Thursday, October 1, 2015

Encryption Policy in India - By DEITY

The Information Technology (Amendment) Act, 2008 provides for encryption under Section 84A, which reads as follows:
“84A. The Central Government may, for secure use of the electronic medium and for promotion of e-governance and e-commerce, prescribe the modes or methods for encryption.”

DSCI has engaged with the government to help formulate the encryption policy. To institutionalize its efforts and the industry's engagement with the government, DSCI formed a DSCI Advisory Group on Encryption Policy to discuss these issues in detail and to engage with the government, including its security agencies, so that the government can come up with the policy at the earliest.
Objectives of this policy:
1) To synchronize with the global usage of encryption for ensuring the security/confidentiality of data and to protect privacy without unduly affecting public safety and national security.
2) To encourage wider usage of digital signatures.
3) To encourage the adoption of information security best practices, consistent with industry practice, by all entities and stakeholders in the government, public and private sectors and by citizens.
As per my understanding and view, India must have a solid encryption policy for security reasons, as we face many threats from internal and external terrorists.
Following is the agenda of the DSCI Advisory Group on Encryption Policy:
  • Discuss the business need for encryption in India: specific client requirements in outsourcing, business growth, facilitating financial inclusion, IPR protection, cost reduction by using the internet / cloud computing, etc.
  • Discuss the domestic regulatory requirements for encryption (RBI, SEBI, TRAI, etc.)
  • Identify popular encryption techniques / methods (AES, 3DES, etc.) and encryption strengths (128, 256, etc. bits) used in the Indian industry
  • Share any incidents / frauds / cases that happened because of the use of weak encryption techniques
  • Discuss and deliberate on the recommendations submitted earlier by DSCI-NASSCOM for the Encryption Policy u/s 84A of the IT (Amendment) Act, 2008 and any modifications that may be required
  • Discuss and deliberate on different approaches / recommendations for meeting Law Enforcement Agencies' requirements (for national security) while ensuring business use of strong encryption at the same time (including approaches for key management)
  • Discuss the encryption policies of other countries and how they balance strong business use of encryption and national security
What is the current issue with the Encryption Policy?
The question being asked is: does India's updated draft encryption policy put user privacy in danger? Below is a summary of the current draft, the points that have been raised against it and what has been missed, drawn from various sources, tweets and other commentary.
The following security uses are not covered by the draft policy:
  1. Hard disk encryption products
  2. SSH and RDP encryption (required to manage servers)
  3. Wearables like Fitbit
  4. Smartphone full-disk encryption
  5. Symmetric encryption software to transfer files between humans and computers
  6. OS update servers
  7. Browser update servers
  8. App Store, Play Store, etc.
  9. Encrypted streaming for audio and video
  10. Email encryption
  11. Off-the-Record (OTR) Messaging
  12. Voice communication apps like Skype, etc.
  13. Digital signatures for software
The draft National Encryption Policy also states that:
– Only the Government of India shall define the algorithms and key sizes for encryption in India, and it reserves the right to take action for any violation of this Policy.
– Businesses also have to retain all encrypted data for 90 days from the date of the transaction and make it available to Law Enforcement Agencies on demand, in line with the provisions of the laws of the country.
– Entities in India are responsible for providing unencrypted details of communication with foreign companies in readable plaintext.
– Service providers that provide encryption in India will have to register with the government.
Who is this policy applicable to?
  1. All citizens and their personal usage.
  2. All Central and State Government Departments (including sensitive departments / agencies while performing non-strategic and non-operational roles).
  3. All statutory organizations and executive bodies.
  4. Business and commercial establishments, including public sector undertakings and academic institutions.
Who is this policy not applicable to?
  1. Sensitive departments / agencies of the government designated for performing sensitive and strategic roles.
Source: DEITY, DSCI, Twitter, social media