The world has seen an exponential growth in internet usage. Today the internet is accessed not just through browsers, but also through mobile applications and internet-enabled smart devices which collect data. The data collected is then stored on servers which may either be in India, or abroad, locally or on the cloud, and may or may not be encrypted. In most cases, users remain unaware of whether such data is encrypted. For the uninitiated, "encryption" refers to the process of using an algorithm to transform information into a secret code, thereby ensuring it remains unreadable to unauthorised users.
The storage of data on servers has not been immune to cyber security breaches. In India, several incidents of servers being compromised have been reported in the past few months alone. For instance, it was reported in May this year that a popular restaurant search and discovery service had its servers compromised, resulting in the personal data of 17 million users being stolen. It was also reported that an international fast-food chain's mobile application in India allegedly exposed personal information of its 2.2 million users. India's newspapers have also carried reports of personal details contained in the Aadhaar cards of citizens being stolen.
Although encryption has been widely debated in the Indian context, India currently does not have dedicated legislation on encryption technology. Section 84A of the Information Technology Act, 2000 (IT Act) provides that the "Central Government may, for secure use of the electronic medium and for promotion of e-governance and e-commerce, prescribe the modes or methods of encryption." The Information Technology (Certifying Authorities) Rules, 2000 (IT Rules) set out the standards of encryption for digital signatures. India's central bank, the Reserve Bank of India (RBI), has mandated a minimum standard of 128-bit SSL (Secure Sockets Layer) encryption. These minimum standards need to be used for conducting all digital financial transactions, securing passwords and securing connections between computer servers and browsers. In 2015, the central government published a draft National Policy on Encryption. However, this was withdrawn shortly thereafter due to criticism from users, advocacy groups and the information technology sector.
Though there is a provision for a regulatory framework in India in relation to encryption technologies, there are no minimum standards for encryption across technologies and platforms. While there is no guarantee that a device or a server which uses the highest standard of encryption is impenetrable to a cyber attack, the risk of personal information becoming public is reduced considerably. There is an urgent need for the government of India to provide for a comprehensive policy framework if it wants to promote its "Digital India" initiative. A galloping India cannot afford to remain behind in terms of adopting the globally established best practices in encryption. In the interim, and until such time as regulatory policies are formulated, each company needs to individually ensure that it has strong encryption protocols in place to protect itself, its employees and its users from cyber security breaches.