A group of more than 20 cybersecurity experts and technologists has expressed concern over the cybersecurity directions issued by the Ministry of Electronics and Information Technology (MeitY), as per a letter viewed by MediaNama.
“The Directions, as they stand, will have the unintended consequence of weakening cyber security, and its crucial component, online privacy,” read the letter.
Why it matters: The cybersecurity directions issued by the government give the state sweeping access to data that may impact the privacy of Indians online. The letter is notable because it highlighted the adverse impact of the directions and the likely outcomes if these directions are implemented.
What did the letter demand: The letter urged the ministry to “defer” the implementation of the guidelines. The deadline, for certain sectors, had been extended to September 25, 2022 at the time of writing this piece.
- The experts implored the government to initiate an “in-depth public consultation” and “modify” the guidelines with inputs from all stakeholders.
Why did the group complain: The letter acknowledged the need for a robust framework to govern the reporting of cyber incidents but did not support the framework proposed in the directions.
- The experts argued that the reporting timelines and excessive data retention mandates prescribed in the directions will have “negative implications in practice” and impede “effectiveness while endangering online privacy and security”.
Recent consultation was insufficient: A consultation was held recently with invitations sent out to a handful of stakeholders picked by the government.
- “However, we do not believe this to be sufficient, and the public, including the complete range of stakeholders and experts, must be given an opportunity to submit feedback,” read the letter.
- The signatories said that it was crucial for CERT-In and MeitY to ensure that the regulations “advance systemic and user-centric approaches to cybersecurity, focusing on effective cyber incident response”.
- They reminded the state that the guidelines should be in line with the “specific, limited rulemaking power” enjoyed by CERT-In under the Information Technology Act, 2000.
Who signed the letter: The document was signed by the following people—
- Adam Shostack, Author, Threat Modeling: Designing for Security
- Adebunmi Adeola Akinbo, CEO, DNS Africa Media and Communications
- Dr. Brian Haberman, Johns Hopkins University & Internet Society Board of Trustees
- Charles Mok, Member of Board of Trustees, Internet Society
- Christian Dawson, Executive Director, VPN Trust Initiative
- Georgia Bullen, Executive Director, Simply Secure
- Gytis Malinauskas, Head of Legal, Surfshark
- Jorge Pinto, Cybersecurity Professional, Portugal
- Joseph Lorenzo Hall, Distinguished Technologist, Internet Society
- Jyoti Panday, Internet Governance Project, Georgia Institute of Technology
- Kailash Nadh, CTO, Zerodha
- Prof. Kapil Goyal, Academic Member, Global Encryption Coalition
- Karen O’Donoghue, Director, Internet Trust and Technology, Internet Society
- Keith Robert Fernández, ISOC president Peru Chapter
- L. Jean Camp, Professor at the School of Informatics and Computing, Indiana University
- Mallory Knodel, Chief Technology Officer, Centre for Democracy & Technology
- Moses Owiny, Centre for Multilateral Affairs (CfMA), Uganda
- Prasanth Sugathan, Legal Director, SFLC.in
- Prateek Waghre, Internet Freedom Foundation
- Raman Jit Singh Chima, Senior International Counsel & Global Cybersecurity Lead, Access Now
- Dr. Stephen Farrell, School of Computer Science and Statistics, Trinity College Dublin, Ireland
- Tarah Wheeler, International Security Fellow, New America
- Access Now
What are the cybersecurity directions: The directions were issued in April and mandated that companies will have to report cyber incidents to CERT-In within six hours.
- Virtual asset service providers, virtual asset exchange providers and custodian wallet providers should mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for a period of five years.
- A range of entities, including data centres, virtual private server (VPS) providers, cloud service providers and Virtual Private Network Service (VPN Service) providers, are required to register and maintain accurate information about customers and subscribers for a period of 5 years or longer.
- Companies must mandatorily enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days and the same should be maintained within the Indian jurisdiction.
- The directions have already been criticised by multiple industry bodies, tech companies, and cybersecurity experts, and have resulted in two VPN providers shutting down their servers in the country.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.