“Increased transparency, more engagement with technology service providers, international agreements, more focus on fundamental rights, and finally, narrowly targeted requests [by law enforcement agencies],” Venkatesh Krishnamoorthy, from BSA-The Software Alliance, listed out his wish-list when asked about what are his expectations from the Digital India Act at MediaNama’s MarketsNama conference on May 19, 2023.
Krishnamoorthy was speaking as a panelist for the fourth session, which focused on interactions between law enforcement agencies and companies or service providers in the context of cybercrime and cybersecurity. As the panelists debated on the challenges that companies face when they have to meet data-requirement requests of law enforcement agencies, they also touched upon what the upcoming Digital India Act (DIA) must cover to improve cooperation between the two parties when it comes to the investigation of crimes.
In addition to specifically addressing the abovementioned matter, panelists and other speakers briefly listed some of their expectations from the DIA towards the end of the session. Here’s a quick roundup of the key points:
- Emerging tech and definition of harm:
Panelist Atul Kumar, from the Data Security Council of India, talked about the evolving definition of harm alongside emerging technologies. He states that the harm or damage is not just limited to users but can also include entities, communities, enterprises, etc., and with newer technological developments, defining harm will get trickier. Kumar is of the view that there is a need to qualify the technological aspect when defining harms and cybercrimes in future legislation.
MediaNama hosted this discussion with support from Salesforce, Google and Mozilla. Internet Freedom Foundation, and our community partners, the Centre for Internet and Society and Alliance of Digital India Foundation.
FREE READ of the day by MediaNama: Click here to sign-up for our daily newsletter with the top story of the day delivered daily before 9 AM in your inbox.
- Non-criminalising cyber-enabled crimes:
Panelist Sukanya Thapliyal, Project Officer at the Centre for Communications Governance, believes that speech-based offences must not be criminalised. She adds that criminalising cyber-enabled crimes can cause more harm and that the government must look for “milder ways” to tackle them in the Digital India Act.
- Addressing cybercrimes against women and children:
Thapliyal also pointed out that crimes against women, children, LGBTQ groups and other minorities need attention and stated that India needs to delve deeper when it comes to provisions dealing with such crimes. “We can think about criminalising even non-monetarily motivated crimes against women, or in terms of how children are interacting with technology and what kind of harms are emanating from them,” she added.
- Categorization of timelines:
MediaNama Editor Nikhil Pahwa asked about the uncertainties about timelines set for addressing data requests of law enforcement agencies. As an example, he referred to the Cert-In cybersecurity directions issued in 2022 that require service providers, data centres, and others to report cyber incidents within 6 hours of noticing such incidents or being brought to notice about such incidents. Krishnamoorthy noted that there needs to be a difference in the timelines depending on the information requested and the risks related to harm. He adds that the Digital India Act must include guidelines on this to enable companies to respond effectively to such incidents.
Emphasising the need to categorise data requests for a given time frame, Kumar added that since the Cert-In directions are horizontal and applicable for every company, irrespective of the company size, there is a need to build “reasonable security practices and procedures”. This will help the company, based on the nature and the domain, to be ready with the required data and information. “I may not say codify in the law itself, but in one way or other, it should be there in the procedure,” Kumar added.
- On regulation by FAQs:
Vivek Abraham, an attendee at the event, shed light on procedural gaps between what’s written on paper and how entities operate in real life. Abraham was referring to the Cert-In cybersecurity directions and stated that during several meetings and discussions, they were assured about certain aspects of the directions and “inferences” were drawn on how they must be operating. While companies may be operating as per these confirmations, Abraham states that customers and other regulators are going by the initial directions layout.
“…today in the Cert-In framework that we are operating in, there is something that’s written on paper. There’s FAQs. There’s a lot of discussions and meetings from which we’ve got inferences and we’ve got comfort on how we can operate. But we are operating at the inference and the confirmations and everything at that level. But a lot of people, including our customers, other sector regulators, are going by what is there in the initial directions. I would love it if the government can put all the understandings and meetings and inferences put together in the official document so that it’s much easier for us to operate according to what is realistic,” Vivek explained.
In addition, Abraham pointed out that a lot of these discussions went beyond the scope of concerns covered by the FAQs on Cert-In directions that the IT Ministry released last year. The speaker’s wish list mainly includes an official document published by the government, which would collate all the inferences from these meetings and “informal briefings” and would enable companies to operate as per realistic practices.
“I think we are at a place where everybody understands there’s a lot of wink-wink, nudge-nudge going on. We understand that the directions are basically unimplementable. But it’s okay, as long as we are able to show good intent and we are working hard to meet the standard, people are okay with it,” he adds.
Note: This article’s headline was updated on May 29th, 2023, at 2:55 pm to improve clarity.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
Also Read:
What Are India’s Focus Areas In Its Proposals At The UN Cybercrime Convention? #NAMA
What Are The Problems That Companies Face When Law Enforcement Agencies Demand For Data? #NAMA
