•  •  Dark Mode

Your Interests & Preferences

I am a...

law firm lawyer
in-house company lawyer
litigation lawyer
law student
aspiring student

Website Look & Feel

 •  •  Dark Mode
Blog Layout

Save preferences

Government asleep over encryption regulations

The Indian Government attacked BlackBerry's manufacturer for providing encryption services that would prevent security services from reading potential terrorists' emails. One year on and the Indian rules surrounding encryption are still a legal quagmire, explains Salman Waris.

Canadian BlackBerry manufacturer RIM came under fire last year for allowing data to flow across its networks with the strong 256-Advanced Encryption Standard (AES), while the regulations required that all service providers adopt weaker encryption standards up to 40-bit.

For a long time countries such as the US considered such strong encryption as military grade technology and placed export restrictions on them. However, after prolonged lobbying from e-commerce and other businesses, strong encryption is now a global standard. Except in India.

There is no specific legislation covering encryption of electronic communication in India so issues relating to ‘electronic data processing’ are currently covered under the Information Technology Act 2000. However, the Act omits to set out the level of encryption that individuals and businesses can use to protect their electronic communications.

To complicate matters further, guidelines by different Government departments provide for different levels of encryption and have grown into a disparate jungle of conflicting rules.

The IT Rules - Information Technology (Certifying Authorities) Rules, 2000
The Government has laid down the IT Security Guidelines for implementation and management of IT security. These Guidelines state that electronic communication systems used for the transmission of sensitive information, such as routers, switches, network devices and computers, must be equipped with suitable security software and, if necessary, with an encryptor or encryption software.

Furthermore the guidelines provide that stored passwords must be encrypted using ‘internationally proven encryption techniques’ to prevent unauthorised disclosure and modification. Such ‘internationally proven encryption techniques’ require RSA Public Key Technology standards like PKCS#1 RSA Encryption Standard (512, 1024, 2048 bit), PKCS#5 Password Based Encryption Standard or PKCS#7 Cryptographic Message Syntax standard under section 6 of the IT Rules.

These are very strong and secure encryption algorithms.

The Securities and Exchange Board of India (SEBI) Guidelines on Internet Based Trading and Services
SEBI also mandates the use of encryption technology for security, reliability and confidentiality of data through use of encryption technology. However, it prescribes a 64 bit/128 bit encryption for standard network security. For securities trading over a mobile phone or Wireless Application Platform (WAP), SEBI recommends that transmission from the WAP Gateway server to the Internet server should be secured using Secured Socket Layer (SSL) security, preferably with 128 bit encryption.

Reserve Bank of India Guidelines on Internet Banking
Similarly, the Reserve Bank of India (RBI) has issued guidelines on internet banking in June 2001. Its guidelines recommend Public Key infrastructure (PKI) as the most favored technology for secure internet banking services. However, due to its limited availability, the guidelines advise that banks should use at least 128-bit SSL for securing browser to web server communications and encryption of sensitive data like passwords in transit within the enterprise itself.

Department of Telecommunications Licensing Regime
The worst of the lot is the present licensing regime of the Department of Telecommunications, which perpetuates an outdated and technologically obsolete approach. This has led to a growing difference between regulations and legislation enacted by the Government of India, the National and International Long Distance License Agreements (NLD and ILD) and the Internet Service Provider (ISP) license agreements.

Both the NLD and the ILD license make it mandatory for the service provider to have prior evaluation and approval from the Department of Telecommunication or an officer specially designated for the purpose, before connecting and installing any encryption equipment to its network. The ILD license also prevents such service providers from employing 'bulk encryption' equipment in their network.

Finally, the ISP license also bans internet providers from deploying 'bulk encryption' and further restricts the level of encryption for individuals, groups or organisations to a key length of only 40 bits in symmetric key algorithms or equivalents.

Such weak encryption is easily broken, highly insecure and not suitable for e-commerce or any other sensitive applications.

For the use of encryption equipment stronger than 40 bits, individuals, groups or organisations are required to obtain prior written permission and to deposit the decryption key, split into two parts, with the Department of Telecommunications.

This is like handing the Government the combination code to your personal or company safe, just in case they may need it.

It is clear that there continue to exist stark discrepancies between the level of encryption recommended under the IT Rules, SEBI Guidelines and RBI internet banking guidelines on the one hand, and on the other the Department of Telecommunications Licensing Regime relating to the ISPs, NLDs and ILDs.

However, despite the furore around the Blackberry issue and the recent amendment of the Indian Information Technology Act, a year down the line the Government has yet to clarify the situation of contradictory regulatory requirements as laid down by its own departments and institutions.

Salman Waris heads FoxMandal Little's technology, media and telecommunications (TMT) practice in Delhi.

If you have a legal opinion you would like to share, please get in touch with us at

Click to show 2 comments
at your own risk
By reading the comments you agree that they are the (often anonymous) personal views and opinions of readers, which may be biased and unreliable, and for which Legally India therefore has no liability. If you believe a comment is inappropriate, please click 'Report to LI' below the comment and we will review it as soon as practicable.