Anybody serious about his civil liberties in cyberspace would be using encryption and encryption related services to maintain integrity and confidentiality of his data and communications. World over countries are facing tough challenges to maintain a balance between civil liberties and national security requirements. India also has to maintain equilibrium between civil liberties and national security needs. At the same time, self defence measures must also be encouraged to protect privacy and confidentiality of user’s communications and details.
Use of encryption and encrypted services in India is still a grey area. In many cases use of encryption beyond a specified limit is violation of Indian laws and punishment can also be met out in such cases. Most of the website developers are not at all aware that using an encryption level beyond the sector specified requirements would make them and the website owner liable to be prosecuted.
There are numerous encryption related regulatory compliances in India that various websites and their owners must comply with. However, different levels and different standards of encryption have really created confusion among various stakeholders. For instance, cloud computing, m-health, e-commerce, e-mail service providers, online payment service providers, mobile payment, online pharmacies, etc have different sets of regulatory requirements regarding encryption usage in India.
Sector specific regulators have also prescribed different encryption rules through their own regulations. For instance, Securities and Exchange Board of India (SEBI), Department of Telecommunication (DOT), Reserve Bank of India (RBI), etc have prescribed encryption standards that in many cases conflicts with each other.
The Information Technology Act, 2000 has incorporated few provisions regarding encryption usage and its legality. However, till now rules and regulation under those provisions have not been prescribed by Indian government.
India is planning to embrace virtualisation and cloud computing technologies. Anybody who would be submitting his data with a cloud infrastructure would be taking both legal and cyber security risks. The cyber security trends of India (PDF) well reflect these techno legal risks. Even the most basic e-mail policy of India is missing. An Encryption Policy of India is needed (PDF) and Indian government must formulate the same as soon as possible.
Now RBI has once again encouraged use of mobile banking services in India. After proper deliberations, RBI may also come out with mobile banking related regulations and encryption related issue may also be covered by it. However, nothing is better than formulating a techno legal encryption policy of India that is not only holistic but covers various aspects of the same.