CERT-In Directions 2022: New Variant of an Old Virus?
Priyanshi Bhageria (The Leaflet) 09 May 2022
Mandating all service providers, intermediaries, data centres, body corporates and government organisations to enable server logs of all their ICT systems, and maintain the same for a period of 180 days within the Indian jurisdiction, is being seen as yet another attempt at State surveillance.
 
American lawyer Eric H. Holder Jr. famously remarked, “To those in the executive branch who say ‘just trust us’ when it comes to secret and warrantless surveillance of domestic communications, I say ‘Remember your history’.”
 
A recent development has brought yet again to the fore the Union Government’s brazen attitude around issues of data security and privacy. On April 28, the Indian Computer Emergency Response Team [CERT-In], the nodal agency for cyber security set up under Section 70B of the Information Technology Act, 2000, issued a set of directions “to augment and strengthen the cyber security in the country”, that would come into effect from June 27 this year. As per section 70B(7), non-compliance with these directions would attract criminal liability.
 
What are the basic concerns?
 
According to the Union Ministry of Information Technology, a total number of 48,285 cyber security incidents related to government authorities occurred in 2021. This is a serious cause for concern, and any government action to bolster cyber security is welcome.
 
The ambiguity around these guidelines could result in storage of more data than it is actually necessary. This also implies that government agencies and enterprises will have access to more of our data at their disposal.
 
However, the directions mandating all service providers, intermediaries, data centres, body corporates and government organisations to enable server logs of all their ICT (Information and Communication Technology) systems, and maintain the same for a period of 180 days within the Indian jurisdiction, are being seen by some experts as yet another attempt at State surveillance.
 
Additionally the guidelines also mandate that all Virtual Private Network [VPN] service providers collect and store information of Indian users for up to five years. This information is meant to include names, addresses, contact numbers, period of subscription, email, IP address, and client’s purpose of using their services among the other service providers available. This is being seen as a threat to informational privacy.
 
Why are the directions considered as misguided?
 
The direction, which prescribes the maintenance of server logs for a period of 180 days, is problematic due to various reasons. First, the term ‘all ICT systems’ is not clearly defined in the directions. Therefore, the ambiguity around these guidelines could result in storage of more data than it is actually necessary. This also implies that government agencies and enterprises will have access to more of our data at their disposal.
 
Stringent data localization requirements may also increase the cost of flow of data across national borders, and may disincentivize foreign service providers from entering the Indian market.
 
Second, the aim of the provisions is to tackle the menace of cyber security incidents. The nature and types of the same are mentioned in Annexure 1 of the directions. There is a major problem with this at the very outset. The Annexure lists down the types of cyber security incidents which are to be reported to CERT-In by the entities covered by the directions. However, there have been several additions to this list when we compare it to the list of reportable cyber incidents prescribed in the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013. These new additions are not properly justified. For instance, the directions fail to define or even clearly distinguish between ‘data leaks’ and ‘data breaches’. Another item in this list, ‘fake mobile apps’, for instance, is also open to interpretation. Definitions of important terms are ambiguous, which leaves scope for arbitrariness.
 
Third, the guidelines mandate excessive retention requirements for a period of 180 days. This will not only make the users’ data prone to leaks and cyber-attacks, but also require entities to have additional infrastructure in place for data retention and storage. Moreover, longer retention of data implies a greater threat to it.
 
Last, there are also concerns around the data localisation requirement. This direction comes at a time when many jurisdictions like the United States of America are discouraging the practice of data localisation. Stringent data localization requirements may also increase the cost of flow of data across national borders, and may disincentivize foreign service providers from entering the Indian market.
 
The direction that deals with VPN service providers is equally intrusive and harmful. VPN services are widely used by the investigative journalists to access websites which are banned in their own country for investigative purposes or to commit sting operations. VPN is used because it masks the location of the user and also helps in hiding the search history of the user from their internet service providers. However, with the new guidelines in place, the same can no longer be promised.
 
VPN is used because it masks the location of the user and also helps in hiding the search history of the user from their internet service providers. However, with the new guidelines in place, the same can no longer be promised.
 
Moreover, some VPN service providers, such as Proton, have strict guidelines against storage or retention of user data. This direction, which mandatorily requires the same, would result in the exit of such service providers from the Indian market.
 
How can accountability be ensured?
 
The concerns regarding these directions by CERT-In are legitimate. The government has time and again issued such regulations citing national security and public interest without having any accountability for the same. The same is possible because India lacks a comprehensive and people-friendly data protection law.
 
Fixing accountability is necessary when retention of data and storage of the same is being practiced at such a large scale. Unless this is done, such guidelines will be routinely issued with no real recourse.
 
Comments
Free Helpline
Legal Credit
Feedback