Over to you MeitY: IFF's representation on CERT-In's Responsible Vulnerability Disclosure and Coordination Policy

CERT-In responded to our representation on the Responsible Vulnerability Disclosure and Coordination Policy and clarified that the Policy is following the existing provisions of the law. Therefore, now we ask MeitY to amend the law to provide a safe harbour for security researchers.

10 December, 2021
4 min read

tl;dr

CERT-In responded to our representation about the issues with their Responsible Vulnerability Disclosure and Coordination Policy, explaining that the Policy is an executive decision and so must follow the existing provisions of the law. In light of this, we have written to MeitY, asking them to amend the Information Technology Act, 2000 to provide a safe harbour for genuine security researchers.

Introduction

On 3rd September 2021, the Indian Computer Emergency Response Team (CERT-In) released its new ‘Responsible Vulnerability Disclosure and Coordination Policy’ with the aim of strengthening trust in the ‘Digital India’ and ‘Make in India’ campaigns, and encouraging responsible vulnerability research. The Policy provides information about where cybersecurity vulnerabilities in products and services can be reported, the details expected in vulnerability reporting, the procedure by which CERT-In will examine and act upon such reports, and the timelines for resolving issues.

However, the Policy effectively discourages the reporting of vulnerabilities! Clause 7 of the Policy states that: “The reporting party must ensure to comply with all the extant laws and regulations while discovering the vulnerabilities. Reporting a vulnerability to CERT-In does not imply being exempt from compliance. Discloser shall be responsible for any action performed by her/him for discovering the vulnerability whatsoever”.

In response to this, we wrote to CERT-In on 13th October 2021 indicating our concerns about this provision. In our representation, we highlighted that such a policy may lead to a regulatory regime in which genuine security researchers may be penalised for disclosures. We also stated that Clause 7 of the Policy may also be in conflict with the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 which adopt a more cooperative and collaborative approach to vulnerability disclosures.

CERT-In responds!

On 26th October 2021, CERT-In responded to our representation. In their response, CERT-In stated that the Policy was an executive decision of CERT-In taken in consonance with section 70B(4) of the Information Technology Act, 2000 (IT Act), and so, “the policy is non-statutory in nature in nature and not a law itself”, with the provisions of clause 7 more akin to a “disclaimer”.

Further, CERT-In argued that it “cannot own the responsibility nor is competent to exempt anyone from legal obligations”, and that the Policy “is not legally capable to cause any modification to the provisions of applicable law”. Thus, CERT-In suggested that we take this matter up with the Cyber Law Division of the Ministry of Electronics and Information Technology.

We thank CERT-In for their response to our representation. We acknowledge the arguments made by CERT-In and appreciate the statutory limits by which CERT-In is bound. In accordance with this, it is imperative that MeitY consider suitable amendments to the IT Act and also look towards making suitable policy and regulatory frameworks for vulnerability disclosures.

Urgent amendments needed

An IBM study reported the average data breach in India cost 16.5 crores INR, an increase of 17.85% from 2020. The report also noted that the average time to detect a breach increased from 230 days to 239 days while the average time taken to contain a breach reduced from 83 to 81 days respectively. This indicates a significant amount of information and data loss for users.

It is also important to note that several data breaches are not discovered and/or disclosed by the data fiduciaries but rather by independent digital security researchers. Previously, several independent digital security researchers and news organisations reported that a large amount of data - over 8.2 TB in size - of MobiKwik users was put on sale over the dark web; a similar breach of personal data of 50 crores plus Facebook users, which includes over 60 Lakh Indian Facebook users was reported by several researchers. Thus, there is a clear need to provide these researchers with legal safeguards.

We have previously highlighted this legal lacuna in an earlier submission to MeitY dated 3rd June 2020, as well as in our comments on the National Cyber Security Strategy 2020 dated 13th January 2020 and our submissions to the Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill, 2019.

Thus, we believe that MeitY must urgently consider amending section 43 of the IT Act to prevent data fiduciaries from bringing vexatious legal claims and proceedings against vulnerability testers and cyber security experts. Additionally, we recommend that MeitY offer its inputs to the JPC on the Personal Data Protection Bill, 2019 so that the Schedule to the Bill can be amended to include narrowly tailored good faith exceptions for vulnerability testers and cyber security experts.

In addition to this, MeitY may consider offering rewards and recognition to genuine cyber security researchers for upholding and securing our national interest, in lieu of which bug bounty programmes and responsible vulnerability disclosure mechanisms need to be adopted by the government and its agencies.

Important documents

  1. CERT-In’s Responsible Vulnerability Disclosure and Coordination Policy (link)
  2. IFF’s representation to CERT-In regarding ‘CERT-In’s Responsible Vulnerability Disclosure and Coordination Policy’ dated 13th October 2021 (link)
  3. CERT-In’s response to IFF’s representation dated 26th October 2021 (link)
  4. IFF’s representation to the Ministry of Electronics and Information Technology (link)

Subscribe to our newsletter, and don't miss out on our latest updates.

Similar Posts

1
#FreeAndFair: Launching IFF’s Election Website

As the country gears up for the 2024 Lok Sabha elections, we watch every technological development that may affect electoral integrity. Visit the IFF election website freeandfair.in to read about IFF’s actions and efforts. 

5 min read

2
Your personal data, their political campaign? Beneficiary politics and the lack of law

As the 2024 elections inch closer, we look into how political parties can access personal data of welfare scheme beneficiaries and other potential voters through indirect and often illicit means, to create voter profiles for targeted campaigning, and what the law has to say about it.

6 min read

3
Press Release: Civil society organisations express urgent concerns over the integrity of the 2024 general elections to the Lok Sabha

11 civil society organisations wrote to the ECI, highlighting the role of technology in affecting electoral outcomes. The letter includes an urgent appeal to the ECI to uphold the integrity of the upcoming elections and hold political actors and digital platforms accountable to the voters. 

2 min read

Donate to IFF

Help IFF scale up by making a donation for digital rights. Really, when it comes to free speech online, digital privacy, net neutrality and innovation — we got your back!