Privacy depends on cybersecurity — why government must rethink the new rules 

While increasing surveillance, the directions issued by CERT-In present few, if any, benefits for security of the state or individuals

If you had to choose between privacy and security, which would you prefer? While the answer may lean towards security for many, imagine losing out on both. This is likely to be the fallout of directions issued by the Indian Computer Emergency Response Team (CERT-In) on April 28, 2022. 

Let’s first cover the basics. CERT-In is a body established under the Information Technology Act, 2000 tasked with the broad mandate of “securing Indian cyberspace”, and reports to the Ministry of Electronics and IT (MEITY). With ubiquitous digitisation, cyber security has gained prominence in recent years. For instance, as per a parliamentary response CERT-In reported an almost nine-fold increase over six years to a total of 48,285 cyber security incidents related to government authorities. It mirrors the experience of users and the private sector who feel unsafe with their personal data being routinely breached, often leading to cyber crime. As per the Crime In India report in 2020, there has been an almost 12% rise  in cyber crimes, with the large majority clustered in the categories of fraud, sexual exploitation and extortion. These are serious consequences for national and user security that increase the importance of CERT-In’s mission.

Woefully, the directions issued by CERT-In, while increasing surveillance, present few, if any, benefits for security of the state or individuals. These directions go into effect on June 27, 2022, and have six operative provisions whose violation carries a one-year term of imprisonment. While much of the concern has arisen from users of Virtual Private Networks (VPNs), the directions go much further. 

Let us deal with each direction individually, starting with the requirement for all service providers to connect their system clocks to the network time protocol servers of the government. On the face of it, this is a welcome move, as all computer systems contain logs which require verifiable timestamps. However, by linking them to government servers, security experts have observed that it creates a single point of failure and increases the attack surface for a supply chain attack. 

The second direction requires all service providers to inform CERT-In whenever any “cyber incidents” occur, within six hours of gaining knowledge. This is again another direction which is positive at first glance, as it indicates that the government will now need to be informed any time there is a data breach rather than the information being tucked away in a corporation’s black box. However, there are core deficiencies which undermine the positives. One, “cyber incident” is not properly defined and makes reference to vague categories such as “fake mobile apps”. Even routine events such as “unauthorized access to social media accounts” will need to be reported. This will not only increase the reporting burden of system administrators, but flood CERT-In with notifications beyond their response capacity. Furthermore, there is no obligation on CERT-In to inform users who are ultimately at risk. There is no mention of what actions CERT-In must take and how its actions will be publicly disclosed. Reporting “cyber incidents” is also an incomplete measure, given there is no provision for penalties and fines on the public or private sector. 

The third direction enhances the power of CERT-In to seek information from service providers by extending them to “protective and preventive actions”. Again, there is little transparency on how CERT-In will exercise this power which now includes seeking “real time” information that could be used for the purpose of surveillance. Quite simply, CERT-In can direct any system provider even without a security incident occurring, with little oversight, and seek any data. Such surveillance fears become obvious when we look at the next two directions. 

Imagine that each online service provider will now maintain and store logs of all your online activity for 180 days and store them within India. This is not all — some, including data centres and VPNs, will be required to mandatorily register users. These two directions have gathered the bulk of public criticism from many users of VPNs. VPNs provide a tunnel for online activity in which a user first plugs into a VPN server that in turn fetches information from the Internet. Hence, all it shows to an Internet service provider such as Airtel or Jio, or even the websites a user visits, is the connection and address of the VPN server. This permits accessing blocked content, geolocating to another country or also, as claimed, surfing the Internet without logging. While the privacy claims of VPN providers are contentious, according to the Freedom of the Press Foundation if chosen well they “offer key security benefits to your workflow”. All of this will be a thing of the past with the mandate to store logs, that will essentially mean that whether you are a VPN user or not, each service provider will be required to collect and store more personal data of users. This may result in zero knowledge services such as messaging applications like Signal or secure browsing technologies like Tor being blocked in India. In addition to this, providers will now need to mandatorily register users on seven data points like a bank’s KYC process and store it for five years. This is a tremendous expansion in data collection which will match a person’s online activity with their real world identity.