The Hindu Business Line : E-commerce: Watch on encryption code compliance

Online banking operations and e-commerce transactions including purchase through credit cards may be open to Government surveillance as a fallout of the recent Blackberry controversy.

The Department of Telecom is now taking steps to ensure that all providers of Internet services strictly follow the prescribed encryption code. As per the existing law, all Internet-based service providers are required to submit a decryption key to the Government if they use more than 40 bit encryption code to secure the transactions.

Encryption codes are essentially a way to scramble information sent online in such a way that only the desired recipient has the key to unscramble it and convert it back to its original form.

However, as it was found out in the Blackberry case, a number of service providers are not strictly following the rule and have not submitted the decryption code. The issue came to light when telecom operators providing Blackberry services told DoT last week that the Government was singling out one service for allegedly violating the encryption laws.

Most of the e-commerce web sites like those selling airline and movie tickets and banking application web sites use more than 128 bit encryption code. The higher code is required to keep the transactions secure. The problem with using higher encryption codes is that the Indian security agencies find it impossible to track any specific transaction unless they have the decryption codes.

However, the Internet Service Providers termed DoT’s policy as archaic and said that they have already requested DoT to raise the permitted levels from 40 bits to at least 128 bits in line with the changing technology. “The existing encryption laws were made when Internet services were just beginning to take shape in the country. It is really unfair to stick to the same standards when technology is enabling more secure transactions and highly complex transactions. If DoT insists on the 40 bit encryption then it will be taking the Internet back to the dark ages,” said Mr Rajesh Chharia, President, Internet Service Providers Association.

Industry experts said that DoT’s policy was not practical on two counts. First, no company will give away its patented codes to leaky Government departments as it could make e-commerce applications unsecure and, therefore, useless. Second, under the existing rules, the procedure for submitting decryption keys, which is in digital form, has not been laid out. So even if anyone was bold enough to give the code to the Government, they would not know how to submit it. “In developed countries like the US there is no limit on the encryption code. Monitoring is done by their security agencies using the most sophisticated technology. DoT should invest in setting up monitoring centres which can do the job without limiting the scope of Internet services,” said Mr Amitabh Singhal of Elxess Consulting Services.

Related Stories:
No question of banning BlackBerry, says DoT
DoT unlikely to stop Blackberry services

More Stories on : Security | E-Commerce & E-Business | ISPs

Article E-Mail :: Comment :: Syndication :: Printer Friendly Page