Encryption has been around for almost 4,000 years. The Egyptians were the first to use non-standard hieroglyphs to communicate information, in 1900 BCE. The two oldest encryption methods still in use today are the Atbash cipher used by Hebrew scribes and the Caesar cipher, named after Julius, of Roman and Shakespearean fame. Ciphers were even used by the leader of the Namdhari Sikhs during the Indian Freedom Struggle. I could drone on about the evolution of cryptography and make this section as useful as the paper sheets in which bhel-puri is served. However, this article has an opportunity to contextualise the conversations surrounding encryption in India, and I intend to do exactly that.
Encryption has come a long way since the days of simple substitution ciphers and has found its way into our daily life. Paraphrasing John Oliver from Last Week Tonight, “Encryption helps protect some of our most important information like financial information, health records, pictures of our private parts (refer: Andrew Weiner), trade secrets, classified government records, credit card information…” amongst others. It forms the very basis of the information economy; e-commerce sites, net banking, emails and other services are protected by encrypting traffic.
You would imagine that something as important and central as encryption has had the attention of the government to ensure standardisation and high levels of protection. Prepare to get angry and confused.
There are conflicting policies regarding encryption in different sectors:
- The Securities and Exchange Board of India (SEBI) mandates 64-bit/128-bit encryption for standard network security and 128-bit encryption for socket layer security for securities traded over mobile or a wireless application platform.
- The Reserve Bank of India (RBI) has recommended public key infrastructure of 128-bit key length, as the most-favoured technology for secure internet banking services, as per its guidelines issued on internet banking of June 2001.
- The Information Technology (Certifying Authorities) Rules, 2000, issued by the DoT, lay down the IT Security Guidelines for the implementation and management of IT security. They provide that stored passwords must be encrypted using ‘internationally proven encryption techniques’ to prevent unauthorised disclosure and modification.
What is perhaps most puzzling is that the Internet Service Providers License Agreement (ISP License), entered into between the Department of Telecommunication (DoT) and an Internet Service Provider (ISP) to provide internet services (i.e. internet access and internet telephony services), restricts the use of encryption to a key length of only 40 bits in symmetric algorithms, or its equivalent in others. A 40-bit key has just 2^40 (about 1.1 trillion) possible values, so an attacker who holds the ciphertext and knows even a few bytes of the plaintext (a protocol header, say) can simply try every key: on the order of a week on a weak modern computer, and a matter of seconds or less with intelligence-agency-level computing power.
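To make the 40-bit figure concrete, here is an added example (not from the original article) of the attack that a key-length cap invites: exhaustive key search against a cipher whose key space is small enough to enumerate. The cipher below is a toy construction (SHA-256 in counter mode, XORed with the plaintext) built only so the code runs offline with the standard library; it stands in for any real symmetric cipher, since the search does not depend on the cipher's internals, only on the number of keys. The secret key, the plaintext and the search rate are all constructed here; `search_seconds` then scales the measured rate to 40-bit and 128-bit key spaces.

```python
import hashlib
import time

# Toy stream cipher for illustration only (NOT a real cipher): keystream block i
# is SHA-256(key || i), and ciphertext = plaintext XOR keystream.
# Constructed so the example runs with the standard library alone.


def _key_bytes(k: int, key_bits: int) -> bytes:
    """Encode the integer k as a big-endian key of ceil(key_bits / 8) bytes."""
    return k.to_bytes((key_bits + 7) // 8, "big")


def keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ s for p, s in zip(plaintext, keystream(key, len(plaintext))))


decrypt = encrypt  # XOR with the keystream is its own inverse


def brute_force(ciphertext: bytes, known_prefix: bytes, key_bits: int):
    """Exhaustive key search over all 2**key_bits keys.

    The attacker needs only the ciphertext plus a few bytes of known plaintext
    (here: the start of an HTTP request), and tests each candidate key against
    that prefix. Returns (recovered_key, keys_tried); (None, 2**key_bits) if the
    prefix never matches.
    """
    target = ciphertext[: len(known_prefix)]
    for k in range(1 << key_bits):
        key = _key_bytes(k, key_bits)
        if decrypt(key, target) == known_prefix:
            return key, k + 1
    return None, 1 << key_bits


def search_seconds(key_bits: int, keys_per_second: float) -> float:
    """Worst-case time to exhaust a key_bits-bit key space at a given rate."""
    return (1 << key_bits) / keys_per_second


if __name__ == "__main__":
    KEY_BITS = 18  # small enough to exhaust in a few seconds of pure Python
    secret = _key_bytes(0x2BCDE, KEY_BITS)  # constructed secret key
    # Constructed plaintext; the attacker is assumed to know the "GET /" prefix.
    msg = b"GET /netbanking/login HTTP/1.1\r\nHost: bank.example.invalid\r\n"
    ct = encrypt(secret, msg)

    t0 = time.perf_counter()
    found, tried = brute_force(ct, b"GET /", KEY_BITS)
    rate = tried / (time.perf_counter() - t0)

    print(f"recovered key {found.hex()} after {tried} trials "
          f"({rate:,.0f} keys/s on this machine)")
    print(f"recovered plaintext: {decrypt(found, ct)!r}")
    for bits in (40, 56, 128):
        # Extrapolate this machine's single-core Python rate to larger key spaces.
        print(f"{bits:>3}-bit key space: {search_seconds(bits, rate):.3g} s worst case")
```

The printed rate is for unoptimised Python on one core; a single modern CPU core running a real cipher manages far more, and special-purpose hardware more still. The point is the scaling: every extra key bit doubles the work, so 2^40 is within reach of a single machine (at 10^9 keys/s it is roughly 18 minutes, and at 2×10^6 keys/s roughly 6 days, the scale behind the "one week" figure above), while 2^128 is 2^88 times larger again and out of reach of any conceivable search.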
Finally, the Government has also been granted the power to gain access to the means of decryption or, simply, to decrypted information, under Section 69 of the IT Act and the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, otherwise known as the Decryption Rules.
In a bid to get a hold on the fragmented policies surrounding encryption, the government released a Draft National Encryption Policy, under its power from Section 84A of the IT Act, which was made available for public feedback in late 2015. This draft sought to treat all users of encryption as errant children by prescribing exactly how much and what types could be used. It also made it mandatory to store data in plain text (unencrypted) format for 90 days. Happily enough, it drew enough criticism from all quarters (business, civil society and end users) to force the government to withdraw the draft. I, for one, have been biting my nails waiting for the next draft to drop.
The government department that governs ISPs, the services you use to access the internet and transmit your sensitive data, caps encryption at an outdated, insecure key length which can be cracked in no time; while the departments that regulate important activities online recommend higher encryption standards, which are, admittedly, in line with international standards. This leads us to the question of whether encryption is considered a means of information security or a threat to national security. The encryption mandates for banking systems and certifying authorities in India contradict those under the telecom licenses and the Decryption Rules.
In conclusion, it is high time that the Indian government woke up and smelt the C8H10N4O2 (50 points if you get it!). It is time to ensure that encryption is treated with the level of importance and respect that it needs, and that standards are created and maintained for the benefit of business users. Further, the government should have no say in limiting consumers’ freedom to use stronger encryption, so that we too can electronically transmit our UID information, bank details or even risqué photos without fear of Big Brother watching our every move.
[This article has been written by Rajat, a social scientist working with the Research & Advocacy wing of DEF. It was first published in Expert Speak, the newsletter of MitKat Advisory Services. MitKat is an advisory and consulting firm that deals in security threats across different verticals.]