Why is there a need for fresh consultation on India’s cybersecurity directions?

A group of cybersecurity experts criticised India’s cybersecurity directions in a letter warning that they weaken privacy.

A group of more than 20 cybersecurity experts and technologists have expressed their concern over the cybersecurity directions issued by the Ministry of Electronics and Information Technology (MeitY), as per a letter viewed by Medianama.

“The Directions, as they stand, will have the unintended consequence of weakening cyber security, and its crucial component, online privacy,” read the letter.

Why it matters: The cybersecurity directions issued by the government give the state sweeping access to data that may impact the privacy of Indians online. The letter is notable because it highlighted the adverse impact of the directions and the likely outcomes if these directions are implemented.

What did the letter demand: The letter urged the ministry to “defer” the implementation of the guidelines. The deadline, for certain sectors, has been extended to September 25, 2022 as of writing this piece.

  • The experts implored the government to initiate an “in-depth public consultation” and “modify” the guidelines with inputs from all stakeholders.

Why did the group complain: The letter acknowledged the need for a robust framework to govern the reporting of cyber incidents but did not support the framework proposed in the directions.

  • The experts argued that the reporting timelines and excessive data retention mandates prescribed in the directions will have “negative implications in practice” and impede “effectiveness while endangering online privacy and security”.

Recent consultation was insufficient: A consultation was held recently with invitations sent out to a handful of stakeholders picked by the government.

  • “However, we do not believe this to be sufficient, and the public, including the complete range of stakeholders and experts, must be given an opportunity to submit feedback,” read the letter.
  • The signatories said that it was crucial for CERT-In and MeitY to ensure that the regulations “advance systemic and user-centric approaches to cybersecurity, focusing on effective cyber incident response”.
  • They reminded the state that the guidelines should be in line with the “specific, limited rulemaking power” enjoyed by CERT-In under the Information Technology Act, 2000.

Who signed the letter: The document was signed by the following people—

  • Adam Shostack, Author, Threat Modeling: Designing for Security
  • Adebunmi Adeola Akinbo, CEO, DNS Africa Media and Communications
  • Dr. Brian Haberman, Johns Hopkins University & Internet Society Board of Trustees
  • Charles Mok, Member of Board of Trustees, Internet Society
  • Christian Dawson, Executive Director, VPN Trust Initiative
  • Georgia Bullen, Executive Director, Simply Secure
  • Gytis Malinauskas, Head of Legal, Surfshark
  • Jorge Pinto, Cybersecurity Professional, Portugal
  • Joseph Lorenzo Hall, Distinguished Technologist, Internet Society
  • Jyoti Panday, Internet Governance Project, Georgia Institute of Technology
  • Kailash Nadh, CTO, Zerodha
  • Prof. Kapil Goyal, Academic Member, Global Encryption Coalition
  • Karen O’Donoghue, Director, Internet Trust and Technology, Internet Society
  • Keith Robert Fernández, ISOC president Peru Chapter
  • L. Jean Camp, Professor at the School of Informatics and Computing at Indiana University
  • Mallory Knodel, Chief Technology Officer, Centre for Democracy & Technology
  • Moses Owiny, Centre for Multilateral Affairs (CfMA), Uganda
  • Prasanth Sugathan, Legal Director, SFLC.in
  • Prateek Waghre, Internet Freedom Foundation
  • Raman Jit Singh Chima, Senior International Counsel & Global Cybersecurity Lead, Access Now
  • Dr. Stephen Farrell, School of Computer Science and Statistics, Trinity College Dublin, Ireland
  • Tarah Wheeler, International Security Fellow, New America
  • Access Now

What are the cybersecurity directions: The directions were issued in April and mandated that companies will have to report cyber incidents to CERT-In within six hours.

  • Virtual asset service providers, virtual asset exchange providers and custodian wallet providers should mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for a period of five years.
  • A bunch of entities like data centres, virtual private server (VPS) providers, cloud service providers and Virtual Private Network Service (VPN Service) providers are required to register the following accurate information about customers and subscribers for a period of 5 years or longer.
  • Companies must mandatorily enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days and the same should be maintained within the Indian jurisdiction.
  • The directions have already been criticized by multiple industry bodies, tech companies, and cybersecurity experts, and have resulted in two VPN providers shutting down their servers in the country.

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
