Rediff Logo Infotech Find/Feedback/Site Index
July 26, 1999


Search Rediff

Case of the Missing Cop: Despite several guidelines, the government is still not clear on who is going to police the Internet. Priya Ganapati

The Indian government finally relented and allowed private Internet service providers to set up their own gateways after a 10-month delay.

Last week it announced the 'Guidelines and general information for setting up of international gateways for Internet'.

Email this story to a friend.

Today, the government released application forms for setting up gateways.

The forms were expected to come along with clarifications on several grey areas in the guidelines. Instead, today's forms have further confused issues.

Two of the most important questions that are begging to be answered are:

  1. The government wants to snoop into every email and Net transaction. Even if that is at all possible, who is going to do it?
  2. Can ISPs choose among the international telecom carrier, which provide the bandwidth for the gateways?
Amitabh Singhal, secretary, Internet Service Providers' Association of India, told Rediff "It could be anyone... The Intelligence Bureau or RAW (Research and Analysis Wing, a counter-intelligence organisation). We have to come back to the DoT (Department of Telecommunications) for a clarification on this. Throughout they have not specified who these security agencies or monitoring agencies are going to be."

Rediff contacted National Informatics Centre Director N Seshagiri who is also a member of the committee that decided on the guidelines: "As per my knowledge, the security agency will be a committee comprising members of DoT, NIC, Department of Electronics, DRDO (Defence Research and Development Organisation), the home ministry and the National Association of Software and Service Companies," he said.

Seshagiri explained the drafting committee's views: "We thought that the DoT should be a single-point interface between the ISPs and the security agency. However, DoT will also have to go to IB and RAW because it is the issue of the nation's security and law."

To placate the raging debate about involving intelligence agencies so deeply in patrolling of the Internet, Seshagiri justifies: "The IB will have to be involved as they are concerned about issues like hacking. While RAW comes into the picture if foreign agents like ISI (Inter-Services Intelligence, Pakistan's counter-intelligence agency) get involved. For example, if the ISI gives the funds and sets up an ISP for all its insurgency activities, who will then be responsible? So intelligence agencies will have to be involved."

But once the government clarifies on who is actually going to police the Web, the next question is bound to be how?

Both Seshagiri and Singhal agree that there can be no continuous monitoring of Internet traffic passing through the private ISPs' international gateways.

Seshagiri explains, "It has to be done only through sample checks. If you see even VSNL today is supposed to monitor 5 per cent of the traffic through its gateways. But logistically, it is impossible. When I spoke to them I found out that they were monitoring only 0.001 per cent!"

Singhal says, "When we talk of monitoring we are thinking of whatever kind of traffic that goes through the gateways. But you see no one can really monitor anything. I think they are just asking for random checks anytime they want. Say, even at 4 in the morning without any notice. As to the frequency at which packets will be sampled, it will have to specified by the security agencies."

The costs involved in this monitoring are to be borne by the ISP.

Guideline III (a) says international gateway locations and / or ISP nodes with a router or switch having an outbound capacity of 2 MBPS or more will have to install monitoring equipment estimated to be Rs 400,000 per location.

In addition to this, office space of 10 feet x 10 feet with uninterruptible power supply, air-conditioning equipment and one local exclusive telephone line will have to be provided to the monitoring agency.

But for ISP nodes with an outbound capacity of less than 2 MBPS, the monitoring equipment would be provided by the security agency.

Singhal is not very perturbed with these additional costs for the ISPs. "Actually, a lot depends on the location of the nodes or gateways. The cost of the premises itself in a place like Bombay would be quite high. But for people who have budgets of Rs 100 crore (Rs 1 billion) or more, who would be the category 'A' ISPs, the fixed hardware cost would not be much," he argues.

A clause in the guidelines says that the ISPs are required to apply to 'the telecom authority for bandwidth, giving the detailed requirement'.

Now, it is not clear as to who the telecom authority is and can ISPs directly procure bandwidth from carriers of their choice.

Charges Singhal "From the face of it, it looks like ISPs are not allowed to choose their own carriers. We would have to tell the DoT about our bandwidth requirements. There are many VSAT operators trying to sell bandwidth. One could have actually shopped for bandwidth but right now it does not look like it is possible."

If ISPs are basically retailers of bandwidth, this restriction could cascade down to the consumer and keep Net access prices higher.

"If the 'telecom authority' is to be the provider of bandwidth, there would be no guarantee of the uptime or the timeframe in which bandwidth would be allotted to the ISPs wishing their own gateways," feared an executive in an ISP organisation.

Yet another clarification that would really help is whether it is necessary to be a practising ISP to set up a gateway?

That means do you just need to hold an ISP licence to be eligible to set up a gateway or do you have to be an operational ISP with a subscriber base?

Singhal is worried too. "It is one of the issues we have asked a clarification for. We have not got a reply yet but I don't see why it should not be possible. Providing a gateway or bandwidth is also a part of being an ISP. But I am not sure whether DoT will agree to this."

Other issues related to security involve the strength of encryption that can be used and the geographic locations in which gateways cannot be set up.

Guideline II 16 1. defines the level of encryption: 'Individuals / Groups / Organisations are permitted to use encryption up to 40-bit key length in the RSA algorithms or its equivalent in other algorithms without having to obtain permission. However, if encryption equipment higher than this limit are to be deployed, individuals / groups / organisations shall do so with the permission of the Telecom Authority and deposit the decryption key, split into two parts, with the Telecom Authority.'

There is a view in the industry that 40-bit key length is too weak for most commercial applications and can be easily broken.

Surprisingly, Singhal is not very worked up over this. He clarifies that it is just an initial step. "It is not a hard and fast rule that higher bit encryption is not allowed. If encryption over 40 bits is used then the key will have to be given to the government. The DoT seems to have taken the worldwide standard. As and when they receive complaints that it can be easily broken, they will consider going for stronger encryption."

Finally, the government has restricted ISPs from setting up gateways in politically sensitive areas like the border state of Jammu and Kashmir. Other such areas are yet to be defined by the monitoring agencies.

But that can happen only when the monitoring agencies themselves are defined!

The Internet nodes in these areas will have to route their traffic through VSNL only. The Videsh Sanchar Nigam Limited is the government owned overseas telecommunications monopoly.

In 'places of security importance', the interconnection of Internet nodes to other nodes within the country directly would not be permitted.

With inputs from Suchitra Singh Roy

Related site:

The DoT guidelines

Tell us what you think