Perverted priorities

CERT-In has shown more interest in collecting data and imposing restrictions on businesses than warding off cyber-attacks, writes Software Freedom Law Centre’s Mishi Choudhary

The government and its relationship with the privacy of citizens has always been disproportional. The state operates as if these were still colonial times, and every attempt to make its work transparent is met with hostility. However, the state machinery feels entitled to spy upon citizens for reasons even beyond the limits of law. This behaviour has been political party-agnostic in India. When in power, every political party has used the “security of state” to impede on citizens’ privacy and liberty. A new minister of state with a technological background was supposed to inject rationality for business and rights, but all we see is the same acidic vinegar being sold as wine.

Each country has an agency called the CERT (computer emergency response team) or something similar to do exactly what the name suggests. The agencies co-ordinate with one another and are expected to fulfil the role of firefighters in cyberspace. They collect information on cyber incidents and co-ordinate responses to enhance security and resilience. In India, this power is given to CERT-In, which has been operational since 2004 and operates under the Ministry of Electronics and Information Technology (MEITY) through section 70B of the Information Technology Act, 2000 (IT Act).

Generally, the CERT-In has been pretty laid back in its approach to data breaches. In fact, our organisation, SFLC.in, represented a concerned citizen in Delhi High Court to ask them to do their job by taking action against Domino’s, MobiKwik, Air India, BigBasket and Tamil Nadu Public Distribution System. The monthly bulletin and annual reports section of the CERT-In’s website, which analyses previous attacks and provides information related to them such as key factors, trends, etc., has also been inactive. But when an opportunity to collect data about users and impose restrictions on businesses arises, the CERT-In immediately springs into action.

IGNORING THE RIGHT TO PRIVACY

On 28 April, the CERT-In released directions relating to information security practices, procedures, prevention, response and reporting of cyber incidents. Non-compliance with the rules would be punished with imprisonment of up to one year or a fine of INR100,000 (USD1,270). The new rules require reporting of cyber incidents within six hours, designating a point of contact to interface with the CERT-In.

But most importantly, the rules require registration and maintenance of user details by cloud services, virtual private server (VPS) and virtual private network (VPN) service providers with the CERT-In for a period of five years, and maintenance of KYC (know your customer) and transactional records by virtual asset providers, virtual asset exchange providers and custodian wallet providers for a period of five years. As per the parent act, the CERT-In has no power to do this. Instead, under the guise of security, this is an attack on citizens’ rights to privacy.

A VPN is a protected network connection used to disguise online identity and encrypt internet traffic. This enables a user to browse the internet securely and safeguard their data from being stolen, and their identities getting tracked online. It’s because of these VPNs that one is able to work from home and log into work networks securely. In addition, dissidents and human rights activists can co-ordinate their work, and regular people can surf the web in a safe manner.

HEADING TOWARDS THE DOOR

Not only are these directions cumbersome and against the very nature of businesses that offer VPNs, they also run afoul of the four-part test laid down by the Supreme Court in the case of Justice KS Puttaswamy v Union of India. The CERT-In direction, which seeks to gather and store user data, is a restriction on right to privacy. It is also not the least restrictive alternative and goes against the principle of “data minimisation” as mentioned by the court.

Several digital rights organisations have expressed their concerns about these directions to the MEITY. Many VPN providers, including ExpressVPN and Surfshark, have decided to pull out of India by removing their India-based VPN servers. Trade associations like the Business Software Alliance has also cautioned that commercial operations, R&D and investment in India would be affected.

For a long time, we have been crying hoarse about the fact that Indian laws, policies and practices with respect to surveillance are not in conformity with international human rights law. Unlike other democracies, state surveillance of citizens’ private communications in India has no parliamentary or judicial oversight and suffers from opacity. Despite revelations like the Pegasus spying scandal and the use of facial recognition technology to arrest protesters, in addition to several lawsuits, no change seems imminent.

Our privacy is in our hands and if attempts by the state to take away this right are not resisted, no other right can be exercised. We will have squandered the last chance of our generation. Let’s not lose this chance.