India Warns Against U.S. Security Software

By MALCOLM MACLACHLAN, TechWeb

Internet privacy advocates have said for years that limits on encryption exports could cripple the U.S. software industry, and now the Indian government has agreed with them.

In a statement that has gone mostly unnoticed in the United States, the Indian Defense Research and Development Organization (DRDO) on Monday issued a "red alert" warning against all U.S.-made network-security software.

In a letter to the Central Vigilance Commission (CVC), an Indian intelligence agency, the DRDO cited the limits the U.S. government places on encryption exports as the reason for the alert. The U.S. National Security Agency limits most exported products to relatively weak 64-bit encryption.

"To put it bluntly, only insecure software can be exported," the DRDO letter states. "When various multinational companies go around peddling 'secure communication software' products to gullible Indian customers, they conveniently neglect to mention this aspect of U.S. export law."

The head of the CVC indicated that he might soon make it mandatory for all Indian financial institutions to buy only security software developed in India. In its announcement, the DRDO said it was working on a prototype security protocol for India, due out within three months.

U.S. encryption limits are damaging, according to Sameer Parekh, CEO of Berkeley, Calif., software company C2Net and an encryption advocate. But the alert from India is more a reflection of tense India-U.S. relations, damaged by India's nuclear program and its ongoing war with Pakistan, he said.

"One reason the Indian government would make such a pronouncement is because the U.S. has put a number of embargoes on exports to India," Parekh said. "This could be just their form of retaliation."

Strangely, Parekh said, if U.S. companies were permitted to sell strong cryptography products overseas, the Indian government would probably restrict them. Despite its role as a technology leader, India is not a bastion of free speech and privacy rights, he said.

And things aren't getting any easier in India for free-speech and privacy advocates, said Alexander Fowler, director of public affairs at the Electronic Frontier Foundation. Indian legislators are now debating a bill, the Information Technology Act of 1998, that would set domestic controls on encryption, which don't exist in the U.S.

The act would also let law-enforcement agencies use any message intercepted through an ISP in court. Furthermore, ISPs could be held responsible for "illegal acts" committed over their networks.

"This law, if it goes through, is as restrictive as the things we've seen coming out of China and Singapore," Fowler said. "We haven't seen anything to suggest that they are more enlightened than the U.S."

The Indian alert is certain to be the subject of lively debate at next week's RSA Data Security Conference in San Jose, Calif. RSA has been a leader in the security market in the U.S. and a thorn in the side of U.S. regulators. Last week, the company said it would circumvent U.S. restrictions by selling encryption technology through its Australian subsidiary.