The Indian Computer Emergency Response Team (‘CERT-In‘) issued a new set of Directions on April 28, 2022 under Section 70B(6) of the Information Technology Act, 2000 on the reporting of cyber incidents and related measures for the protection of the IT and internet ecosystem in India. These Directions apply to data centers, service providers, intermediaries, Government organizations, and body corporates (collectively referred to here as Covered Entities), and form a second tier of guidance from CERT-In after the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (‘CERT-In Rules‘).
Strengthening breach reporting and allied obligations
The Directions reinforce the existing breach reporting system and the allied record-keeping obligations under the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (‘Intermediary Guidelines‘) and the CERT-In Rules. They include:
Stringent timelines for reporting: the Directions impose a tighter timeline of 6 (six) hours for reporting cyber incidents, counted from the time the Covered Entity notices the incident or is notified of it, by email, phone, or fax in the format specified by CERT-In. Non-compliance with the Directions may lead to penal action under Section 70B(7), which provides for imprisonment and fines.
Expansion of reportable incidents: the Directions widen the types of cyber security breaches and incidents reportable under the CERT-In Rules and add specific categories such as attacks or malicious activities affecting internet of things (IoT) devices, and attacks on servers, networks, or applications related to blockchain, custodian wallets, and virtual assets. Because no materiality or impact threshold is attached to this wider scope, the change may affect several sectors and trigger both direct reporting to CERT-In and flow-down (contractual) reporting between entities.
Maintaining ICT logs for six months within India: the Directions introduce a mandatory requirement for Covered Entities to securely maintain the logs of all their information and communication technology (ICT) systems for a rolling period of 180 days within India, and to furnish them to CERT-In along with any incident report or whenever CERT-In requests them.
Guidelines for VPNs: the Directions introduce de novo obligations that exist neither in the CERT-In Rules nor in the Intermediary Guidelines. These obligations apply to providers of virtual private networks (‘VPN‘), virtual private servers (‘VPS‘), cloud services (particularly providers with servers located in India), virtual asset services, virtual asset exchange services, and custodian wallet services, and concern the preservation of identifiable customer records and records of transactions or usage and related activities.
VPN, VPS, and cloud service providers are now mandated to maintain detailed customer records: validated names of subscribers or customers, the period of hire including dates, the IP addresses allotted to and used by them, the email address, IP address, and timestamp used at the time of registration or onboarding, the purpose for hiring the services, validated address and contact numbers, and the ownership pattern of the subscribers. These records must be kept for 5 (five) years, or longer where mandated by law, after any cancellation or withdrawal of the registration. These requirements also threaten user anonymity, which is often the main reason users subscribe to a VPN in the first place.
While the Directions aim to make it easier for the government to analyze and respond to cyber security incidents, the breadth of data that must be stored raises privacy concerns.
Privacy, data localization, and technical challenges with implementation
VPN providers have already voiced concerns about the requirements that apply to them. The new Directions take effect 60 days after issuance, that is, by late June 2022, which leaves little time to resolve the following issues:
Technical issues with data storage: a primary problem is the technical difficulty of complying with the storage requirements, because many VPN providers run RAM-only (diskless) servers that hold no persistent logs by design, so retaining 180 days of logs and five years of customer records would require re-architecting their infrastructure rather than changing a setting. This draws a parallel with the WhatsApp end-to-end encryption issue: when WhatsApp rolled out that feature in 2016, its inability to comply with government requests for data and decryption (under Section 69 of the IT Act) came to light. VPN providers are now in a similar position, with the CERT-In mandate challenging their current privacy models at a technical level and imposing traceability requirements.
Data localization mandates and cost factors: even for VPN providers that can comply on the technical front, the requirements entail a high compliance cost in acquiring the necessary storage capacity. Added to this is the mandate to store ICT logs within India, which rules out cheaper storage in other jurisdictions. While sectoral regulations already impose data localization for some data categories, such as payments data, issues can arise for other types of data held by the same company if they are currently stored separately on foreign cloud servers.
Issues with ICT system logs: apart from the data localization requirement, this mandate raises further compliance challenges, chiefly identifying which systems fall within its scope. The term ‘ICT‘ is not defined in the IT Act or the CERT-In Rules, and its ordinary meaning is so broad that it offers little clarity; read literally, it could cover every system in an organization that generates logs.
Privacy impact: for customers, the effect on privacy is the primary concern, since the main advantage of a VPN, anonymity, is lost once their names and allotted IP addresses are logged. The record-keeping conditions also sit uneasily with core data protection principles such as data minimization. Under Indian law, disclosure of information to the government when required by law is generally permitted; in the financial sector, for example, RBI regulations allow such disclosure under compulsion of law. Here, however, some privacy activists are questioning the vires (legal validity) of the new Directions.
Overlap with sectoral regulation: overlap between regulators is inevitable in an age of rapid technological innovation, and it is evident here as well. The MeitY norms, given the range of entities they apply to, impose overarching requirements that can reach any entity operating in the digital space today. While this is welcome for governing otherwise unregulated entities, conflicts with sectoral and other specific applicable regulations may arise, and these will need to be identified and streamlined.
VPNs are crucial to the flourishing of free speech and free access to information without fear of surveillance by the watchful eyes of authorities. The recent changes to the rules pose a threat to the privacy of netizens, which runs counter to the idea of cyber peace in cyberspace. The rules should be implemented only after their virtues and perils have been weighed.
Author – Shrey Madaan, Research Associate, Cyber Peace Foundation