Encryption Scheme in India

Introduction

Encryption schemes allow creators to protect their original work from unwanted access. Content encryption is a way of restricting a work, in a digital environment, to its authorised users. Encryption scrambles the bits that make up the digital material so that it cannot be read until it is decrypted, and the keys needed to decrypt the work are made available only to authorised users.

Laws in India for regulation of encryption key/code

India does not have a specific encryption law. However, a number of sector-specific rules, such as those governing the banking, finance and telecommunications industries, prescribe minimum encryption standards to be used in protecting transactions. Apart from Section 84A, which delegates to the Central Government the authority to frame rules on the use and regulation of encryption, the Information Technology Act, 2000, which regulates electronic and wireless modes of communication, contains no substantive provision or policy on encryption. The Central Government has not enacted any rules under this provision to date. Beyond that, there are a few sectors in which encryption technologies and products are controlled and mandated by particular terms and conditions:

  • Department of Telecommunication (DoT) License with Internet Service Providers (ISPs)

The terms and conditions of the licensing agreement between the Department of Telecommunications and Internet Service Providers allow the use of encryption technologies of up to 40 bits with RSA algorithms or equivalents without prior clearance from the DoT. A higher encryption standard may be used only with authorisation and deposit of the decryption key, in two halves, with the DoT. Furthermore, under these licensing terms, ISPs are prohibited from implementing mass encryption (Clause 2.2 (vii) of the License Agreement between DoT and ISP, January 2010). It is essential to note, however, that while the Unified Service License Agreement expressly prohibits mass encryption (Clause 37.1), it does not mandate a 40-bit standard. Instead, it declares that the acceptable encryption standard under that Agreement shall be governed by regulations established under the Information Technology Act, 2000 (Clause 37.5). As previously noted, however, no rules prescribing or controlling the use of encryption technology in India have yet been made under the IT Act.

  • Securities and Exchange Board of India (SEBI) Guidelines on Internet based Trading and Services

According to the Report on Internet Trading of the SEBI Committee on Internet based Trading & Services, a 64/128-bit encryption standard is recommended for secure transactions and online trading. "128 bit encryption should be permitted to be widely utilised," it stated emphatically. This is tempered, however, by the requirement that the Department of Telecommunications' encryption policy and regulations be followed. "Data in motion and data at rest should be in encrypted form by using strong encryption methods such as Advanced Encryption Standard (AES), RSA, SHA-2, etc," SEBI mandates in paragraph 30 of its cyber security and cyber resilience framework for Stock Exchanges, Clearing Corporations and Depositories, as well as for Registrars to an Issue / Share Transfer Agents with a portfolio of over two crore.

  • Reserve Bank of India (RBI)

In its Report on Internet Banking, released in 2001, the RBI mandated a minimum security standard of SSL for server authentication and client-side certificates, 128-bit SSL encryption for communication between browsers and the server, and encryption of sensitive data such as passwords while in transit within the enterprise.

  • Information Technology Rules, 2000

These Rules describe how digital signatures are to be verified. Rule 3 requires that digital signature authentication be done using a public key encryption technique. The standards for public keys that may be used for this purpose are set out in Rule 6 of these Certifying Authorities Rules: PKCS#1 RSA Encryption Standard (512, 1024, 2048 bit), PKCS#5 Password Based Encryption Standard, or PKCS#7 Cryptographic Message Syntax Standard. Most of the standards named under this regulation use key lengths greater than 40 bits, which is the maximum allowed without approval under the licensing terms of the ISP-DoT agreement.

  • Data Security Council of India's (DSCI) recommendation

In 2009, the DSCI and NASSCOM submitted recommendations to the Department of Information Technology proposing an Encryption Policy for India, together with additional industry inputs. One of the proposals is to move away from the 40-bit standard entrenched in the DoT licence to ISPs and instead adopt a 256-bit encryption standard using the AES algorithm or equivalents for e-commerce platforms, together with SSL for end-to-end authentication.

Prohibition on Encryption technologies in India

Under the licensing agreement between the ISP and the DoT, users may not employ encryption standards stronger than 40 bits using symmetric key algorithms or similar methods without prior clearance and deposit of the decryption keys. As stated above, a variety of other rules and recommendations prescribe encryption levels greater than 40 bits for particular sectors. In the absence of a comprehensive encryption policy or regulation, or of any procedure laid down under the Information Technology Act, 2000, service providers are not bound by any encryption-strength limitation under the provisions of the Unified Service License Agreement. As a result, the 40-bit restriction in practice applies only to individuals, companies or groups using ISP platforms that operate under a licensing agreement between DoT and ISP.
