Top Secret: One year on, CERT-In refuses to reveal information about compliance notices issued under its 2022 Directions on cybersecurity

To mark the first anniversary of the notification of the 2022 CERT-In Directions, we filed two Right to Information (“RTI”) applications with the Department of Electronics and Information Technology, seeking details on the issuance of compliance notices under this new regulatory mandate.

28 April, 2023

tl;dr

On April 28, 2022, the Indian Computer Emergency Response Team (CERT-In) issued Direction No. 20(3)/2022-CERT-In (“Directions”) under Section 70B(6) of the Information Technology (“IT”) Act, 2000. The Directions are ostensibly aimed at addressing information security practices, procedures, prevention, response, and reporting of cyber incidents. They raise significant challenges for users’ privacy through mandatory data collection and storage by service providers, and undisclosed data sharing by CERT-In.

To mark the first anniversary of the notification of the 2022 Directions, we had filed two Right to Information (“RTI”) applications with the Department of Electronics and Information Technology, seeking details on the issuance of compliance notices under this new regulatory mandate.

Why should you care

VPNs are tools that help users conduct internet activities anonymously and protect their privacy. However, if VPN providers are required to collect and share users' personal data with CERT-In, it would seriously affect those users' privacy. At the very least, such a risk should be accompanied by transparency about how the mandate is being enforced, but CERT-In has denied crucial information.

Background

As discussed in detail here, the 2022 Directions impact how service providers over the internet conduct their business at the cost of their users' privacy. The Directions mandate a range of entities, including hosting, VPN and VPS companies, to maintain a record of every activity of their customers. These service providers could be required to hand over this information at any time to CERT-In. The 2022 Directions do not impose any limitations on how long CERT-In could retain this data or with whom it could share it. Non-compliance with these directions is a punishable offence carrying imprisonment of up to a year and/or a fine.

The 2022 Directions put your privacy at risk by potentially making your activities over the internet available to an undetermined number of entities. The constitutional validity of the 2022 Directions is currently being challenged before the Delhi High Court. Notice was issued in September 2022 and CERT-In filed a counter affidavit in December 2022.

Direction (iii) pertains to data breaches, specifying that near real-time information will have to be provided by the service provider for the purposes of protective and preventive actions related to cyber incidents as well as for cyber incident responses.

Direction (v) requires VPN service providers to collect and retain extensive personal information about their customers, including validated names, addresses, contact numbers, email addresses, periods of hire, allocated Internet Protocol (IP) addresses, the purpose of hire, and ownership patterns, for a minimum of five years, regardless of whether the user cancels or withdraws their registration. This move weakens the efficacy of VPNs, which help to maintain net neutrality and internet safety, and violates the right to privacy.

RTI Responses

We filed two RTI applications with CERT-In on March 16, 2023. One focussed on Direction (iii) and the other on Direction (v).

How many notices has CERT-In issued to VPNs requiring them to furnish details and what is the deadline for compliance? Further, what are the consequences of non-compliance with such notices? Have any VPN services been blocked, and have any legal proceedings been initiated?

CERT-In’s responses stated that the information sought pertains to “unspecified third parties” and that in February 2023, notices seeking compliance with Direction (v) were issued to some VPN service providers. Further, the responses received from the abovementioned VPN service providers are “under examination”, and there is “no issue” of any blocking or initiation of “any other proceedings” as a result of non-compliance.

In response to our RTI regarding Direction (iii), CERT-In repeated its earlier response, stating that the information pertains to “unspecified third parties” and that only VPN service providers were issued notices seeking compliance with Direction (iii). No notices have been issued to service providers, intermediaries, data centres, body corporates or Government organisations.

The purpose of these reasonable questions was to gain a better understanding of the institutional process put in place to implement the 2022 Directions. However, on April 14, 2023, we received a response that was disappointing and evasive. CERT-In did not disclose the total number of compliance notices, the list of entities on whom such notices were served, the timeframe for compliance, or the consequences of non-compliance.

This lack of transparency and unresponsiveness from CERT-In has hindered our efforts to gather necessary information and understand the processes in place. We are planning to file first appeals against the responses and pursue these RTIs to their logical conclusion. The lack of transparency around the 2022 CERT-In Directions is extremely disconcerting, especially since recent news reports suggest that CERT-In may soon be exempted from the purview of the RTI Act, 2005.

  1. RTI on direction (iii) filed with the Department of Electronics and Information Technology on 16.03.2023 (link)
  2. RTI on direction (v) filed with the Department of Electronics and Information Technology on 16.03.2023 (link)
  3. Response on RTI on direction (iii) from the Department of Electronics and Information Technology on 14.04.2023 (link)
  4. Response on RTI on direction (v) from the Department of Electronics and Information Technology on 14.04.2023 (link)
  5. IFF’s explainer on the CERT-In April 2022 Directions (link)
  6. Direction No. 20(3)/2022-CERT-In of 28.04.2022 under Section 70B(6) of the Information Technology Act, 2000. (link)
