victim Company?

Today, the Times of India has reported a Cyber Extortion attack on the Managing Director of a Company in Hyderabad. Typically in such cases, the data of the Company is hacked and encrypted. The authorized persons who try to access it are confronted with a message to pay a ransom for getting the decryption password. In this particular case, the ransom amount demanded is $1000/-

Refer Article here

Let us pick up this case as a hypothetical case study by assuming that this Company had obtained Cyber Crime Insurance. We shall then discuss some of the possible developments.

I request readers to send their views on “If you are the MD who is the victim of the Hyderabad incident, and your company has a Cyber Insurance policy, what would you do now”.

(Of course, if you do not have Cyber Insurance, then you may take a different set of actions since you have no obligations.)

(…To be continued on cyberinsurance.org.in)

Naavi


Posted in Cyber Law

Has Karnataka Legislature passed a faulty legislation and set to create a new Telgi?

The Government of Karnataka has recently passed an amendment to the Indian Registration Act 1908 through The Registration (Karnataka Amendment) Bill, 2015 which has been forwarded to the President of India for his assent.

The Bill has been drafted in direct violation of the Information Technology Act 2000, and it is strange that it has been drafted and passed by both Houses of the Karnataka Legislature and forwarded to the President for his assent.

The President’s office has no option but to reject the Bill as it is constitutionally invalid. 

The objective of the Bill is stated to be “to amend the Registration Act 1908 (Central Act 16 of 1908) in its application to the State of Karnataka to provide for online Registration of Agreement for Sale, Lease Deed and Leave and License Agreements and for online filing of true copies of Court orders, Decrees and Mortgages by way of Deposit of Title Deeds etc., sent by Banks and other Financial Institutions..”

It may be recalled that Section 1(4) of the Information Technology Act 2000 (ITA 2000) provides the details of documents that are outside the scope of the Act. (These are now listed in the First Schedule, after the amendment in 2008.)

Section 1(4) of ITA 2000 as amended in 2008 (ITA 2008) states as follows:

Nothing in this Act shall apply to documents or transactions specified in the First Schedule by way of addition or deletion of entries thereto.

This “Nothing in this Act shall apply” exclusion covers Section 4 of ITA 2000, which provides legal recognition for electronic documents as equivalent to paper documents; Section 5 of ITA 2000, which provides legal recognition of electronic/digital signatures as equivalent to physical signatures; as well as other sections of the Act, including Sections 6, 6A, 7, 7A, 8 and 9, which directly apply to e-Governance transactions.

The following are the documents which are indicated in the First Schedule which are outside the purview of ITA 2000/8 by virtue of this section.

Documents or Transactions To Which the Act Shall Not Apply

1. A Negotiable Instrument (other than a cheque) as defined in Section 13 of the Negotiable Instruments Act 1881 (26 of 1881)
2. A Power of Attorney as defined in Section 1A of the Power of Attorney Act 1882 (7 of 1882)
3. A trust as defined in Section 3 of the Indian Trusts Act, 1882 (2 of 1882)
4. A will as defined in clause (h) of Section 2 of the Indian Succession Act, 1925 (39 of 1925), including any testamentary disposition by whatever name called
5. Any contract for the sale or conveyance of immovable property or any interest in such property

As one can see, “Any contract for the sale or conveyance of immovable property or any interest in such property” is outside the scope of this Act and if such documents are rendered in Electronic form, they are not recognized in law.

Hence the proposed amendment is bad in law ab initio.

The amendment proposes that under Section 32 (of the Indian Registration Act), documents (including compulsorily registrable documents) can be presented “by electronic means” either by a person who is executing the document or by a person claiming under the same. There is no mention of electronic or digital signatures anywhere in the Bill.

If such documents are to be presented as electronic documents, then they may include documents that fall into the category 5 mentioned in First Schedule of ITA 2008.

If anybody other than the executant has to present the documents, then a Power of Attorney is required, which also may be outside the Act as per item 2 on the list of excluded documents.

The legislation proposed is therefore impossible to pass under the current law, and if by inadvertence it is given assent by the President, then a situation will be created similar to what Karnataka faced during the Telgi fake stamp episode, when a number of documents were registered though no stamp duty was paid to the Government coffers, making them void in law.

It is regrettable that the persons responsible for drafting the Bill and pushing it through the legislature have demonstrated a total ignorance of the provisions of the Information Technology Act 2000, and there is a need for the Government to fix responsibility on the officials responsible for the faux pas.

We urge the State Government to apologise to the honourable President of India and immediately withdraw the Bill.

We also request the office of the President, as well as the Ministry of Law and Justice to take note of the impending disaster and advise the President immediately not to provide assent in the normal course.

Naavi

P.S: Copy of the amendment bill

Posted in Cyber Law

Comments on the Draft National Encryption Policy from Naavi

The Government of India has announced a draft National Encryption Policy as an adjunct to the requirements under Section 84A of ITA 2008, which required a notification on the approved modes and methods of encryption for use in e-Governance and e-Commerce.

The policy acknowledges that the meanings attached to the different methods of encryption, namely hashing, symmetric encryption and asymmetric encryption, have already been explained under ITA 2000. The modes of encryption to be used, and the algorithms for hashing and asymmetric encryption used in digital signatures, have also already been prescribed under ITA 2000 by the CCA.

What ITA 2000/8 had not done was to specify which algorithms are considered approved for symmetric encryption, whether used in SSL systems or for encryption of data in storage.

Now the draft notification indicates that the AES, Triple DES and RC4 encryption algorithms, with key sizes up to 256 bits, are to be used. We may however note that the RSA keys used for asymmetric encryption as per CCA guidelines have key sizes of 2048 and 4096 bits (Ref notification GSR 783(E) dated 25th October 2011, read along with earlier notifications).

(For non-technologists, it is always difficult to understand the difference between key length and encryption bit length, and the difference between symmetric and asymmetric key strengths. In RSA, the bit length is indicative of the size of the integer used in the mathematical model, whereas in a symmetric key system the bit length just indicates the number of bits in the key. Technologists say that a 2048-bit RSA key length is equivalent to 256-bit key strength in symmetric encryption from the point of view of breaking through brute force.)
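The distinction drawn in the parenthetical above is worth making concrete. As an added illustration (not code from the original post, and not part of the draft policy or any CCA notification), the following Python compares the two notions of “bit length”: a k-bit symmetric key means 2^k candidate keys for a brute-force attacker, while an RSA key length is the size of a composite modulus that is attacked by factoring, which is far cheaper than trying every key. One caveat for practitioners: the published equivalence tables in NIST SP 800-57 Part 1 rate a 2048-bit RSA modulus at about 112 bits of symmetric-equivalent strength, and match 256-bit symmetric strength only with a 15360-bit RSA modulus; the General Number Field Sieve (GNFS) run-time formula in the code is the standard heuristic behind such tables. The `compare` reporting function and the table-lookup rule for intermediate sizes are this example’s own choices.

```python
"""Why "2048-bit RSA" and "256-bit AES" are not comparable numbers.

Added illustration (not part of the original post or the draft policy).
The NIST SP 800-57 Part 1 figures are reproduced as a reference table;
the GNFS estimate is the standard heuristic for factoring effort.
"""
import math

# Security strength in bits for a given RSA modulus size, as published
# in NIST SP 800-57 Part 1.
NIST_RSA_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}


def symmetric_strength_bits(key_bits: int) -> int:
    """A k-bit key of a sound symmetric cipher gives k bits of strength:
    the attacker has 2**k candidate keys and no shortcut."""
    return key_bits


def rsa_strength_bits_gnfs(modulus_bits: int) -> float:
    """Heuristic strength of an RSA modulus n from the GNFS run time
    L_n[1/3, (64/9)^(1/3)] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)).
    log2 of that work factor is the approximate number of 'security bits'."""
    ln_n = modulus_bits * math.log(2)            # ln of a modulus of this size
    c = (64.0 / 9.0) ** (1.0 / 3.0)
    work_ln = c * ln_n ** (1.0 / 3.0) * math.log(ln_n) ** (2.0 / 3.0)
    return work_ln / math.log(2)                 # ln(work) -> log2(work)


def nist_rsa_strength_bits(modulus_bits: int) -> int:
    """Look up the NIST figure. Sizes between table entries map to the
    largest tabulated modulus not exceeding them (conservative choice
    made for this example)."""
    sizes = sorted(s for s in NIST_RSA_STRENGTH if s <= modulus_bits)
    if not sizes:
        raise ValueError("modulus smaller than any tabulated size")
    return NIST_RSA_STRENGTH[sizes[-1]]


def compare(modulus_bits: int, sym_bits: int) -> dict:
    """Return both estimates side by side, e.g. for a policy review note."""
    return {
        "rsa_modulus_bits": modulus_bits,
        "rsa_strength_nist": nist_rsa_strength_bits(modulus_bits),
        "rsa_strength_gnfs": round(rsa_strength_bits_gnfs(modulus_bits)),
        "symmetric_key_bits": sym_bits,
        "symmetric_strength": symmetric_strength_bits(sym_bits),
    }


if __name__ == "__main__":
    # The CCA sizes named in the post (2048 and 4096) alongside the
    # modulus NIST pairs with 256-bit symmetric strength.
    for rsa, sym in ((2048, 128), (4096, 192), (15360, 256)):
        print(compare(rsa, sym))
```

Running the block prints that a 2048-bit modulus lands near 112 to 117 bits by either method, well short of the 2048 a reader might assume from the key length, which is why a policy that fixes “key sizes up to 256 bits” for symmetric ciphers says nothing about what RSA size is adequate.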

The National Encryption Policy (NEP) goes much beyond the Section 84A requirements and the draft as provided for public comments may have impact on the larger public and hence it needs a discussion at some length.

Applicability:

  1. The Draft National Encryption Policy (D-NEP) is applicable to all Central and State Government Departments (including sensitive Departments / Agencies while performing a non-strategic and non-operational role), all statutory organizations, executive bodies, business and commercial establishments, including public sector undertakings and academic institutions, and all citizens (including Personnel of Government / Business performing non-official / personal functions). (See Suggestion 1 below)
  2. It is not applicable to sensitive departments / agencies of the government designated for performing sensitive and strategic roles.

Classification:

Based on the nature of transactions that require encryption the users in the Policy are classified as:

(i) Govt. – All Central and State Government Departments (including sensitive departments / agencies while performing non-strategic and non-operational role).
(ii) All statutory organizations, executive bodies, business and commercial establishments, including all Public Sector Undertakings, Academic institutions.
(iii) All citizens (including personnel of Government / Business (G/B) performing non-official / personal functions).
(iv) G2G Government to Government users
(v) G2B, G2C, B2G & C2G Government to Business & Government to Citizen users
(vi) B2B Business to Business users
(vii) B2C & C2B Business to Citizen users

The Regulation

(1)  Use of Encryption technology for storage and communication within G group of users with protocols & algorithms for Encryption, key exchange, Digital Signature and hashing will be as specified through notification by the Government from time to time.

(2) Use of Encryption technology for communications between G group and B / C groups (i.e. G2B and G2C sectors) with protocols and algorithms for encryption, key exchange, Digital Signature and hashing will be as specified through notification by the Government from time to time.

(3) Users / Organizations within B group (i.e. B2B Sector) may use Encryption for storage and communication.

Encryption algorithms and key sizes shall be prescribed by the Government through Notifications from time to time.

On demand, the user shall be able to reproduce the same Plain text and encrypted text pairs using the software / hardware used to produce the encrypted text from the given plain text. (See Suggestion 2 below)

Such plain text information shall be stored by the user/organisation/agency for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country. (See Suggestion 3 below)

(4) B / C groups (i.e. B2C, C2B Sectors) may use Encryption for storage and communication.

Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time.

On demand, the user shall reproduce the same Plain text and encrypted text pairs using the software / hardware used to produce the encrypted text from the given plain text.

All information shall be stored by the concerned B / C entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country.

In case of communication with foreign entity, the primary responsibility of providing readable plain text along with the corresponding Encrypted information shall rest on entity (B or C) located in India. (See Suggestion 4 below)

(5) Service Providers located within and outside India, using Encryption technology for providing any type of services in India must enter into an agreement with the Government for providing such services in India.

Government will designate an appropriate agency for entering into such an agreement with the Service provider located within and outside India. The users of any group G, B or C taking such services from Service Providers are also responsible to provide plain text when demanded. (See Suggestion 5 below)

(6) Users within C group (i.e. C2C Sector) may use Encryption for storage and communication.

Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time.

All citizens (C), including personnel of Government / Business (G/B) performing non-official / personal functions, are required to store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country. (Suggestion 1 already covers this point)

(7)  Algorithms and key sizes for Encryption as notified under the provisions in this Policy only will be used by all categories of users

Regulatory Framework:

(a) All vendors of encryption products need to be pre registered with the Government of India.

(b) List of Registered vendors would be published by the Government. Users in India would be required to use only products registered in India.

(c) Export of Encryption products would be permitted with prior intimation to the designated agency of the Government of India.

Additionally, the Government has through this policy expressed its intention to support research in encryption and also set up a testing and evaluation infrastructure. A Technical advisory committee will take the responsibility of advising the Government on review of the policy from time to time.

While some of the follow up would be through the notification under Section 84A, the present draft does not contain the information on some of the aspects such as the agency for registration etc. Some more follow up guidelines will therefore be required.

In the meantime, members of the public may send their responses to the Government  by 16/10/2015 to Shri A. S. A. Krishnan, Scientist ‘G’, Department of Electronics and Information Technology, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi: 110003, Email: akrishnan@deity.gov.in

Naavi has some specific observations that are listed below. If the readers have any comments and additional points, they can send them to naavi for consolidation before they are forwarded to the department.

Even if readers do not have any additional observations, I request the readers to send two suggestions, namely to keep the common citizens out of the policy responsibilities and for the Government to conduct a free encryption education certification program for those who are interested. The suggestions may be sent by email to the email address akrishnan@deity.gov.in directly before 16th October 2015.

Naavi’s Observations/Suggestions

Suggestion 1:

The NEP is made applicable to all organizations except sensitive departments of the Government. It is presumed that the sensitive departments to whom the policy is not applicable may use more stringent encryption norms. What is however notable is that the policy is applicable to common citizens.

Government must take note that the knowledge and expertise of common citizens may be inadequate to understand the nuances of encryption.

Though the Citizens will be indirectly impacted by the policy as implemented by the Government or Business users, Citizens cannot at this point of time assume the responsibility for direct compliance of this policy since their ignorance would be exploited by intermediaries for business gain.

For example, if a Citizen uses a service available on the internet which uses, say, a higher level of encryption than what is approved, then this policy may make him liable for the violation. The user may not even know what encryption is being used within a software product or service that he may buy, and whether that product is “NEP-compliant”. The service provider himself may be outside the jurisdiction and hence escape liability, including the responsibility for registration.

Already Netizens in India are being pushed to the use of technology without appropriate security cover or Cyber Insurance cover, and the encryption policy will introduce one more risk and possible liability for the honest citizen.

If the Government wants to make common citizens responsible for knowing the encryption policy, how it is operated in practice and how it affects them, there has to be a large scale education program.

Government should provide a “Free Encryption Education Certification” program to all interested Netizens.

There is also a need to clarify in the common man’s terms, in the policy document itself, what the “Strength of Encryption” means, how it differs between Symmetric and Asymmetric systems, the difference between cipher block sizes and key lengths, etc.

Further, keeping in view the inconsistent use of terms by technologists, the Government should push through Cyber Insurance for individuals so that any liabilities arising out of inconsistent technical interpretations about the “Strength” of encryption is covered by insurance.

Suggestion 2:

Most of the intermediaries who provide services to Netizens store the passwords of the Netizen users in hashed form. Some technologists consider that hashing is also a method of encryption (though the draft notification under Sec 84A has not included hashing as a method of encryption). If hashing is considered as encryption, reversing the process is not feasible.

Hence an explanation may be required to state that “hashing” is not considered “Encryption” for the purpose of this policy and Section 84A.
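The point behind Suggestion 2, that a hashed password cannot be turned back into the plain text the policy asks users to “reproduce”, can be shown directly. The following Python is an added illustration (not code from the original post, and not the practice of any particular intermediary); it uses only the standard library, and the password and record below are constructed sample data. It stores a salted PBKDF2 verifier, checks a login attempt against it in constant time, and demonstrates that the stored record contains nothing from which the password could be recovered. The record layout and the helper names are this example’s own.

```python
"""Hashing versus encryption: a stored password verifier has no plain text
to hand over, because the plain text is never stored.

Added illustration, not code from the original post. Standard library only.
"""
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Derive a one-way verifier for storage.

    The record holds the algorithm, iteration count, a random per-user salt
    and the derived key. The password itself is not written anywhere, so
    there is no "plain text" that a later demand could be satisfied from.
    """
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "alg": "pbkdf2_sha256",
        "iter": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": derived.hex(),
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive from the candidate and compare in constant time.

    Verification is the only operation the record supports: the service can
    say whether a supplied password matches, but cannot recover it.
    """
    derived = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iter"],
    )
    return hmac.compare_digest(derived, bytes.fromhex(record["hash"]))


def record_contains_plaintext(record: dict, password: str) -> bool:
    """Sanity check against the 'reproduce the plain text' requirement:
    scan every stored field for the password. Returns False for a hashed
    record, which is the point of hashing."""
    return any(password in str(value) for value in record.values())


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    sample_password = "correct horse battery staple"
    stored = hash_password(sample_password)
    print("stored record:", stored)
    print("login with right password:", verify_password(stored, sample_password))
    print("login with wrong password:", verify_password(stored, "hunter2"))
    print("plain text present in record:",
          record_contains_plaintext(stored, sample_password))
```

Two details matter for the policy discussion. The random salt means two users with the same password get different records, so the service cannot even tell that they match without re-running the derivation; and `hmac.compare_digest` avoids leaking, through timing, how many bytes of a guess were right. Neither property is compatible with keeping a plain-text copy alongside the hash for 90 days.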

Suggestion 3:

The need to preserve plain text information such as passwords for 90 days provides a wrong impression that Sensitive Personal Information as defined by section 43A of ITA 2008 has to be stored in an insecure manner as per this guideline.

It will also cause confusion as regards retention of data which the law enforcement may require when the data custodian is aware that the information constitutes an “Evidence” under law. There will be conflict with Section 65 of ITA 2008 also in such cases.

The wording of the policy therefore needs to be changed.

Suggestion 4:

The provision to exempt a foreign entity from the responsibility to provide unencrypted information interferes with the right of the law enforcement to conduct investigation in criminal cases where the foreign entity may refuse to part with unencrypted information from their end. This provision can be deleted.

Suggestion 5:

The provision requiring service providers using encryption technology to register and enter into an agreement with a body of the Government of India is redundant and unenforceable as a part of this policy. Since there are a large number of services today which use encryption (even accepting the fact that SSL/TLS users are exempted), this policy may require thousands of websites to enter into agreements with the Government. There is already a provision in Section 69 of ITA 2008, which is statutory law. Hence this provision for entering into a contract should be deleted.

Naavi

Ref: Copy of the Draft National Encryption Policy

Posted in Cyber Law