Encryption is a very useful utility and tool of the present times. It keeps personal information and sensitive details out of the reach of preying eyes and big brothers. It also causes nuisance for the law enforcement and security agencies when they have to solve genuine cyber crimes and national security threats issues. Whatever the scenario may be, civil liberties and national security requirements must be reconciled so that both conflicting interests can peacefully coexist.
India is planning to embrace virtualisation and cloud computing technologies. Anybody who would be submitting his data with a cloud infrastructure would be taking both legal and cyber security risks. The cyber security trends of India (PDF) well reflect these techno legal risks. Even the most basic e-mail policy of India is missing. An Encryption Policy of India is needed (PDF) and Indian government must formulate the same as soon as possible.
We have no dedicated encryption laws and regulations in India. Provisions under different statutes and different regulatory authorities and departments like Department of telecommunication (DOT), Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI), etc have prescribed different encryption standards and levels for their respective fields. Thus, the encryption laws and regulations are still evolving and the liability to ensure a particular encryption level is still a grey area in India.
The Information Technology Act, 2000 also carries a few provisions pertaining to encryption. However, much is still to be done to ensure that Indian encryption standards are upto the mark and they can support the ambitious projects that Indian government is considering implementation in the near future.
In fact, the inaction on the part of Indian government has brought a situation where it is not clear what encryption related legal requirements have to adhere to by online business communities like e-commerce, Bitcoins, m-health, etc. Further, there is no e-surveillance policy of India that is presently implemented by Indian government. The conflicts of laws in cyberspace have further complicated this scenario.
The privacy rights in India in the information age need to be strengthened. India’s e-surveillance oriented projects like Aadhar, National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network and Systems (CCTNS), National Counter Terrorism Centre (NCTC), Central Monitoring System (CMS), Centre for Communication Security Research and Monitoring (CCSRM), Internet Spy System Network And Traffic Analysis System (NETRA) of India, etc are violative of civil liberties protection in cyberspace. None of them are governed by any Legal Framework and none of them are under parliamentary scrutiny.
Encryption laws, regulations and compliance requirements in India must be clarified by Indian government as soon as possible in the larger interest of India. In the absence of legal safeguards, self defence mechanisms like encryption must be widely used by Indian citizens.