
Why is there a need for fresh consultation on India’s cybersecurity directions?

A group of cybersecurity experts criticised India’s cybersecurity directions in a letter warning that they weaken privacy.

A group of more than 20 cybersecurity experts and technologists have expressed their concern over the cybersecurity directions issued by the Ministry of Electronics and Information Technology (MeitY), as per a letter viewed by Medianama.

“The Directions, as they stand, will have the unintended consequence of weakening cyber security, and its crucial component, online privacy,” read the letter.

Why it matters: The cybersecurity directions issued by the government give the state sweeping access to data that may impact the privacy of Indians online. The letter is notable because it highlighted the adverse impact of the directions and the likely outcomes if these directions are implemented.

What did the letter demand: The letter urged the ministry to “defer” the implementation of the guidelines. The deadline, for certain sectors, has been extended to September 25, 2022 as of writing this piece.

  • The experts implored the government to initiate an “in-depth public consultation” and “modify” the guidelines with inputs from all stakeholders.

Why did the group complain: The letter acknowledged the need for a robust framework to govern the reporting of cyber incidents but did not support the framework proposed in the directions.

  • The experts argued that the reporting timelines and excessive data retention mandates prescribed in the directions will have “negative implications in practice” and impede “effectiveness while endangering online privacy and security”.


Recent consultation was insufficient: A consultation was held recently with invitations sent out to a handful of stakeholders picked by the government.

  • “However, we do not believe this to be sufficient, and the public, including the complete range of stakeholders and experts, must be given an opportunity to submit feedback,” read the letter.
  • The signatories said that it was crucial for CERT-In and MeitY to ensure that the regulations “advance systemic and user-centric approaches to cybersecurity, focusing on effective cyber incident response”.
  • They reminded the state that the guidelines should be in line with the “specific, limited rulemaking power” enjoyed by CERT-In under the Information Technology Act, 2000.

Who signed the letter: The document was signed by the following people—

  • Adam Shostack, Author, Threat Modeling: Designing for Security
  • Adebunmi Adeola Akinbo, CEO, DNS Africa Media and Communications
  • Dr. Brian Haberman, Johns Hopkins University & Internet Society Board of Trustees
  • Charles Mok, Member of Board of Trustees, Internet Society
  • Christian Dawson, Executive Director, VPN Trust Initiative
  • Georgia Bullen, Executive Director, Simply Secure
  • Gytis Malinauskas, Head of Legal, Surfshark
  • Jorge Pinto, Cybersecurity Professional, Portugal
  • Joseph Lorenzo Hall, Distinguished Technologist, Internet Society
  • Jyoti Panday, Internet Governance Project, Georgia Institute of Technology
  • Kailash Nadh, CTO, Zerodha
  • Prof. Kapil Goyal, Academic Member, Global Encryption Coalition
  • Karen O’Donoghue, Director, Internet Trust and Technology, Internet Society
  • Keith Robert Fernández, ISOC president Peru Chapter
  • L. Jean Camp, Professor at the School of Informatics and Computing at Indiana University
  • Mallory Knodel, Chief Technology Officer, Centre for Democracy & Technology
  • Moses Owiny, Centre for Multilateral Affairs (CfMA), Uganda
  • Prasanth Sugathan, Legal Director, SFLC.in
  • Prateek Waghre, Internet Freedom Foundation
  • Raman Jit Singh Chima, Senior International Counsel & Global Cybersecurity Lead, Access Now
  • Dr. Stephen Farrell, School of Computer Science and Statistics, Trinity College Dublin, Ireland
  • Tarah Wheeler, International Security Fellow, New America
  • Access Now

What are the cybersecurity directions: The directions were issued in April and mandated that companies will have to report cyber incidents to CERT-In within six hours.

  • Virtual asset service providers, virtual asset exchange providers and custodian wallet providers should mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for a period of five years.
  • Entities such as data centres, virtual private server (VPS) providers, cloud service providers and Virtual Private Network Service (VPN Service) providers are required to register the following accurate information about customers and subscribers for a period of 5 years or longer.
  • Companies must mandatorily enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days and the same should be maintained within the Indian jurisdiction.
  • The directions have already been criticized by multiple industry bodies, tech companies, and cybersecurity experts, and have resulted in two VPN providers shutting down their servers in the country.

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.


MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
