ET BureauNEW DELHI: A government panel set up to examine security threats regarding 15 forms of communications, including Google’s Gmail, Research in Motion’s BlackBerry services, Nokia’s email offerings and Microsoft Skype amongst others, that cannot be tracked by law enforcement agencies here, has recommended that no service be banned purely on the grounds that it cannot be monitored.
It has recommended that in the short term, India should force operators who offer such services to either locate servers in the country or share encryption keys with security agencies and assist security agencies here in monitoring these services.
As a long-term solution, the committee has recommended that the upcoming Central Monitoring System (CMS) be made capable of intercepting any form of communication service offered within the country.
It has also endorsed the telecom ministry’s stance that the ultimate solution should involve intelligence agencies building up capabilities indigenously to monitor and intercept these technologies. The panel has also added that security agencies must avail the help of companies such as Infosys, TCS, Wipro and TechMahindra to build such capabilities.
The committee has said that security agencies must first check whether monitoring solutions are available in other counties before threatening to ban any specific communication service.
“Before banning or blocking of encrypted communication impact on business and industry, e-Commerce, e-governance, e-medicine, e-health, passport services etc should be taken into consideration. Further, banning or blocking services without providing an alternative may have international reactions and could affect other Indian industries such as BPO and IT outsourcing,” the panel’s report, a copy of which was reviewed by ET adds.
The government panel, with members from different ministries, including telecoms and IT, has also recommended that India raise its encryption levels from the present 40 bits to 256 bits, which is the standard in Europe and the US.
Encryption means converting data and emails into codes that travel through the network and later get reassembled into the original form. A higher encryption level will ensure more secure financial transactions on personal computers and cell phones. It is also vital for protection from hackers. Most western countries do not allow financial transactions on the internet through computers and mobile handsets, if the encryption level is less than 128 bits. India on the other hand does not legally allow encryptions beyond the 40-bit on the grounds that its security agencies lacked the technological capabilities to monitor data transfers on the internet when the coding is beyond this limit.
Home Ministry, Intelligence Bureau oppose panel’s views
But the Home Ministry and Intelligence Bureau (IB) whose members were part of the panel, have not signed these recommendations and have given their dissent note.
The IB has said the recommendations by the panel shifts the onus on encryption and decryption from mobile phone companies to the ‘designated agency’ (CMS) authorized by the home ministry, when ‘current experience was that government agencies were unable to track such services’. It has also pointed out that it may be impossible to persuade foreign players to locate servers in India or share encryption keys with security agencies here as recommended by the panel.
The intelligence bureau has also said that recommendations must include its point that mobile phone and internet companies must have technologies to block services that are non-decodeable by security agencies. “It is also felt that unless a comprehensive solution solution to decrypt encrypted messages is in place, the proposal to allow increase in encryption from 40 bits would only make it more difficult for law enforcing agencies,” adds the IB’s note, which has been enclosed with the panel’s recommendation.
The home ministry is concerned that terrorists may use highly encrypted messages and emails sent through smartphones and internet to coordinate and plot attacks as information exchanged on these channels cannot be monitored.
The crackdown on all communication services offered through channels that could not be intercepted began after the 2008 Mumbai attacks. Indian security agencies learnt during investigations that Pakistani militants had used mobile and satellite phones to coordinate the terror strikes.
The recommendations by this technical panel, that had looked at encryption services provided by different platforms, companies, handset makers and IT giants, will cheer mobile phone companies and internet service providers, all of whom are opposing a directive by the home ministry that mandated operators to provide interception solutions for services they offered to their customers.
For generic consumer services, this panel is of the view that government can mandate that servers be located in India or insist that the provider provide remote access to servers located abroad to address security issues. At the same time, it has also cautioned that ‘mandating of availing email services from servers located in India may prompt other countries to also take similar action, which may not be desirable for a country like India, an emerging nation in the field of IT’.
Panel's views may not offer relief to BlackBerry
This government panel has recommended in the case of enterprise users, ‘it may be made mandatory for have servers in India and register themselves with service providers and DoT before they avail the enterprise centre communication solution’. “If any enterprise wants to have server abroad for email communication of employees in India, then remote access for the targeted email should the provided,” the panel’s report added. If implemented, this can have a direct bearing on RIM, Nokia and email solutions provided by other handset majors and IT giants.
Skype under scanner
For internet telephony services such as Skype, the government panel feels that either it should be banned in India or should be made to offer the services through encryption level limited to 40 bits. This will enable monitoring of internet calls by security agencies. The panel is also of the view that services such as Skype don't even stand the scrutiny of law, as they don't pay a license fee on the revenue they generate via telephony or through ads.
All telecom conversations happening in the country are currently being stored in large data warehouses. The intelligence agencies have the prerogative of asking an operator to run a keyword search on all calls in a period. On services like Blackberry messenger, communication is encrypted by keys. "With cloud computing, location of many servers will spread across the world, making it difficult for governments to monitor them in future. Thus real time monitoring would be needed," he adds.
It has recommended that in the short term, India should force operators who offer such services to either locate servers in the country or share encryption keys with security agencies and assist security agencies here in monitoring these services.
Elevate Your Tech Prowess with High-Value Skill Courses
| Offering College | Course | Website |
|---|---|---|
| Indian School of Business | ISB Professional Certificate in Product Management | Visit |
| IIM Lucknow | IIML Executive Programme in FinTech, Banking & Applied Risk Management | Visit |
| IIM Kozhikode | IIMK Advanced Data Science For Managers | Visit |
It has also endorsed the telecom ministry’s stance that the ultimate solution should involve intelligence agencies building up capabilities indigenously to monitor and intercept these technologies. The panel has also added that security agencies must avail the help of companies such as Infosys, TCS, Wipro and TechMahindra to build such capabilities.
The committee has said that security agencies must first check whether monitoring solutions are available in other counties before threatening to ban any specific communication service.
“Before banning or blocking of encrypted communication impact on business and industry, e-Commerce, e-governance, e-medicine, e-health, passport services etc should be taken into consideration. Further, banning or blocking services without providing an alternative may have international reactions and could affect other Indian industries such as BPO and IT outsourcing,” the panel’s report, a copy of which was reviewed by ET adds.
Discover the stories of your interest
The government panel, with members from different ministries, including telecoms and IT, has also recommended that India raise its encryption levels from the present 40 bits to 256 bits, which is the standard in Europe and the US.
Encryption means converting data and emails into codes that travel through the network and later get reassembled into the original form. A higher encryption level will ensure more secure financial transactions on personal computers and cell phones. It is also vital for protection from hackers. Most western countries do not allow financial transactions on the internet through computers and mobile handsets, if the encryption level is less than 128 bits. India on the other hand does not legally allow encryptions beyond the 40-bit on the grounds that its security agencies lacked the technological capabilities to monitor data transfers on the internet when the coding is beyond this limit.
Home Ministry, Intelligence Bureau oppose panel’s views
But the Home Ministry and Intelligence Bureau (IB) whose members were part of the panel, have not signed these recommendations and have given their dissent note.
The IB has said the recommendations by the panel shifts the onus on encryption and decryption from mobile phone companies to the ‘designated agency’ (CMS) authorized by the home ministry, when ‘current experience was that government agencies were unable to track such services’. It has also pointed out that it may be impossible to persuade foreign players to locate servers in India or share encryption keys with security agencies here as recommended by the panel.
The intelligence bureau has also said that recommendations must include its point that mobile phone and internet companies must have technologies to block services that are non-decodeable by security agencies. “It is also felt that unless a comprehensive solution solution to decrypt encrypted messages is in place, the proposal to allow increase in encryption from 40 bits would only make it more difficult for law enforcing agencies,” adds the IB’s note, which has been enclosed with the panel’s recommendation.
The home ministry is concerned that terrorists may use highly encrypted messages and emails sent through smartphones and internet to coordinate and plot attacks as information exchanged on these channels cannot be monitored.
Elevate Your Tech Prowess with High-Value Skill Courses
| Offering College | Course | Website |
|---|---|---|
| Indian School of Business | ISB Product Management | Visit |
| Indian School of Business | ISB Professional Certificate in Product Management | Visit |
| IIM Lucknow | IIML Executive Programme in FinTech, Banking & Applied Risk Management | Visit |
The recommendations by this technical panel, that had looked at encryption services provided by different platforms, companies, handset makers and IT giants, will cheer mobile phone companies and internet service providers, all of whom are opposing a directive by the home ministry that mandated operators to provide interception solutions for services they offered to their customers.
For generic consumer services, this panel is of the view that government can mandate that servers be located in India or insist that the provider provide remote access to servers located abroad to address security issues. At the same time, it has also cautioned that ‘mandating of availing email services from servers located in India may prompt other countries to also take similar action, which may not be desirable for a country like India, an emerging nation in the field of IT’.
Panel's views may not offer relief to BlackBerry
Discover the stories of your interest
This government panel has recommended in the case of enterprise users, ‘it may be made mandatory for have servers in India and register themselves with service providers and DoT before they avail the enterprise centre communication solution’. “If any enterprise wants to have server abroad for email communication of employees in India, then remote access for the targeted email should the provided,” the panel’s report added. If implemented, this can have a direct bearing on RIM, Nokia and email solutions provided by other handset majors and IT giants.
Skype under scanner
For internet telephony services such as Skype, the government panel feels that either it should be banned in India or should be made to offer the services through encryption level limited to 40 bits. This will enable monitoring of internet calls by security agencies. The panel is also of the view that services such as Skype don't even stand the scrutiny of law, as they don't pay a license fee on the revenue they generate via telephony or through ads.
"It's a government's prerogative to ask firms to locate servers to India, as any conversation happening on internet or phone, is converted into data and stored in data warehouses," says Karthik Shahani, Country Manager RSA India. Firms such as RSA provides encryption and decryption solutions to governments and security agencies.
All telecom conversations happening in the country are currently being stored in large data warehouses. The intelligence agencies have the prerogative of asking an operator to run a keyword search on all calls in a period. On services like Blackberry messenger, communication is encrypted by keys. "With cloud computing, location of many servers will spread across the world, making it difficult for governments to monitor them in future. Thus real time monitoring would be needed," he adds.
( Originally published on Jun 16, 2011 )
Get Unlimited Access to The Economic Times
