Privacy and data security are not mutually exclusive | Media Pyro


Over the past few weeks, we’ve seen a significant new controversy over the Indian government’s ambitions to regulate the Internet. This is because India’s Computer Emergency Response Team (CERT-In) announced cyber security guidelines in May without prior public discussion or consultation. This has led to numerous virtual private network (VPN) firms announcing the removal of their servers from India, voices from industry and Indian SMEs raising concerns about the challenges of being able to meaningfully implement these dictates, and civil society, cybersecurity experts and technologists pointing to how they would harm cybersecurity while increasing government intrusion into privacy and other fundamental rights on the Internet.

VPNs provide privacy and help people stay connected when the internet is down

The temporary pause in the implementation of these cyber security directives announced by CERT-In and the Ministry of Electronics and IT is a small positive step, a temporary reprieve. But this is far from enough. Now we need to have a meaningful, honest conversation, and not rush to implement these rules.

Let’s start by looking at the stumbling blocks. The instructions establish a list of cyber security incidents that must be reported to CERT-In “within 6 hours after they notice such incidents or are notified of such incidents.” First, the six-hour window is too burdensome and will almost certainly lead to frequent defaults and widespread liabilities. Secondly, there is no provision for mandatory notification of affected individuals and legal entities whose data may have been compromised. And finally, there is no clarity and control over the actions CERT-In is required to take to mitigate damage and protect data after it becomes aware of an incident.

Perhaps the most problematic aspect of the new rules is the extent to which they impose data retention requirements. VPN providers and others will be required to keep user information for five years or longer. VPNs protect online privacy by masking users’ IP addresses, and most VPNs do not log user information. This helps protect Internet users from surveillance, which is especially useful when connecting to public networks such as airports, hotels, and restaurants. It also helps bypass internet blackouts and allows people to stay connected and access information, education and healthcare, for example. This is especially important in India. According to an Access Now report published in April 2022, India was responsible for 106 of the 182 documented internet blackouts in 2021, making it the world’s blackout capital for the fourth consecutive year.

CERT-In’s mandate to broadly collect and store data in a specified manner amplifies the prevailing risk of uncontrolled surveillance in India. This creates a vulnerability that can be exploited by attackers, ultimately compromising an individual’s right to privacy and collective cybersecurity. This comes amid growing impunity for surveillance in India and a legal vacuum where there should be a robust data protection law. In 2021, Project Pegasus again revealed the lack of transparency and accountability surrounding surveillance in India. At a time when the central government is set to launch surveillance reform and introduce rights-respecting data protection legislation, there is instead a growing effort to collect and store more of people’s personal information. Indeed, even these CERT-In guidelines on cyber security seem to have been aimed more at forcing VPNs and other players in the internet ecosystem to play ball with the wishes of the government and law enforcement agencies, rather than improving the cyber security of all Indians.

As the significant number of cyber security incidents and data breaches has shown, there is no doubt that we urgently need concerted action and clear policy at government level. However, recognizing that privacy and cybersecurity can complement each other is key. National cybersecurity policies adopted by other major democracies recognize this and explicitly state the need to protect human rights and ensure a constructive relationship between cybersecurity regulation and data protection laws. India is suffering in this regard. Although Prime Minister Modi announced in his Independence Day speech in 2020 that the publication of a National Cyber Security Strategy is imminent, there is no sign of that happening yet. Also, India does not yet have a data protection law; a bill to that effect is pending in parliament, and there is no indication that the government has prioritized its passage, let alone correcting the many deficiencies found in its current form.

Returning to the CERT-In regulations, as they have a significant impact on the industry, the freedom and security of people on the Internet and the Internet landscape in general, they should be informed by consultation with all interested parties. CERT-In should actively invite comments and amend accordingly prior to implementation.



The views expressed above are those of the author.


