Encryption technology and the law

By Apar Gupta

40-bit, 128-bit or 256-bit? What is the maximum encryption level allowed by the law?

Due to advancements in technology, there has been a steady growth of businesses that rely heavily on encryption technology to protect data and communications. Such businesses, many of whose unique selling points or business models depend entirely on the level of encryption services provided, include e-mail, messaging, storage or payment service providers.

For these businesses, laws and regulations governing encryption play a critical part in ensuring the smooth running of their operations; failing to meet the decryption requirements of national law enforcement or security agencies may mean having to make significant changes to, or shut down, their businesses.

This was highlighted in the widely publicized controversy between Canadian company Blackberry and the Indian government over providing encryption keys to its secure e-mail and messenger services, which were extremely popular. The standoff between Blackberry and the Government also emphasizes the need to have clear rules that govern encryption. This article seeks to examine the state of legal regulation of encryption in India.

Why regulate encryption technology?

Encryption as a technology presents unique challenges for the legal system as a whole, as fears remain that its usage may lead to widespread misuse or abuse. While the private sector may deem it as necessary to maintain data confidentiality and protection, national security and law enforcement agencies will naturally remain suspicious of what it cannot easily monitor.

In order to conduct investigations or track criminals, there may be a need for these agencies to have real time access and the ability to monitor, intercept and decipher encrypted communications. This may be achieved by subjecting such service providers to regulations that may require them to provide a method of decryption or limit their services to provide only low levels of encryption.

What are the rules governing encryption technology in India?

The principal act that deals with the information technology (IT) industry in India is the Information Technology Act 2000 (ITA). Other relevant laws include the Indian Telegraph Act, 1885, Reserve Bank of India Act, 1934, Securities Exchange Board of India Act, 1992 and Payments and Settlements Act, 2007.

Section 84A of the ITA, inserted by the Information Technology (Amendment) Act, 2008 (10 of 2009) specifically empowers the Central Government to prescribe the bit level of encryption. It states that:

“Modes or methods of encryption – The Central Government, may, for secure use of the electronic medium and for promotion of e-governance, prescribe the modes or methods for encryption.”

However, these modes and methods of encryption are yet to be specifically defined by the Central Government. At present, no rules have been framed under Sec. 84A and uncertainty exists with regard to the specific bit level permissible by law. In the absence of any regulations, many companies in the IT sector have implemented 256-bit level encryption for their data in India.

The ITA also provides for the establishment and recognition of Electronic Signatures by Certifying Authorities. This is similar in its objective to the Electronic Signatures in Global and National Commerce Act of the United States. The ITA also empowers the Central Government to lay down rules for setting the standards which have to be adopted by the Certifying Authorities for encryption. Under Rule 6 of the Information Technology (Certifying Authorities) Rules 2000, Certifying Authorities are allowed to issue Electronic Signatures with up to a 2048-bit level.

Telecommunications and internet service providers

The Telegraph Act 1885 (TA) is the main pillar of the regulatory framework for communications in India. The TA grants the Central Government the exclusive privilege of providing telecommunication and internet services in India. However, in line with its continuing policy of liberalization as stated in the National Telecom Policy, 1999, the government has allowed private entities to provide these telecommunication and internet services by entering into licensing agreements with them.

There are various versions of these agreements, which depend on the type of technology and service provided by the private party as well as the government policy in force at the time such agreement was entered into. Restrictions and limitations on encryption are placed in agreements which have been made publicly available by the government, including the License Agreement for Provision of Internet Services (LAPIS) and the License Agreement for Provision of Cellular Mobile Telephone Service (LAPCMTS).

Clause 2.2(vii) of the LAPIS mandates that persons utilizing the gateways and services of ISPs are permitted to use encryption up to 40-bit key length in the symmetric key algorithms. However, if encryption above a 40-bit key length is used, it shall be done after obtaining prior permission of the Indian government. Such permission will only be granted after the deposit of the “decryption key” with the government.

Under clause 42.1 of the LAPCMTS, the licensee is not permitted to employ bulk encryption equipment in its network. Any encryption equipment connected to the licensee’s network has to undergo prior evaluation and approval.

While these prohibitions may prima facie appear to prohibit 256-bit level encryption, their applicability is doubtful, as each licence represents a private contract between the Indian government and a third party providing internet or mobile services. It may not have the force of law, which is made either through an Act of Parliament or an Executive Order.

The prohibition also appears doubtful in light of the standards laid down for Certifying Authorities under the ITA, as well as the sectoral regulations, which mandate a higher bit level of encryption. These sectoral regulations have been made pursuant to Acts of Parliament and are individually highlighted below.

Payment gateways and electronic banking

The Reserve Bank of India, established under the Reserve Bank of India Act, 1934, serves as the central bank for India and also acts as a sectoral regulator for electronic banking as per section 3(1) of the Payments and Settlements Act 2007. The Reserve Bank of India stated in its ‘Report on Internet Banking’ dated 22 June 2001, that all transactions must use SSL/128 bit encryption as the minimum level of security.

Stock exchanges

The Securities and Exchange Board of India (SEBI) is the regulator for capital markets in India, established under the Securities and Exchange Board of India Act, 1992. Annexure 2 of its ‘Master Circular for Trading in Stock Exchanges in India’ dated March 20, 2010, collects all the circulars SEBI has issued to regulate behaviour in India’s capital markets. Paragraph 1(ii)(d), in the section on internet trading, states that:

“Transmission from the WAP Gateway server to the Internet server should be secured using Secured Socket Level Security, preferably with 128 bit encryption, for server access through Internet…”

Current position in India

At present it appears that there is some uncertainty with regard to the bit levels at which encryption is permissible in India. Though there exists a legislative provision under the ITA, no rules have been made specifying the bit levels allowed. The differing references to bit levels under (a) the ITA; (b) the licensing agreements made pursuant to the TA; (c) the Reserve Bank of India’s Report on Internet Banking; and (d) the Securities and Exchange Board of India’s ‘Master Circular’ add to the ambiguity surrounding permitted bit levels.

As previously stated, Indian companies have implemented systems which exceed 40-bit level encryption, mostly without specific approval from the government. However, risk-averse businesses may decide to ensure that their encryption levels do not exceed 40 bits. Going beyond that could mean having to obtain prior permission and approval from the government or risk being required to disclose the “decryption key”.

About the author

Apar Gupta
Apar Gupta is a partner at Delhi-based law firm Advani & Co. He obtained his Masters in Law from New York’s Columbia Law School, where he was part of the editorial board of the Columbia Science and Technology Law Review and one of the founding office bearers of the Columbia International Arbitration Association. Apar has also been named in Forbes India’s list of ‘30 Under 30’ for his work in media and technology law. He has an abiding interest in, and is an avid contributor to, the debate on the formation of technology policy and law in India, and has authored a book on India’s Information Technology Act. He may be contacted at apar.gupta[at]advaniandco.com.