GUIDELINES FOR SUBMARINE INTERNATIONAL GATEWAYS FOR INTERNET
A National Joke


by TheGuide

Introduction

What flows over the Internet is human knowledge.  Some of it is totally useless, or undesirable, but much is not.  Knowledge is doubling and redoubling at a pace never foreseen before in history.  This means that even accessing a small part of it, over time, involves movement and sifting of enormous amounts of data.  That is the need for these growing high-speed data pipes (fiber bandwidth).  Commerce is built on that "knowledge" as it always has been.  When a key commodity in the world was salt, even military action could not prevent KNOWLEDGE from carrying forward commerce.  Indeed, this is a reference to Mahatma Gandhi and his historic “Dandi salt march”.  Not because commerce is the end-all, but because it is the way we have - still today – for cooperative actions that continue to benefit many.

With the unimaginable increase in knowledge that seems to be ever gaining momentum, we can see it becoming an essential part of our future, wherever we may live in the world.  And the repository of that knowledge is distributed across the entire Internet.  It is already causing new methods of doing business - from the website which sells products to a global market, to the vertical supply chain coordination of industry.  Anyone NOT part of this loses, and anyone who can find benefits from it DOES GAIN.

A wonderful example of this gained international attention a few months ago.  Illiterate women in Madhya Pradesh use the 'Gyandoot' <URL: http://www.gyandoot.com> network for getting prices prevailing in the neighbouring markets.  This greatly enhances their business activities, which, in turn, also benefits the entire rural community.

But, as things grow in this pile of electrons, it also becomes fragile.  New protections are needed, and those available must be used.  The stability must be designed in, or the fall of immense virtual structures can be faster than a building targeted by a terrorist in the physical world.

We in India need to be a part of this knowledge revolution by integrating our commerce into the realm of the global village concept.  This requires abundant bandwidth capacity to link our citizens and entrepreneurs to this large repository of knowledge on the Internet.  Genuine liberalization of our policies in this direction, if wisely done, will be of far greater importance than being merely a welcome step.

Shocking Guidelines for private submarine fiber and Internet gateways

When one analyzes the outcome of applying the existing “Guidelines and General Information for setting up of Submarine Cable Landing Stations for International Gateways for the Internet”, one is likely to be rendered speechless, to put it mildly. 
<URL: http://www.dotindia.com/investment/isp/information_submarine_landing_stn.htm>

The absurdity of some of the provisions of the said Guidelines cannot be stated strongly enough.  These guidelines, as we shall see, are against our national interests as they:

  •  Alienate India from international trade allowing other competing nations to benefit from the resulting decline in India’s share of export revenues.

  •  Stimulate and trigger an exodus of talent, skills and enterprise from India by reducing India to a mere supplier of human resource that technically advanced nations can use to our disadvantage.

  •  Expose national wealth to the risks of cyber crime through weak security being promoted on the Internet.

At the outset, the first question that arises is: could this be some skillful interference by competing vested business interests from the IT industry who DO NOT want India to be an active participant in the network and knowledge based revolution that is transforming the world into a global village?   Do we or do we not want to be a part of this revolution?  If we do, one would dread to imagine that such an unworkable divisive document could even be SUGGESTED with India’s well being at heart.

This single document, if enforced, undermines the military, economic, and sociological infrastructures of the entire sub-continent - removing India from the Internet, and shutting down existing facilities as well, until special permissions can be issued.  And if such a policy were to be "selectively enforced", it is an open invitation to have portions of the Government of India infiltrated and taken over by "organized crime" from any nation.  It also runs the risks of giving access to other hostile or competing nations, into the data networks of our country.  Is that the underlying intention?  It surely sends signals that we may dread to interpret.

The so-called requirements of this fiber landing station license, ENSURE that the Internet in India may be tossed down a black hole and left there, and international commerce left to trickle off, to a big zero.

One sincerely hopes that these strong words do not create any prejudice against the factual criticisms that will now follow.   However, if this critique should succeed in triggering off a nation-wide public debate, its objective will have been fulfilled. 

Let us now explore the significant provisions of the guideline requirements that were found to be shocking.  For each such provision, the underlying technology and its alarming implications are detailed.

Toy Encryption Requirements

Overview: 

The requirement of running a 40-bit asymmetric key encryption for anything, with any significant duration or importance, is absurd.

It is common knowledge that the 56-bit DES (Data Encryption Standard - an industry adopted standard), was cracked in about a day, with the methods now having been clearly established.  The resources for a 64-bit encryption are not negligible, but not terribly significant, either.

A 40-bit single-key encryption is approximately 2^16 (2 raised to the power of 16), i.e. over sixty thousand times, LESS secure than a 56-bit DES encryption, and is hence referred to as a "toy" encryption methodology.  This means that even a single-transaction encryption at 40-bit is not a good idea.

In January 1996, an ad hoc study committee of the world's leading cryptographers and computer scientists released an ‘industry’ report titled:

“Minimal Key Lengths for Symmetric Ciphers To Provide Adequate Commercial Safety”, by Matt Blaze, Whitfield Diffie, Ronald L. Rivest, Bruce Schneier, Tsutomu Shimomura, Eric Thompson and Michael Wiener

Ref. <URL: ftp://ftp.research.att.com/dist/mab/keylength.ps>

This report, by leading industry experts, indicated that a 75-bit (single-key) encryption technology was barely suited (then) for protecting commercial transactions, and this was 4 years ago.  In equivalent terms for an “asymmetric” key encryption (which is now mandated by specifying that encryption be done using the “RSA algorithm”), it works out to approximately a 768-bit encryption that seemed to have found “minimal” acceptance (just enough) over 4 years ago.  As against this, the Guidelines will now permit (by default) a mere “40-bit encryption using the RSA algorithm”.

Indeed, it may be a good idea for our policy makers to study and understand this expert report, which has to a fair extent even addressed the future requirements for cryptography that may now, or in the near future, become relevant.
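The key-length comparison in this overview, as an added example that is not part of the original article: it runs a real exhaustive search against small keys to show the work doubling with every added bit, then scales the worst case to 40, 56, 64 and 128 bits. The `toy_cipher` stand-in (it is not DES) and the search rate of 10^9 keys per second are assumptions made for illustration.

```python
"""Added example: how exhaustive key search scales with key length."""
import hashlib

# Assumption for illustration only: a searcher testing 10^9 keys per second.
ASSUMED_KEYS_PER_SECOND = 10**9


def toy_cipher(key: int, data: bytes) -> bytes:
    """Stand-in cipher (not DES): XOR up to 32 bytes with SHA-256(key).

    XOR is its own inverse, so the same call encrypts and decrypts.
    """
    if len(data) > 32:
        raise ValueError("toy cipher handles at most 32 bytes")
    stream = hashlib.sha256(key.to_bytes(16, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def exhaustive_search(ciphertext: bytes, known_plaintext: bytes, key_bits: int):
    """Try every key of the given size; return (key, number of keys tried)."""
    for trials, candidate in enumerate(range(1 << key_bits), start=1):
        if toy_cipher(candidate, ciphertext) == known_plaintext:
            return candidate, trials
    return None, 1 << key_bits


def worst_case_trials(key_bits: int) -> int:
    """Size of the key space: every added bit doubles it."""
    return 1 << key_bits


def relative_work(stronger_bits: int, weaker_bits: int) -> int:
    """How many times more keys the stronger size forces a searcher to try."""
    return 1 << (stronger_bits - weaker_bits)


def worst_case_seconds(key_bits: int,
                       keys_per_second: int = ASSUMED_KEYS_PER_SECOND) -> float:
    """Time to sweep the whole key space at the assumed rate."""
    return worst_case_trials(key_bits) / keys_per_second


if __name__ == "__main__":
    plaintext = b"constructed msg!"          # constructed sample input
    for bits in (8, 12, 16):
        secret = (1 << bits) - 1              # worst case: the last key tried
        found, trials = exhaustive_search(toy_cipher(secret, plaintext),
                                          plaintext, bits)
        print(f"{bits:3d}-bit key recovered={found == secret} after {trials} trials")

    print(f"56-bit vs 40-bit work factor: {relative_work(56, 40)}")
    for bits in (40, 56, 64, 128):
        secs = worst_case_seconds(bits)
        print(f"{bits:3d}-bit worst case: {secs:.3e} s "
              f"({secs / 86400 / 365:.3e} years) at the assumed rate")
```

At the assumed rate the whole 40-bit key space is swept in under twenty minutes, which is why key lifetime matters so much in the sections that follow.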

Specific Details:

The 40-bit asymmetric key encryption in the RSA algorithm now being stipulated is technological suicide.  First, the lowest key size normally likely to be used internationally ("in the RSA algorithm") is a 512-bit key, while the commonly used size is 1024 bits.  In comparison, the smaller “single key” encryptions can be termed as follows:

  1. 40-bit (toy)
  2. 56-bit (broken-DES)
  3. 128-bit (commercial grade)
  4. 168-bit (strong commercial grade)

These are understood as pertaining to SESSION keys that are generated on the fly for a given session and hence have a short lifetime, which makes them somewhat more difficult to break.  They are not the persistent keys (now being mandated by the guideline in this regard) that remain permanent in relation to their users.  Such persistent keys offer an unlimited time for malicious hackers to break in.

Until recently, one of the most restrictive countries in the domestic use of cryptography was France.  Their ATM/bank cards were cracked BECAUSE of using too weak a cryptography, teaching them a hard lesson.

Dictating such guidelines that restrict the use of cryptography to an extent that we are almost insecure is like dictating something as non-secretive as what languages may be used in "written communication" over the facilities.  It is somewhat like the (not so secret) code language that parents use to keep things confidential from children.  Do we wish to expose our commerce to the risks of that level of (in)-security? 

The policy makers stipulating various guideline requirements haven't even specified any equivalent of the RSA algorithm.  For instance, what would be the equivalent encryption with Diffie-Hellman (renowned also as a public key cryptography) algorithm? 

Guidelines require all computers in India to seek permission for Internet

Further, it appears that the guideline requirements for “level of encryption” (refer clause 23) only restrict HARDWARE "equipments" deployed and not software in regard to the use of encryption.  If "equipments" legally includes (the only way that the encryption restriction ever COULD work), both the hardware provisions AND the software and firmware running on it, which we all more clearly understand as "system", then, it is not merely limiting technology such as the smart-card and iButton, but also, it is likely to make every in-use computer in India, illegal to possess for use on the Internet without prior written permissions from the Telecom Authority being granted to each "individual/group/organisation" using them. 

Alarming, isn't it?   True and yet unbelievable.

Let us now see how this mandated rule for a 40-bit key encryption in RSA algorithm or its equivalent, wouldn't be complied with, in the case of ALL computers used for Internet, in India.  

At the outset, every ISP (Internet Service Provider), including VSNL, would be offering their services with the use of UNIX servers or UNIX-like systems.  At a minimum, UNIX and Unix-like systems thus “deployed”, use as a standard, a 56-bit DES single key encryption just for handling passwords of their "client" users (which incidentally covers ALL INTERNET users in India).  This is roughly equivalent to a 560-bit asymmetric encryption "in the RSA algorithm" as compared to the now allowed only 40-bit asymmetric key encryption.  PGP (Pretty Good Privacy - one of the most popular cryptosystems) doesn't even offer to generate keys below 512 bits in "the RSA algorithm".  

Even if we took what was meant, instead of what was said, the new guidelines in this regard will eliminate even the weakest use of PGP or GPG (GNU Privacy Guard - a cryptosystem on the OPEN platform), which is used the world around for privacy and security.   This software would require at least a 512-bit key "in the RSA algorithm".  Generally speaking, encryption doubles the strength of security when we add ONE bit to the key size.  So this PGP or GPG encryption, at its minimal use, is already astronomically above the 40-bit restriction for permitted encryption that is now being imposed.  And PGP or GPG encryption security is already widely used in India, just as it is around the world.  How then are we to deal with this existing violation of the new guideline?  Let's find out some more about existing violations of the new guidelines.

Guidelines outlaw existing facilities

Existing ISPs deploying commonly used servers violate guidelines:

We have discussed how, under the new guideline requirements, any ISP (Internet Service Provider) in India, who uses a UNIX or UNIX-like server, (and almost all of them do), would be breaking the law unless they get a special prior permission from the Telecom Authority, for “deploying” servers that register user passwords, using encryption features that are not permitted by default -- if the ISP would be connected to the Internet through any private fiber Internet gateway.  How would one achieve this?   The pre-requisite for such prior permission would practically require the ISP to ask all their registered password users to deposit their password with the Telecom Authority (before commencing to use the ISP’s facilities).  It would also mandate preventing the user from then changing the password for which prior written permission is obtained.  Any takers?   

End-users of standard applications like Word, Excel will breach the guidelines:

Now, let us take a step further and move towards the end-users of Internet in India.  Most end-users would use Operating Systems, such as Microsoft Windows (WinME, WINDOWS 2000, and future upgrades thereof) or Linux or a FreeBSD on their computers through which they would access the Internet.  

All end-users most certainly use applications software such as WORD, EXCEL, and the like, in order to prepare files that would be attached to their e-mail messages, even for normal correspondence.  Each one of us, as a user, is faced at some time or the other with situations when we need to secure such file attachments (even if they were, for instance, love letters or, on a more serious note, confidential business plans, Internet banking instructions, etc.).  In such an instance, the default encryption feature of the OS (Operating System) and the application software is used for securing the attached file(s).  Since the default encryption features of such software are far above the new stipulations, this too becomes an existing violation of the new guideline requirements for a 40-bit asymmetric encryption in the RSA algorithm or its equivalent.

Even standard browsers will NEVER qualify for prior permission on the Internet:

Now that the USA has removed the export ban on 128-bit encryption software, the guideline will also make browsers with 128-bit encryption features illegal for use in E-commerce transactions (without prior written permissions being individually obtained by all end-users).  This is because these encryption levels far exceed the permitted 40-bit RSA encryption and hence will need prior written permissions in order to comply with law.  And such prior permission can NEVER be obtained, since transactions through browsers are single key encrypted and we, as users, have no knowledge of the key that gets uniquely generated ‘on the fly’ for each session.  Hence no one will be able to deposit the encryption keys that the Telecom Authority requires as a pre-requisite for granting such permissions (as stipulated by clause 23) for “deploying” (read as installing) a current version of a widely used browser, even to access web-based e-mail such as Hotmail, Yahoo, etc.

(Technically, the "RSA Algorithm" routinely uses 512-4096 bit keys and then the browser facilities e.g. Netscape's SSL, or others, use a 40-bit to 168-bit “single” key encryption for the session).  In terms of RSA algorithm this will translate to 400-bit to 1680-bit asymmetric key encryption as against the 40-bit that is permitted. 

Accordingly, if this new guideline requirement is actually made law - or enforced as if law - we will have removed India from all but the simplest parts of the Internet.  We will have destroyed our participation in new protective infrastructures such as cryptographically signed DNS, Virtual Private Networks, and OUTLAWED ALL EXISTING SOFTWARE for all practical purposes.  In the true practical sense, no secure E-commerce transactions will be possible in India. 

Guidelines welcome outlaws

Or, in other words, all our E-commerce transactions if secured within the framework of permitting law, would invite the risk of theft by malicious hackers, all over the world.  Please come and steal from us, is what we are asking malicious hackers to do.

Guidelines outlaw Internet enterprise

As a consequence, it would imply, that all private fiber bandwidth providers would not be able to service any ISPs (including themselves, since only ISPs can have landing station permits), without seeking for themselves and also having all their ISP customers and their end-customers, seek prior written permissions for use of higher encryption, from the Telecom Authority.  And what will this entail?  

It will require every individual/group/agency/organisation applying for such prior written permission to deposit the decryption key, split into two parts, with the Telecom Authority and do so again, each time they wish to change it.   The machinery required for all this is beyond anyone's imagination.  This apart, most of us are not tech-savvy enough to be able to comply with this requirement. 

[QUOTE – clauses 22 & 23]

"Individuals/Groups/Organisations are permitted to use encryption up to 40 bit key length in the RSA algorithms or its equivalent in other algorithms without having to obtain permission from the Telecom Authority.  However, if encryption equipments higher than this limit are to be deployed, individuals/groups/ organisations shall do so with the prior written permission of the Telecom Authority and deposit the decryption key, split into two parts, with the Telecom Authority".

[END QUOTE]

Apart from the foregoing, it may well be added that split key technologies like RSA and Diffie-Hellman are thought to be about 1/10 the strength of single-key algorithms, when figuring "equivalent".   This means that a 40-bit key as specified here would be a FOUR-bit key in single-key cryptosystems, if we take this quoted paragraph as stated.

Absolutely absurd, a Key-Escrow demand translates thus:

 [Political to English translation]

 We don't trust our people a bit.  We trust the agencies of foreign governments and foreign and international companies more.  We even trust foreign malicious hackers more than we trust our own law-abiding people.  We INSIST that our own law-abiding people be defenseless against attacks such as:

  •  Virus/Trojan (with or without a worm component)
  •  Industrial/Commercial Espionage
  •  Theft of electronically based "funds" by domestic or foreign thieves
  •  Electronic Intrusion, foreign or domestic/criminal.

[End translation]

It is the equivalent of insisting that nobody keep a safe without passing along the combination to the government; that solid-core doors, if installed, must be left unlocked; and that any door that has both metal sheathing (even as a fire protection) and a lock on it must have the keys for those locks deposited with the Telecom Authority.

Guidelines drive out even basic Certifying Authority business

This restriction, if no exception is granted, eliminates the Certifying Authority (CA) business from India, and will consequently also eliminate all international E-commerce that requires it.  NO CA in their right mind allows their signing keys to escape their immediate and specific control.  A certificate signed with a 40-bit based RSA key would be absolutely worthless.  Microsoft themselves would not comply with this, according to their public statements.  Their signing "keys" are locked into tamper-proof and copy-proof hardware without duplication possible.
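To make concrete why a signature under the "40 bit key length in the RSA algorithms" of clause 23 certifies nothing, here is an added example that is not part of the original article: it builds a 40-bit RSA modulus, recovers the private exponent from the public key alone by trial division, and shows that a signature made with the recovered exponent verifies. The key is constructed for the demonstration, and the signing is textbook RSA over a SHA-256 digest with no padding, an assumption chosen to keep the arithmetic visible.

```python
"""Added example: a 40-bit RSA signing key is recoverable from its public half."""
import hashlib
import math


def is_prime(n: int) -> bool:
    """Deterministic trial-division primality test; fine for 20-bit inputs."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for d in range(3, math.isqrt(n) + 1, 2):
        if n % d == 0:
            return False
    return True


def next_prime(n: int) -> int:
    """Smallest prime strictly greater than n."""
    n += 1
    while not is_prime(n):
        n += 1
    return n


def make_toy_key(e: int = 65537):
    """Constructed key pair: two roughly 20-bit primes give a 40-bit modulus."""
    p, q = next_prime(900_000), next_prime(1_000_000)
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # private exponent (needs Python 3.8+)
    return n, e, d


def digest_as_int(message: bytes, n: int) -> int:
    """SHA-256 of the message reduced mod n (textbook RSA, no padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, d: int, n: int) -> int:
    return pow(digest_as_int(message, n), d, n)


def verify(message: bytes, signature: int, e: int, n: int) -> bool:
    return pow(signature, e, n) == digest_as_int(message, n)


def factor_by_trial_division(n: int):
    """Return (p, q, trials); at most about 2**19 odd divisors for 40 bits."""
    trials = 1                       # the check for divisibility by 2
    if n % 2 == 0:
        return 2, n // 2, trials
    for candidate in range(3, math.isqrt(n) + 1, 2):
        trials += 1
        if n % candidate == 0:
            return candidate, n // candidate, trials
    raise ValueError("modulus is prime, not an RSA modulus")


def recover_private_exponent(n: int, e: int) -> int:
    """Derive d from the public key (n, e) alone by factoring n."""
    p, q, _ = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    n, e, d = make_toy_key()
    p, q, trials = factor_by_trial_division(n)
    print(f"modulus {n} ({n.bit_length()} bits) = {p} * {q} after {trials} divisions")
    recovered = recover_private_exponent(n, e)
    print("private exponent recovered from public key:", recovered == d)
    statement = b"constructed certificate body"   # constructed sample input
    print("signature made with recovered key verifies:",
          verify(statement, sign(statement, recovered, n), e, n))
```

Each added modulus bit lengthens this naive search, which is one reason the 512-bit and 1024-bit sizes mentioned earlier in the article were the working minimum.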

Guidelines outlaw use of common Operating Systems and other software

With Active Update in Windows 2000 (and likely similar in WinME) depending upon cryptographic certification, this restriction weakens the entire infrastructure all the more.  If enforced, we will now have to compel all international vendors of Operating System and environmental software to weaken the level of encryption offered on their products to this extent merely to address our markets in India.  In the alternative, we will have to block on-line downloads of all Active Updates on the Internet, in India.  And similarly, ban all imports of non-complying software versions, into India.  Any takers?

Accordingly, if the stated policy is implemented without IMMEDIATE exclusions and is applied to computers with software, as well as "equipments", implementing encryption higher than 40-bit, then ALL OPERATING SYSTEMS WILL HAVE TO BE DUMBED DOWN, with the possible exception of old MS-DOS, CP/M, Windows3 and Windows95 systems.  And even that is just "possibly".   Although old versions of MS-DOS can be used with the Internet, very few people do so today, anywhere in the world.

Changing it to read what the policy writers perhaps MEANT to say is still no help.  Even if we changed the requirement to restrict RSA/DH keys to say 512 or even the more common 768 to 1024-bit size, and then restrict our session (single key) encryption to 40-bit, it would still force India into the "have not" status as regards international E-commerce. 

There is no way that the policy makers could have intended to force the RSA/DH equivalent of FOUR BIT KEYS that could be broken in seconds with pencil and paper by the average newspaper puzzle aficionado.  We MUST interpret the above quoted clauses, as accidentally or ignorantly misstated.

Guidelines – will hasten “Braindrain” and exodus of enterprise from India

This impractical 40-bit encryption restriction also invites violation by any competent administrator.  It eliminates the potential for the development of "home grown" security systems by persons of a patriotic bent, and the importation of such systems from still-patriotic émigrés.

It PROPAGATES emigration of our technically skilled people, our computer professionals and keeps the body-shoppers in business.  It totally eliminates India from the marketplace for offshore software design and construction.  Security MUST be a consideration in solid software design and construction. 

Further, it is the WORST detriment to Internet enabled (offshore) services being provided from India to overseas organisations.  As such, if this 40-bit encryption requirement were to be given the weight of law, it undermines (irretrievably) the entire data storage, processing and retrieval part of the electronic-network age in India.  It is like axing our own feet by murdering our “new economy” export earning opportunities.  Once passed, such things are not easy to get undone.  The slog of Government action would set India into the definite position of "timid consumer" for the Internet.

Consequently, ALL E-Commerce hosting and processing would have to remain overseas.  An exodus of enterprise we can least afford.

Guidelines compel our Internet community to be outlawed, internationally

People WILL get to the point, the world around, where they disable 40-bit encryption in web browsers (as many tech-savvy professionals do routinely); hence sites limited in this way would become unreachable.  Moreover, licensing 128-bit encryption for E-Commerce sites doesn't help, with key escrow, considering the practical aspect that browsers are single key encrypted with a different key for each connection.

Guidelines attract risk of abuse and unprecedented litigation

There is already a persistent problem internationally with potential man-in-the-middle attacks.  Man-in-the-middle attacks are by malicious hackers who stealthily present their own site to unsuspecting surfers (instead of the site the surfer intended to reach) with a view to stealing the encrypted information on-line (which, for instance, may pertain to banking and credit card or any other financial transactions).  A 40-bit encryption is like abetting such crime.  Even a higher-level encryption with private key escrow is no good either.  Whoever has the private key is the person identified by that key.  The man-in-the-middle attack truly commits a forgery of this situation.

It is fraudulent on the surface to demand anyone’s active private key for RSA/DH encryption.  Period.  The very fact of obtaining that key becomes a source to which the needle of suspicion points in the event of any identity theft, in the electronic realm.  Will the Telecom Authority be legally and financially prepared to face a series of criminal and financial litigation arising out of this situation?  Is the Telecom Authority ready to expose itself to such an explosive risk of being suspected in every Internet crime that should emerge out of this situation in India?  It is like saying, that everyone with a vault must give the private key to the Telecom Authority for the safety of the nation.  Fair enough.  The natural corollary to this would compel the key-depositors to be entitled to point fingers at the Telecom Authority for any breach of their confidence when any crime should surface.  The volume of resulting litigation will be unimaginable.  In such an event, it would be GROSSLY WRONG & UNFAIR (being against public interest), for the Telecom Authority to hide their face under the (misinterpreted) provisions of clause 17, saying that the Telecom Authority is absolved of all consequences arising from complaints of any nature concerning the services rendered through a Landing Station in India.

Quite frankly, an ISP anyplace else in the world would BLOCK https to a country in which E-commerce transactions were key-escrowed.  ISPs would do that FASTER than blocking "undesirable vulgar sites", and as fast as shutting down a customer who was obviously engaging in illegal activities.

Even if there were ANY validity whatsoever in the idea of key-escrow, which has been disclaimed the world around by the best experts in cryptography and cryptosystems, the potential of placing those keys in the hands of people who also can cause a re-routing of traffic ... wow!  It's madness!

Restricting the technology to 40-bit asymmetric encryption will also block any Java technology (or other signed items) from being certifiable as properly signed, if a stronger key signed it.  That includes Win2k software updates, Active-X, Java, and even signed JavaScript.

Why exclude Sanskrit based languages from browsing the Internet

It may perhaps be known to many of us that ROT-13 encoding is a toy used occasionally by children in E-Mail, and it could be called a one-bit encryption.  Probably, many of us may have playfully engaged ourselves in this kind of encryption (so to speak), which involves replacing each letter of a word with the 13th letter of the alphabet that follows it.  This, in simple words, is the ROT-13 algorithm.  Most E-Mail clients and newsreaders allow the toggling of the display to enable/disable such obfuscation of the text.  Many people can read the ROT-13 text without electronically decoding it.

Several of the popular encodings for Sanskrit based languages, when combined with ROT-13, could arguably violate the "40-bit key length in the RSA algorithms or its equivalent", without even TRYING to be actual encryption.  They would extend the encoding modification from one-bit to perhaps 16 - four times the "equivalent" to a "40-bit key length in the RSA algorithms or its equivalent".  It may be a good idea to have this examined, or else the authorities could be blamed for trying to EXCLUDE the use of Indian Languages from browsing the Internet.  Let us hope that the Department of Official Languages awakens to this.

A simple conclusive translation will read as:

This crypto-restriction is a case of "We will cut off all of our feet, rather than allow anyone to POSSIBLY walk down the wrong road, where we would need to catch them doing it".

Destruction through regulation

[QUOTE – Clause 10]

"The ISP shall provide information about all ISPs that would be connected to the Landing Station. Any addition shall be with the prior written permission of the Telecom Authority "

[END QUOTE]

This type of prior restraint of trade tends to invite governmental abuse through discretionary, selective and perhaps arbitrary decisions.  It is a framework under which corruption is inevitably encouraged through an official guideline.  The guidelines require every newly set up private Internet Gateway not only to identify customers for its bandwidth in advance, but also to contract its bandwidth to all its "potential customers" in order to seek prior permission to service them, even before obtaining a landing permit for the submarine fiber cable.  An advance MOU registration, so to speak, is now mandated.  And this process would have to continue for every fresh customer that may be serviced at any time in the future.  In pursuit of our policy for fair and healthy competition, is this a "level playing field"?  Only the umpire decides which bowler can bowl to which batsman!

It is quite apparent that the writer of these restrictive guidelines is trying to preserve Telephone-like controls, not really appropriate in the digital age.  The key reason for Telephone-like controls has traditionally been to help ensure the defense-use (both in a military and economic sense) of a solid infrastructure.  But that's not what's needed to preserve operational stability in the packet-switched age.  What is needed is fast-response automated and supervised operations at interconnect points, guided perhaps by government policies, but NOT delayed in action by the mechanisms of bureaucracies nor specific legislations.  Regulators may have forgotten the basic national defense reasoning for a close control of telecommunications, and come to believe that it is a nebulous reasoning that gives them the benefit and workload, as it keeps power centralized.

Guidelines IMPOSSIBLE to implement – a regulatory effort that ENSURES failure

[QUOTE – III Monitoring Requirements Clauses 24, 25 & 30]

"It should be possible to effectively monitor the traffic at the Landing Station from the national security point of view and that only the Internet data traffic is carried.  The requirements would include, but not limited to: ... On-line and off-line (capture, store and retrieve) monitoring of all classes of traffic (Internet, video, audio etc.) specified by various attributes viz. destination, recipient, sender, key words etc."

"Each of the security agencies should be provided with a specified dedicated space/memory/directory/storage in the Monitoring Centre computer"

[END QUOTE]

Having stipulated that a specified dedicated storage and retrieval capacity has to be provided to each security agency, which should be able to have traffic captured and stored by “various” (read as unlimited) attributes, one may wonder how this is possible.  There are a number of UNSPECIFIED variables that come into play here, although the stipulation reads as deceptively well defined.  Firstly, the exact number of security agencies that will require this astronomical monitoring facility is left undefined.  Next, the attributes by which all traffic will need to be captured and stored by these numerous undefined agencies are left to anyone’s guess.  Lastly, the storage capacity that is purported to be specified for each of this unspecified number of security agencies is left unknown in the text of the guidelines.  In these circumstances, one is justified in presuming and providing for the worst scenario, implying that in the worst case, the entire traffic could be captured, stored and retrieved.  Even with this presumption, one may fail to determine the number of times this will need to be duplicated separately for each security agency, since the number of such agencies is left undefined.  On the other hand, if one hazards a guess that only 5% of the volume of traffic at any given time may fall under any of the specified attributes of a security agency, and that there are 20 such security agencies requiring different portions of the traffic to be captured, it implies capturing and storing (5% * 20 = 100%) the entire traffic at some time or the other.  In the absence of any specifics in this regard, as explained, this is theoretically a need one must assume has to be met.

The estimated cost to fully comply with this provision for a single Terabit pipeline could be anybody’s guess (in the vicinity of Rupees 13500 crores?), if the technology can be developed to handle that bit rate for the capture, process, and monitoring called for by this provision.  If a single-computer design is enforced, as this policy seems to require, it may not be reasonably possible to accomplish this requirement, at any absurd price.

So what kind of housing, equipment and monitoring infrastructure would this entail?  At full operation, permanently capturing the raw data on a 1-terabit-per-second capacity for storage will require the equivalent of filling to overflowing a half-million 20-gigabyte hard disk drives per day.  One cannot imagine how much additional disk capacity will be required to store this data in a retrievable state, with index tables that will permit any meaningful search on it.

(In case anyone may wish to understand and validate this finding, here’s the math, which need not be read otherwise.)

(For just the raw data, excluding any index tables for its retrieval)

Volume of traffic in a day for a one-terabit bandwidth:

1 terabit is

    (1024 * 1024 * 1024 * 1024) bits

Dividing this by 8 bits per byte, we get the number of bytes that make a terabit:

    [(1024 * 1024 * 1024 * 1024) / 8] bytes

Multiplying this by the 86400 seconds in a day, we get the volume of traffic in bytes per day:

    [(1024 * 1024 * 1024 * 1024) / 8] * 86400 bytes

Capacity of one 20 GB hard disk drive is derived as follows:

1 megabyte is 1024 * 1024 bytes and 1 gigabyte is (1024 * 1024 * 1024) bytes.  Multiplying this by 20, we get the number of bytes that make twenty gigabytes, i.e., the capacity for storing raw data on one 20 GB hard disk drive:

    (1024 * 1024 * 1024) * 20 bytes

Accordingly, the number of hard disk drives required is:

    [(1024 * 1024 * 1024 * 1024) * 86400] / [(1024 * 1024 * 1024) * 20 * 8]
        = (1024 * 86400) / (20 * 8)
        = (512 * 1080) / 1

Therefore, 552,960 hard disk drives of 20GB each will be required EACH DAY for PERMANENTLY storing the raw data of traffic on a 1 terabit bandwidth at ONE Landing Station.  In addition, many more drives will be needed to index this data and make it meaningfully retrievable.

To provide the storage and access booths for each agency would require a significant building of its own to house the equipment, provided that specialty integrated circuits can be commissioned at the edge of current technology.

Certainly no more than one landing station could be permitted for the ENTIRE COUNTRY, because of the fiscal impact on the national budget to HANDLE the data so collected.  A parallel Internet must be established for government-only use, using (elsewhere forbidden) encryption for access.  Staff increases are likely in the quantity of (minimally) 50,000 highly trained individuals per government agency, plus support for these new departments.

Even the "Echelon" espionage systems stationed in the United States surely could not handle the monitoring requirements as described. 

[QUOTE – Clause 31]

"It should be possible for the monitoring agencies to access the monitoring center computer through PSTN line, ...

[END QUOTE]

This was the real tip-off that the license requirements were a parody and COULD NOT BE ACCURATE.  Each agency is going to index through

  11,874,725,579,980,800 bytes/day of data (552,960 * 20*1024*1024*1024)

using a modem (PSTN line).  Can anyone imagine how that may be achieved?  Should the licensees also provide 300bps modems to each agency?

[CONTINUE QUOTE – Clause 31]

.... ISDN line or dedicated lines (Cable pair or Optical link).  Adequate number of all types of interfaces may be provided at the monitoring center to facilitate remote accessing for the security agencies.

[END QUOTE]

So in order for any ISP to build a landing station, it must also create a parallel super-Internet, running nothing but encrypted communications in support of these agencies.  Can anyone imagine what is "adequate"?  The traffic for inefficient searches would quickly exceed that of the base data flow.
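The sizing argument above, carried through to the remote-access links that Clause 31 names, as an added example that is not part of the guidelines or of the original article.  Only the 300 bps modem rate comes from the text; the 56 kbps and 128 kbps rates and all function names are assumptions made for illustration.

```python
SECONDS_PER_DAY = 86_400
TERABIT = 1024 ** 4            # the article's binary definition of 1 terabit, in bits
DRIVE_BYTES = 20 * 1024 ** 3   # one 20 GB drive, as defined in the article

# Remote-access links of the kind Clause 31 lists. Only the 300 bps figure
# appears in the article; the other two rates are assumed typical values.
RETRIEVAL_BPS = {
    "PSTN modem, 300 bps": 300,
    "PSTN modem, 56 kbps (assumed)": 56_000,
    "ISDN, 128 kbps (assumed)": 128_000,
}

def captured_bytes_per_day(link_bps, agencies=1, percent_each=100):
    """Bytes stored per day when every agency keeps its own share of the traffic."""
    raw = link_bps * SECONDS_PER_DAY // 8
    return raw * agencies * percent_each // 100

def drives_per_day(stored_bytes, drive_bytes=DRIVE_BYTES):
    """Whole drives filled per day, rounded up, excluding any index tables."""
    return -(-stored_bytes // drive_bytes)

def years_to_retrieve(stored_bytes, retrieval_bps):
    """Years of uninterrupted transfer needed to move stored_bytes over one link."""
    seconds = stored_bytes * 8 / retrieval_bps
    return seconds / (SECONDS_PER_DAY * 365)

def report(link_bps=TERABIT):
    """Drives per day for full capture, and retrieval time for one day's data."""
    full = captured_bytes_per_day(link_bps)
    rows = {name: years_to_retrieve(full, bps)
            for name, bps in RETRIEVAL_BPS.items()}
    return drives_per_day(full), rows

if __name__ == "__main__":
    drives, rows = report()
    print(f"{drives:,} drives of 20 GB filled per day")
    for name, years in rows.items():
        print(f"{name}: {years:,.0f} years to move ONE day of capture")
    # The 5% x 20 agencies guess from the article stores the full traffic volume.
    print(captured_bytes_per_day(TERABIT, agencies=20, percent_each=5)
          == captured_bytes_per_day(TERABIT))
```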

[QUOTE – Clause 32]

"Remote Accessing/Log-in facility for security agencies should be through fully secured unique password.  Each agency must have different password.  The access password should be re-definable (changeable) by security agency concerned."

[END QUOTE]

A single AGENCY password for each AGENCY to be shared among the 50,000 or so employees required to handle the manual access to snapshot data and impose days-at-a-time searches through the accumulated data?  Nothing can be more unbelievable and absurd.

There is really no point in anyone building ANY kind of facilities, with regulatory requirements ensuring failure.  That 40-bit plus key-escrow cryptography restriction does just that, for the entire nation.  The monitoring station requirements turn the key in the lock, as if it were a final blow, for a predetermined end.

Review and re-write of the guidelines and similarly the IT Bill is inevitable

Nothing can better fulfill the critical need of the hour, than the best minds from non-commercial organizations such as IITs, IIMs, Defence, ISRO, Atomic Energy, etc., (who have no vested commercial or business interest at stake), coming together to examine relevant issues (for these guidelines and similarly for the IT Bill as well), solely with the well being of India at heart.  It is needless to say that such an exercise has to be time-bound with recommendations being finalized and reported in the shortest possible time, perhaps before October 2000 with a view to implement a possible re-write of the policies in this regard.  Any patchwork will cause only further turmoil.

Conclusions

As the world becomes more and more network dependent for its commercial infrastructure, the best defense is a strong advanced defense, NOT remedial action, perhaps delayed by requirements of legislative or bureaucratic action.  In addition to mere regulatory roles, the importance of intelligent governance based on academic leadership in the new national endeavour of promoting an Internet economy is unquestionable.  It is necessary that the Government intelligently lead the nation rather than mandate and punish.  If encouraged, this tone of leadership should spread beyond governance and work for society at large.

A dynamic and wise policy can, in the new Internet Millennium, give India the potential to establish leadership, with even stringent requirements for defensively strong digital security, that can make India a world capital for an International Network Economy.  The country which can combine its traditional intolerance for criminal activities with its absolute demand for strength in law to support strength in economic security will automatically attain an incomparable advantage in hosting an entire Internet economy to the world, which has so far been denied to India, as even Indian businesses go offshore for Internet activity.

Yet this potential is phenomenally inexpensive.  Use of strong encryption is as cheap as use of weak encryption.  The nearly undetectable slow-down in ongoing processing for use of strong algorithms with sufficient key-sizes is negligible in real-world time considerations.  Encouragement to secure systems against fraudulent entry and other abuse is just that - a leadership position, SAVING the costs of repairs, at a comparatively smaller fore-cost in labour.

Cryptography is only one aspect of overall Electronic Data Security, but a very important aspect.  This MUST be recognized.  It is an economic necessity.

What we see is the need for an attitude adjustment which does not "follow false leads" seen in some other places in the world.  It's not a difficult twist of logic.  It is no aspersion on any country to see to it that they have their electronic doors locked, especially where those doors open on the WORLD rather than on a single patrolled street.  The cost of maintaining a strong digital infrastructure (from a security standpoint) is LOWER than the cost of any remedial action, even when damages are comparatively small.  The world regions that are prepared in this way will become a magnet for use of their infrastructure.  The perceived US lead is not necessarily solid.  There has been a great laxity in the way the US (as a nation) conducts business, striving for expediency above safety.  But the US had and has a lead.  Can India presume to do the same?  Japan has had great success in the past 50 years in taking what others are doing, but tweaking the methods to fit their own society -- making improvements upon what is done elsewhere.

Here's India's perhaps greatest chance to do similarly in becoming a world leader of an International Network Economy.  A talented and intelligent Indian people can use that advantage now, while the cost of utilizing that resource is low but will grow quickly in value, as it already is doing.  This fits the aspirations and the dreams of the forefathers of our nation.



Copyright © 2000 Dr. Raj Mehta. All rights reserved.