Encryption Policy

The Information Technology (Amendment) Act, 2008 provides for encryption under Section 84A, which reads as follows:

“84A. The Central Government may, for secure use of the electronic medium and for promotion of e-governance and e-commerce, prescribe the modes or methods for encryption.”

An encryption policy under this section is urgently required as a national policy, since at present encryption is restricted to 40 bits under the telecom licensing policy regime. This level of encryption is weak and does not promote client confidence: clients require strong encryption for data protection and privacy protection. The government, however, has a legitimate need to access encrypted data to monitor suspected criminals and terrorists, in what is considered lawful interception. Encryption policy therefore requires consideration of various technical issues, national security issues, business privacy, and international competitive pressures for the growth of e-commerce and e-governance applications. Continued economic growth of Indian industries and business in an increasingly global economy requires the availability of cryptography to all legitimate users, including employees and business associates of the corporate sector.

DSCI has engaged with the government to help formulate the encryption policy. To institutionalize its efforts and industry engagement with the government, DSCI formed a DSCI Advisory Group on Encryption Policy to discuss these issues in detail and engage with the government, including its security agencies, to enable the government to come up with the policy at the earliest.

The following is the agenda of the DSCI Advisory Group on Encryption Policy:

  • Discuss the business need for encryption in India: specific client requirements in outsourcing, business growth, facilitation of financial inclusion, IPR protection, cost reduction by using internet / cloud computing, etc.
  • Discuss the domestic regulatory requirements for encryption: RBI, SEBI, TRAI, etc.
  • Identify popular encryption techniques / methods (AES, 3DES, etc.) and encryption strength (128 bits, 256 bits, etc.) used in the Indian industry
  • Share any incidents / frauds / cases that happened because of use of weak encryption techniques
  • Discuss and deliberate on the recommendations submitted earlier by DSCI-NASSCOM for Encryption Policy u/s 84A of the IT (Amendment) Act, 2008 and any modifications that may be required
  • Discuss and deliberate on different approaches / recommendations for meeting Law Enforcement Agencies' requirements (for National Security) while ensuring business use of strong encryption at the same time (including approaches for Key Management)
  • Discuss the encryption policies of other countries and how they balance strong business use of encryption and national security

| Member's Name | Designation | Organization |
|---|---|---|
| Mr. Murali Krishna | Senior VP, Group Head – Computers and Communications Division | Infosys |
| Mr. A Vasudevan | Corporate Vice President – ERS | HCL |
| Mr. Sundeep Oberoi | Global Head – NTDG | TCS |
| Mr. Pazhamalai Jayaraman | CISO & GM-IRM & Policy Compliance | Wipro |
| Mr. P S Venkat Subramanyan | Head – Data Protection Practice | CSC |
| Mr. Sumeet Parashar | Chief Information Security Officer | CSC |
| Mr. Mohit Kapoor | Chief Technology Officer | Bank of America Continuum |
| Mr. Mukesh Singh | Technology Leader | Makemytrip |
| Mr. Naveen Srivastava | Chief Manager (Systems) | State Bank of India |