India’s CERT-In must withdraw April Directions and strengthen privacy and cybersecurity

The Indian Computer Emergency Response Team (CERT-In) issued Directions on April 28, 2022, without sustained stakeholder consultation, that will weaken cybersecurity, amplify the risk of surveillance, and jeopardise the right to privacy in India. Access Now and an international coalition of organisations and individuals are urging CERT-In to immediately withdraw these Directions.

“Unchecked surveillance is a pressing concern in India — one that is severely aggravated by the new data retention mandate in CERT-In’s Directions, which impact millions of people connected in India,” said Raman Jit Singh Chima, Asia Pacific Policy Director and Senior International Counsel at Access Now. “Requiring service providers, including VPN providers, to log information that they may otherwise not collect, for five years or more, violates the right to privacy protected by the Indian Constitution. This outrageous mandate weakens cybersecurity by creating a vulnerability that can be exploited to the detriment of people’s safety.”

In addition to disproportionate data retention obligations, the Directions also impose onerous obligations with respect to reporting of cybersecurity incidents. 

“Comprehensive reporting procedures for cybersecurity incidents are crucial, but CERT-In’s mandate is impractical and incomplete,” said Namrata Maheshwari, Asia Pacific Policy Counsel at Access Now. “The six-hour timeline is too onerous and contravenes international best practices. The Directions fail to provide for timely and comprehensive reporting to the people and entities who may have been affected. There is also a lack of accountability and clarity on CERT-In’s actions to mitigate damage once CERT-In receives a report.”

The signatories to the open letter are calling on CERT-In to withdraw the Directions, and initiate a process of in-depth multi-stakeholder consultation to inform the development of any regulations aimed at strengthening cybersecurity, with the goal of enhancing privacy — without which robust cybersecurity cannot be achieved.

Read the full letter.