
Why is there a need for fresh consultation on India’s cybersecurity directions?

A group of cybersecurity experts criticised India’s cybersecurity directions in a letter warning that they weaken privacy.

A group of more than 20 cybersecurity experts and technologists has expressed concern over the cybersecurity directions issued by the Ministry of Electronics and Information Technology (MeitY), according to a letter viewed by MediaNama.

“The Directions, as they stand, will have the unintended consequence of weakening cyber security, and its crucial component, online privacy,” read the letter.

Why it matters: The cybersecurity directions issued by the government give the state sweeping access to data that may impact the privacy of Indians online. The letter is notable because it highlighted the adverse impact of the directions and the likely outcomes if these directions are implemented.

What did the letter demand: The letter urged the ministry to “defer” the implementation of the guidelines. The deadline, for certain sectors, has been extended to September 25, 2022 as of writing this piece.

  • The experts implored the government to initiate an “in-depth public consultation” and “modify” the guidelines with inputs from all stakeholders.

Why did the group complain: The letter acknowledged the need for a robust framework to govern the reporting of cyber incidents but did not support the framework proposed in the directions.

  • The experts argued that the reporting timelines and excessive data retention mandates prescribed in the directions will have “negative implications in practice” and impede “effectiveness while endangering online privacy and security”.


Recent consultation was insufficient: A consultation was held recently with invitations sent out to a handful of stakeholders picked by the government.

  • “However, we do not believe this to be sufficient, and the public, including the complete range of stakeholders and experts, must be given an opportunity to submit feedback,” read the letter.
  • The signatories said that it was crucial for CERT-In and MeitY to ensure that the regulations “advance systemic and user-centric approaches to cybersecurity, focusing on effective cyber incident response”.
  • They reminded the state that the guidelines should be in line with the “specific, limited rulemaking power” enjoyed by CERT-In under the Information Technology Act, 2000.

Who signed the letter: The document was signed by the following people—

  • Adam Shostack, Author, Threat Modeling: Designing for Security
  • Adebunmi Adeola Akinbo, CEO, DNS Africa Media and Communications
  • Dr. Brian Haberman, Johns Hopkins University & Internet Society Board of Trustees
  • Charles Mok, Member of Board of Trustees, Internet Society
  • Christian Dawson, Executive Director, VPN Trust Initiative
  • Georgia Bullen, Executive Director, Simply Secure
  • Gytis Malinauskas, Head of Legal, Surfshark
  • Jorge Pinto, Cybersecurity Professional, Portugal
  • Joseph Lorenzo Hall, Distinguished Technologist, Internet Society
  • Jyoti Panday, Internet Governance Project, Georgia Institute of Technology
  • Kailash Nadh, CTO, Zerodha
  • Prof. Kapil Goyal, Academic Member, Global Encryption Coalition
  • Karen O’Donoghue, Director, Internet Trust and Technology, Internet Society
  • Keith Robert Fernández, ISOC president Peru Chapter
  • L. Jean Camp, Professor at the School of Informatics and Computing at Indiana University
  • Mallory Knodel, Chief Technology Officer, Centre for Democracy & Technology
  • Moses Owiny, Centre for Multilateral Affairs (CfMA), Uganda
  • Prasanth Sugathan, Legal Director, SFLC.in
  • Prateek Waghre, Internet Freedom Foundation
  • Raman Jit Singh Chima, Senior International Counsel & Global Cybersecurity Lead, Access Now
  • Dr. Stephen Farrell, School of Computer Science and Statistics, Trinity College Dublin, Ireland
  • Tarah Wheeler, International Security Fellow, New America
  • Access Now

What are the cybersecurity directions: The directions, issued in April, mandate that companies report cyber incidents to CERT-In within six hours.

  • Virtual asset service providers, virtual asset exchange providers and custodian wallet providers should mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for a period of five years.
  • Entities such as data centres, virtual private server (VPS) providers, cloud service providers and Virtual Private Network Service (VPN Service) providers are required to register accurate information about customers and subscribers for a period of 5 years or longer.
  • Companies must mandatorily enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days and the same should be maintained within the Indian jurisdiction.
  • The directions have already been criticised by multiple industry bodies, tech companies, and cybersecurity experts, and have resulted in two VPN providers shutting down their servers in the country.

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.


MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
