On April 28, 2022, the Indian Computer Emergency Response Team (CERT-In) issued fresh directions (No. 20(3)/2022-CERT-In) under section 70B of the Information Technology (IT) Act, 2000 in relation to information security practices, procedures, prevention, response, and reporting of cyber incidents. Issued without public consultation, these directions raise serious concerns related to state-sponsored surveillance and data retention beyond need or purpose. Therefore, we call on CERT-In to recall these directions.
Why should you care?
Due to the increased digitisation of valuable personal data, data breaches and cyber attack incidents have become the order of the day. We are often made aware of these incidents not by the data fiduciaries who control the collected data and have a duty towards the data principals from whom the data has been collected, but by independent cyber security researchers. These fresh cyber security directions were an attempt to fill this major regulatory gap. However, provisions of these directions cause more harm than good, especially in the absence of a data protection law.
The ‘leaked’ story so far
In the past few months, we have seen numerous data breaches. As a result of these breaches, the data of Indian users may be available to third parties over the internet for nefarious use. Such cyber security incidents have not been restricted to private enterprises. A parliamentary response by the Minister of State for Electronics and Information Technology dated April 1, 2022 revealed that CERT-In reported a total of 48,285 cyber security incidents related to government authorities during 2021. On other occasions, the government has not always been transparent about such incidents. The Ministry of Electronics and Information Technology (MeitY) claimed that, as per information provided by the National Critical Information Infrastructure Protection Centre (NCIIPC), no cyber attack was reported to NCIIPC in the declared Critical Information Infrastructures (CIIs) / Protected Systems (PS). The response is surprising given the admission by the Nuclear Power Corporation of India Ltd. (NPCIL) in 2019 that malware had infected its administrative system at the Kudankulam Nuclear Power Plant. In such a scenario of an inadequate legal framework, lack of transparency and high risk of privacy violations, action from CERT-In was much needed.
One step forward, two steps back
The causes for concern are as follows:
Lack of public consultation and compliance with existing laws erodes the value of the directions:
- Lack of consultation with technical experts: The directions were released by CERT-In without any public consultation with technology and cyber security experts, which has led to the inclusion of multiple unwarranted provisions in the directions, such as mandating the retention of Know Your Customer (KYC) authentication information for virtual asset service providers (Direction 6) and NTP-based time-keeping (Direction 1).
- Lack of compliance with existing cyber security provisions: Direction 6 of the directions, which relates to service providers maintaining all KYC information, is incongruent with the IT Act, 2000 as it doesn’t fall under the ambit of section 70B. Direction 19 of the CERT-In notification dated January 16, 2014 mandated the formation of a review committee by the Central Government, tasked with dealing with non-compliance with the directions issued. However, the current directions don’t provide any information on whether these Review Committees have been formed. Moreover, now that even government organisations are liable under these directions, as opposed to the directions dated 2014, there is no clarity on the appointment and composition of the committee.
Ambiguity in scope and phrasing of directions results in confusion:
- Lack of definitions: CERT-In has instructed the above-mentioned entities to “...mandatorily enable logs of all their ICT systems…” (Direction 4). Ambiguity over what is covered under “all their ICT systems” leads to various concerns such as the government having access to or enterprises storing more data than necessary. Clarity over such a phrase would implement internationally recognised principles of purpose limitation and data minimisation. Additionally, terms such as “Data Centres”, “Virtual Private Server (VPS) providers”, “Cloud Service providers” and “Virtual Private Network Service (VPN Service) providers” mentioned in Direction 5 aren’t defined. Similarly, definitions for terms like “service providers”, “intermediaries”, and “body corporate” are missing (Direction 4).
- Vague additions to the Annexure: The types of cyber incidents to be mandatorily reported (Annexure 1) by the entities mentioned in Direction 1 have considerably expanded as compared to the directions dated 2014. Once again, CERT-In fails to define or elaborate on many of these new additions. For instance, while “data breach” and “data leak” have been included in the annexure as separate categories of cyber incidents, they have not been defined and it is unclear how they have been distinguished from each other.
- Use of NIC/NPL NTP servers: The requirement to synchronise system clocks directly with the Network Time Protocol (NTP) servers of the National Information Centre (NIC) or National Physical Laboratory (NPL), or with NTP servers traceable to them (Direction 1), is vague. The allowance for multinational firms with network infrastructure that spans multiple countries to use time sources other than NIC and NPL appears to be contradicted by the direction to ensure that "their time source shall not deviate from NPL and NIC." Additionally, preliminary investigation by researchers already indicates challenges with regard to the discoverability and reliability of these NTP servers.
Excessive compliance requirements raise privacy concerns:
- Excessive data retention requirements: Concerns around the collection and storage of data beyond purpose or need are further exacerbated by the requirements of “mandatorily enabl(ing) logs of all… ICT systems and maintain(ing) them securely for a rolling period of 180 days” (Direction 4) and “maintenance of data for 5 years or longer, as mandated by the law after any cancellation or withdrawal of registration” for certain categories of data required for registration with data centres, virtual private server (VPS) providers, cloud service providers and Virtual Private Network (VPN) service providers (Direction 5). Such requirements go against the internationally recognised principle of “storage limitation” in the processing of data. The ambiguity around the time frame, along with the lack of reasoning behind extending it, could lead to serious privacy violations. Further, there are certain service providers such as Signal, as well as certain VPNs such as Proton, which claim not to retain any logs as part of their privacy-respecting practices. These service providers may be forced to exit the Indian market as a result of these requirements.
- Burdensome soft data localisation requirements: Through the statement, “...shall mandatorily enable logs of all their ICT systems …and the same shall be maintained within the Indian jurisdiction”, CERT-In puts in place soft data localisation requirements on the above-mentioned entities, wherein a copy of the data must be stored in India (Direction 4). This is a cause for concern, as data localisation can stifle innovation and the free flow of data across borders. Moreover, the added compliance cost would disincentivise foreign companies from bringing their services and products to India. This could result in Indian users not being able to access these services.
- Weakened Virtual Private Networks (VPNs): VPNs help to protect information security in multiple ways. Firstly, VPNs are increasingly used by businesses and government agencies to secure confidential information online. Not only do VPNs provide a secure channel for storing and sharing information, organisations can also use their local VPNs to provide remote access to network resources for their employees. VPNs also help secure digital rights under the Constitution of India, especially for journalists, whistleblowers and activists. The encrypted nature of information transfer over VPNs allows them not only to secure confidential information but also to safeguard their own identity, thus protecting them from surveillance and censorship. VPNs, as a privacy-advancing technology that often implements encryption protocols, fall squarely within the protection of the fundamental right to privacy articulated by the Supreme Court in the Right to Privacy judgement. Lastly, VPNs are a key tool in the fight for net neutrality, as they allow users to sidestep arbitrary blocking of websites by ISPs that has no legal basis. The directions require VPN services to collect as well as maintain a wide range of customer data categories (mentioned below) for a period of 5 years, even after the customer has cancelled their subscription or account. These categories of customer information include, but are not limited to, names of subscribers/customers, validated physical, email and IP addresses used at the time of registration, contact number, and other such personally identifiable information. Such excessive requirements for collecting and handing over data will not just impact VPN service providers but VPN users as well, harming their individual liberty and privacy. Here, it is also important to note that it remains unclear how the 5-year period of data retention for VPNs will help in increasing cyber security.
- Enabling mass surveillance: The data retention and localisation requirements in the directions raise severe concerns of state-sponsored mass surveillance. Further, up-to-date and near real-time information will have to be provided by the service provider for the purposes of protective and preventive actions related to cyber incidents as well as for cyber incident response (Direction 3). In the absence of sufficient oversight and a data protection framework to protect against misuse, such requirements have the potential to enable mass surveillance.
Directions ultimately fail to protect service providers and users:
- One-size-fits-all reporting periods: CERT-In has instructed all entities to mandatorily report cyber incidents to CERT-In within 6 hours of noticing such incidents or being brought to notice about such incidents (Direction 2). Any reporting requirement needs to take into account the type/size of the entities affected, their capacity to respond, the severity of the incident and the scale of impact, and accordingly specify reasonable reporting timeframes.
- No relief for end-users: The recent directions contain no provisions mandating disclosure to users, who are the actual victims of a cyber attack or data breach. In the absence of a legal obligation on data fiduciaries to inform users in case of a data breach, the latter will be unable to mitigate the privacy-related harm. Additionally, there is no clarity on the processes and grievance redressal mechanisms in place after an incident has been reported to CERT-In. These gaps in the directions lead to a serious lack of transparency and accountability.
Miles to go
- In today’s day and age, retention of certain data may prove effective in fighting cyber crime, but only under strict disclosure policies. However, excessive data retention can also infringe individual fundamental rights, in particular the right to privacy. In the absence of a data protection law in India, such broad data collection and retention directions may negatively impact the rights of users. Thus, while the Draft Data Protection Bill, 2021 is pending in parliament, such overly broad provisions must be revisited, taking into consideration the opinions of technical and cyber security experts as well as civil society organisations.
- Digital security researchers and vulnerability testers are important stakeholders in the cyber security arena. It is thus imperative that CERT-In moves towards improving cyber security by encouraging, promoting and protecting Indian security researchers (for a detailed analysis on the need for protecting security researchers, see here).
- There is currently no legal obligation on data fiduciaries to notify affected users in case a breach takes place. Furthermore, the directions still don’t contain any specific provisions on informing the customer or end-user in case of a data breach. Provisions clearly mandating data fiduciaries to do so must be included in the directions so that customers are able to mitigate the impact of such breaches. Moreover, citizens who have been impacted by data breaches must be provided with adequate compensation.
- Active and direct investigation into the conduct of data fiduciaries must be undertaken by CERT-In, with special mechanisms addressing the scale and sensitivity of data involved.
- India faces the twin problems of low capacity levels and weak and insecure infrastructure. Thus, it is imperative that the regulatory framework for security be robust. In addition to an oversight mechanism, the introduction of a data protection law is the need of the hour.
We call on CERT-In to recall these directions. We hope that CERT-In considers our recommendations and continues to fight cyber security failures in India with the right intent. It is imperative that the government and government-owned entities, as well as private commercial enterprises, start taking steps to prevent such failures and develop mechanisms to provide redressal to users. As far as what we as users can do, read our 6th edition of “Cybersec Charcha” to better understand how to implement strong digital security practices.
This post was drafted by Capstone Fellow Tejasi Panjiar, and reviewed and edited by Associate Policy Counsel Anushka Jain and Policy Director Prateek Waghre.
- CERT-In’s new directions dated April 28, 2022 (link)
- CERT-In’s directions dated January 16, 2014 (link)
- Representation dated 11.06.2021 along with recommendations by Mr. Suman Kar (link)