SFLC.in's COMMENTS ON NEW CERT-IN DIRECTION

1. Summary of existing rules

The Indian Computer Emergency Response Team (“CERT-In”) is the national agency empowered under Section 70B of the Information Technology Act, 2000 (“IT Act”) to respond to cyber security incidents in India. It has been operational since 2004. Section 70B of the IT Act empowers CERT-In to act as a national agency for collecttion, analysis and dissemination of information on cyber incidents; forecast and alerts of cyber security incidents; emergency measures for handling cyber security incidents; coordination of cyber incidents response activities; issue guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents; and other functions relating to cyber security.

The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“CERT-In Rules”) was brought into force on 16 January, 2014. In addition to the roles assigned under Section 70B of the IT Act, the CERT-In Rules further provide for the functions, responsibilities, services and operations of CERT-In. Rule 6 of the CERT-In Rules provides for the constitution of an “Advisory Committee” that advises CERT-In on policy matters and services related to cyber security. Rule 14 and 15 of the CERT-in Rules empower the authorities under CERT-In to seek information from and issue directions to service providers, intermediaries, data centres, body corporates and other persons. Rule 19 of the CERT-In Rules provides for the constitution of “Review Committee” that is empowered to review reports of non-compliance of orders issued by CERT-In and to term such non-compliance as an offence under Section 70B (7) of the IT Act. Rule 20 of the CERT-In Rules empowers the Director General of CERT-In to authorise filing of a complaint against the service providers, intermediaries, data centres, body corporates and other persons that the Review Committee has termed as non-compliant.

2. Instances in the past

The CERT-In Rules do not provide for a concrete timeline for reporting of a cyber security incident. It only makes reporting mandatory by for service providers, intermediaries, data centres and body corporates. In addition to this, it has been observed at multiple instances that CERT-In has been inactive when such incidents have taken place. For example, when there were multiple large scale data breaches involving Air India, Big Basket and Dominos there was no action taken by CERT-In. SFLC.in has provided legal assistance to Yarlagadda Kiran Chandra, General Secretary of Free Software Movement of India (“FSMI”) in a Writ Petition filed before the Hon'ble Delhi High Court, seeking issuance of directions to CERT-In for taking appropriate and necessary action and investigate the data breaches at Domino’s, MobiKwik, Air India and BigBasket. The Petition filed can be found here. In addition to this there was another data breach in the Tamil Nadu Public Distribution System where no action was taken by CERT-IN despite SFLC.in sending out a representation to CERT-In. The representation can be found here. The monthly bulletin and annual reports section which analyse previous attacks and provide information related to attacks such key factors, trends etc. is also inactive. A report on the same by Centre for Internet Society can be found here.

3. Summary of new CERT-IN direction

CERT-In on 28 April, 2022 released direction No.20(3)/2022-CERT-In (“CERT-In direction”) relating to information security practices, procedure, prevention, response and reporting of cyber incidents to CERT-In. The CERT-In direction lays down mandatory requirements that are to be complied with by service providers, intermediaries, data centers, body corporates and government organisations respect to the following:

  1. synchronization of all Information and Communication Technology (“ICT”) clocks withthe Network Time Protocol (“NTP”) Server of National Informatics Centre (“NIC”) or National Physical Laboratory (“NPL”)

  2. Reporting of cyber incidents within 6 hours providing information to CERT-In, including near real – time related to cyber incidents

  3. designating a Point of Contact to interface with CERT-In

  4. enable logs of all ICT systems for a rolling period of 180 days

  5. registration and maintenance of user details by Virtual Private Server (“VPS”), Cloud Services providers and Virtual Private Network Service (“VPN Service”) providers with CERT-In for a period of 5 years

  6. Maintenance of KYC and transactional records by virtual asset providers, virtual asset exchange providers and custodian wallet providers for a period of 5 years

The CERT-In direction further states that anyone who is not complying with the above mentioned requirements would be punished with imprisonment of upto 1 year or with fine of Rs. 1,00,000 as per Section 70B (7) of the Information Technology Act, 2000 (“IT Act”). The CERT-In direction will come into effect from 27 June, 2022.

The CERT-In direction is ultra vires of the powers and jurisdiction conferred upon CERT-In IT Act and the CERT-in Rules. The powers and jurisdiction of CERT-In as discussed earlier is limited to cyber security incidents. Rule 8 of CERT-In Rules, mandates CERT-In to function as a referral agency of cyber users for “responding to cyber security incidents” and to assist cyber users in “implementing measures to reduce the risk of cyber security”. CERT-In is overstepping its powers and jurisdiction by issuing directions in the interest of “sovereignty or integrity of India, defence of India, security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence”.

These CERT-In directions have come under heavy criticism by various civil society organisations and private players for not following the Pre Legislative Consultation Policy as mandated by the Government of India.

4. Comments on the CERT-In Directions

4.1. Virtual Private Networks

VPN is a protected network connection which uses public networks to establish an encrypted service. VPN service providers are geographically located across the world. VPNs are used to disguise online identity and encrypt internet traffic. This enables a user to use Internet in a secure manner and safeguard their data from being stolen and their identities getting tracked online. The encryption on VPNs takes place on a real time basis. VPN service providers usually also have the policy to collect only essential data of the user during the time they are subscribed to the VPN service.

Currently many providers follow a“no-log policy” on how the subscriber uses the VPN services post activation. VPN service providers currently do not ask for the details or the categories of data as being mandated by the CERT-In direction. The CERT-In direction requires the data centers, VPNs and cloud service providers to “register the following accurate information which must be maintained by them for a period of 5 years or longer duration as mandated by the law after any cancellation or withdrawal of the registration as the case may be:

a. Validated names of subscribers/customers hiring the services

b. Period of hire including dates

c. IPs allotted to / being used by the members

d. Email address and IP address and time stamp used at the time of registration / on-boarding

e. Purpose for hiring services

f. Validated address and contact numbers

g. Ownership pattern of the subscribers / customers hiring services

4.1.1 Register

It is not clear whether the term register means that the information has to be registered with the VPN service providers or if the information has to be registered with the CERT-In which would effectively mean disclosure of information to the MeitY. In case the information is disclosed to the Ministry there is no mention of any privacy policy that shall be followed by MeitY to maintain privacy of user information.

4.1.2. Article 21

In the case of Justice K.S. Puttuswamy v. Union of India (2017) 10 SCC 1 (“Puttaswamy II”) the Hon’ble Supreme Court held that the right to privacy was recognised as a right under Article 21 of the Constitution of India that laid down the four pronged test for determining the proportionality of a restriction on the said right. The CERT-In direction which seeks to gather and store user data is a restriction on right to privacy. Further, the CERT-In direction essentially takes away the privacy which VPNs provide for its users while accessing internet. The heavy compliance and restriction imposed are by the CERT-In direction fails the proportionality test laid down by the Hon’ble Supreme Court under Puttaswamy II.

The test lays down that (I) there must be a law; (ii) the law must aim to achieve a legitimate state goal; (iii) there must be a nexus between the goal to be achieved and the restriction and (iv) the restriction must be the least restrictive alternative. The CERT-In direction is not the least restrictive alternative as the information that is required to be stored is wide reaching and not purposes specific to cyber security incidents that take place. In case, all the information has to be registered with the MeitY, then too it can be challenged on the ground that the CERT-In must ask for information only when an incident takes place on a case to case basis and not on a real time basis.

4.1.3. Article 19 (1) (a)

As held in Hon’ble Supreme Court under the PUCL v Union of India (1997) 1 SCC 301, each citizen under the right to freedom of speech and expression also has the right to communicate privately. VPNs provide that platform to citizens to communicate privately by maintaining anonymity. A disproportionate restriction on this right, as discussed above, will be ultra vires of Art. 19(1)(a) of the Constitution of India.

Furthermore, the CERT-In direction can also add a regulatory burden causing an increase in cost for data service providers, VPNs and cloud service provider. The 5 year long data retention period is a heavy burden for a small scale VPN service provider. This includes storage costs and security costs among other things. In absence of a data protection law, security of the personal data of lakhs of users is at risk. The fundamental right to privacy as enshrined in under Puttaswamy II also envisions purpose limitation of data. Storing this data for a period of 5 years will disregard the principle of purpose limitation as well. In addition to this, the direction further goes against the principle of “data minimisation”. The principle of data minimisation is laid down under the Statement of Object and Reasons of the Personal Data Protection Bill, 2019. In absence of a data protection law and adequate safeguards to protect the personal data of individuals such a massive data collection can be a major risk.

4.2. Cloud Service Provider and Data Centers

A data center can be owned by a single entity and an owner of the data center can use it to fuilfil different requirements such as site hosting, cloud services, running computations etc. In the present scenario, Data Centers do not obtain information of the client’s activities on the server. It is assumed that the purpose of server keeps changing over a period of time. A VPN provider is similar to a data center. They might have a number of servers located in different geographical locations at a given time. They might also have a number of virtual servers which undisclosed locations. A client at times has the autonomy to choose a preferred location.

In the given CERT-In direction, the definition of a Cloud Service Provider suffers from some ambiguity. There is no classification based on size of the Cloud Service Provider. A small cloud service provider has to follow the same set of rules that a large scale Cloud Service Provider has to follow. This will greatly increase the regulatory burden on Small Scale Cloud Service Providers.

4.3. Network Time Protocol

The role of Network Time Protocol (“NTP”) is intended to synchronize all subscribing computers to within a few milliseconds of Coordinated Universal Time (UTC) by querying a master server for the current time and then resetting its own local clock to match. NTP utilizes specific algorithms to effectively coordinate time between hosting time servers and adjust local time calibrations with variables like network latency.

The CERT-In direction requires entities to connect to NTP to synchronise all ICT system clocks. Tracing of internet packets sometimes gets difficult due to extra milliseconds errors. And since many organisations have systems running on multiple jurisdictions, this error tends to increase. By mandating connection of all ICT system clocks in India to NTP for synchronisation would essentially lead to better tracing of internet packets due to the shaving off of the extra milliseconds error.

4.4 Reporting of cyber security incidents within 6 hours

The CERT-In direction provides a list of 20 cyber security incidents that are to be mandatorily reported to CERT-In within 6 hours of noticing such incidents or being brought to notice of service providers, intermediaries, data centres, body corporates and government organisations.

4.4.1. Cyber Security Incidents

Annexure to the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Function and Duties ) Rules, 2013 (“CERT-In Rules, 2013”) as notified on 16 January, 2014 originally constituted of 10 cyber security incidents that were to be mandatorily reported to CERT-In under Rule 12 (1) (a) of the CERT-In Rules, 2013. The CERT-In direction has expanded the list by adding another 10 cyber security incidents to the Annexure.

The CERT-In direction expands the list of cyber security incidents from data breaches, data leaks, fake mobile apps to attacks or malicious/ suspicious activities affecting different systems/ servers/ software/ application related to different emerging technologies. However, the categorisation of the cyber security incidents are not specific and are extremely broad in nature. There is lack of clarity on the threshold, severity and scale of the incidents that are to be reported to CERT-In.

4.4.2. 6 hour reporting period

The 6 hour reporting period is extremely short and unrealistic in nature. The 6 hour reporting period further goes against the recommendations of the Joint parliamentary Committee in it’s report (“JPC Report”) on the Personal Data Bill, 2019 (“PDP”). Clause 2.111 of the JPC Report recommends that the data fiduciaries must report any breach in personal data to the Data Protection Authority (“DPA”) within a period of 72 hours. The JPC Report further notes that a 72 hour reporting period would be “realistic and finite”.

CERT-In direction further fails to take into account the severity and scale of the incident along with the size of entities and their capacity to respond to the incident. This lack of grading of severity and scale of the cyber security incidents coupled with unrealistic reporting period would ultimately result in placing unrealistic compliance standards on all entities. It is therefore recommended that the definitions of the cyber security incidents are well defined and that the reporting period be changed to 72 hours from 6 hours.

4.5. Point of contact

The CERT-In direction mandates that every entity designate Point of Contact (“PoC”) to interface with CERT-In for all communications, from seeking information to providing directions for compliance. However, the CERT-In direction is very ambiguous in nature. The CERT-In direction further fails to specify if the PoC to be designated is to be from within the entity itself or it can be outsourced to a third party. Since the nature of the data that the PoC would be dealing with would be extremely sensitive and confidential in nature, it is suggested that the CERT-In direction lay down specific criteria of PoC to be designated.

4.6. Maintenance of logs for 180 days

Maintenance of logs for a period of 180 days is critical for any entity. Logs usually include data with respect to timestamp, user information and the event information. Every component in a network generates a different type of data and each component collects that data in its own log. Based on the type of data collected, logs can be classified as event logs, server logs, system logs, authorisation logs, access logs, security logs, resource logs etc. Each log has it’s own volume. Log volume is one of the most critical factor as it is directly related to infrastructure. The amount of log volume that is to be maintained has a direct impact on data retention policy, report/search performance, aggregation performance and correlation performance. Maintenance of logs helps in resolution and prevention of cyber attacks and data breaches by identifying patterns quickly. However, on the other hand, placing a blanket requirement for maintenance of logs would have a high impact on the user privacy and an additional burden of cost and infrastructure on the service provider.

The CERT-In direction fails to define the kind of logs that is to be maintained by the entities. In addition to the lack of clarity, the CERT-In direction further fails to take into account the infrastructural costs and requirements for maintenance of logs. Maintenance of logs further requires high security practices in addition to infrastructure. Placing a blanket requirement for maintenance of logs could essentially result in service providers pulling out of the market.

The CERT-In direction requires different entities to register, maintain, report and retain voluminous amount of data for prolonged periods of time ranging from 180 days to 5 years or more. The CERT-In direction in its entirety goes against the concepts “purpose limitation, storage limitation and the data minimisation” as laid down under the Statement of Object and Reasons of the Personal Data Protection Bill, 2019.

4.7. KYC

The CERT-In direction requires virtual asset service providers, virtual asset exchange providers, and custodian wallet providers to maintain all information obtained as part of Know Your Customer (“KYC”) processes and financial transaction records for a period of 5 years. Currently, there is no legislation, guideline, rule or regulation passed by the Ministry of Finance or any competent authority that lays down the definition of “virtual asset service providers”, “virtual asset exchange providers” or “custodian wallet providers”. Even the most recently passed Finance Act, 2022 only defines the term “virtual digital asset” and is silent on the above mentioned definitions.

The object of the CERT-In direction is stated to be inter-alia to prevent incitement to commission of any cognizable offence using computer resource or handling of any cyber incident. However, mandating maintenance on records, for a prolonged period of 5 years without having a clear definition of the these entities coupled with the absence of stringent data protection law adverse consequences with respect to the personal and non personal data of the users.

4.8. Broad and vague terms

The CERT-In direction uses a number of broad and vague terms that lack clarity and definition under law. The CERT-In direction lays down mandates on different entities such as “cloud service providers”, “virtual asset service providers”, “virtual asset exchange providers”, “custodian wallet providers” but fails to provide clarity and definition of who are the entities that would fall under the said categories. The CERT-In direction lacks legal coherence since it tries to impose mandates and compliance on entities for which there is no clear definition that can be found in the current law and neither are there any codified objective parameters.

The CERT-In direction further places blanket mandates of “all service providers, intermediaries, data centers, body corporate and government organisation” without having any threshold criteria with respect to the institutional structure and size of the entities or number of users or the volume of data. Placing heavy data retention and compliance requirement would adversely affect the data of users. User data in smaller entities is vulnerable to be exposed to data theft and data breaches when compared to larger entities. Placing heavy data retention and compliance requirements on such broad terms would result in small entities moving out of the market.

5. Conclusion

The CERT-In direction is broad, vague and can cause a detrimental impact on the privacy of users. The COVID-19 pandemic has increased the use of VPNs. As per the Global VPN Adoption Index maintained by AtlasVPN there are approximately 270 million users in India. Before the Pandemic only 3.28% of users had opted for VPNs as compared to the current 20% users. Individuals are far more concerned about their privacy than they ever work. There have been statements from various VPN providers such as Nord VPN and Express VPN that compiling with these regulations is going to be difficult for them. Indian citizens have a fundamental right to privacy and these guidelines work against that.