Friday, August 12, 2005

Sloppy journalism

There is a story in yesterday's DC entitled "Is encryption legal in India?" that goes like this:
Is encryption legal in India? Well that's the impression one gets when you log on to any of the online auction sites. Any Indian citizen, unaware of the IT Act 2000 or the Wireless and Telegraph Act would be led to believe that it is, indeed, legal in India, without realising that he/she would be liable for imprisonment for up to five years.
Wait a minute, if encryption is illegal in India, am I breaking the law every time I log in to my bank's site using HTTPS? Reading on:
For instance, ebay.in, an online auction site has been, apparently, inducing (into participating) its buyers and sellers into breaking the law. Incidentally, eBay India had acquired bazzi.com [sic] in July 2004. It may be recalled that bazzi.com's [sic] CEO Avnish Bajaj is still facing charges in connection with circulation of the lewd MMS depicting two Delhi Public students in a sexual act.
The paragraph starts with "For instance", but does not substantiate the dramatic charge it made in the previous paragraph. Also, the reference to baazi.com has no relevance to the point being made.
While the Indian IT Act, 2000 allows absolutely no encryption, eBay.in, seemingly, tells its site visitors that 128 bit encryption is legal in India. Furthermore, eBay.in has been inviting its customers to fax their Credit Card details in order to pay sellers through PaisaPay (a gateway used for payment provided through leading banks like ICICI, HDFC, Citibank), that the web site claims comes to a "secure server" and only "authorised eBay employees have access to".
Why do I get the feeling that the story is, at least partly, a hatchet job on eBay.in? There is also no evidence (in the form of a quote from the web site) to back up the claim that eBay tells its visitors that 128 bit encryption is legal in India.
IT act experts point out that by asking customers to fax their credit card statement which contains other details like name, credit card number and billing address, these web sites are actually "aiding and abetting" credit card frauds.
At last, something I agree with. Never mind the fact that this is absolutely tangential to the story.
"Going by the present status," said informed sources, "The Central Government, so far, has not notified any security procedures under Section 16 of the IT Act for on-line electronic commerce, banking and financial transactions in India." Informed sources also point that the department of telecom, which consents to 40 bits [sic] encryption also seems to be overlooking (the) law.
So I am breaking the law when I check my bank balance online. Hmmm.
Cyber law expert Pawan Duggal said that, "Although the government has not made any effort to define encryption in the Indian IT Act, but technically it clearly says that it is not allowed."
Allowing that encryption is illegal in India and that the authorities do not enforce the law, the story could have made its point just as well (if not better) by leaving eBay.in out of it, or by using any site that uses SSL as an example.