Privacy and online free expression are once again under threat in India, thanks to vaguely worded cybersecurity directions—promulgated by India’s Computer Emergency Response Team (CERT-In) earlier this year—that impose draconian mass surveillance obligations on internet services, threatening privacy and anonymity and weakening security online.

Directions 20(3)/2022 - CERT-In came into effect on June 28th, sixty days after being published without stakeholder consultation. Astonishingly, India’s Minister of State for Electronics and Information Technology (MeitY) Rajeev Chandrasekhar said the government wasn’t required to get public input because the directions have “no effect on citizens.” The Direction itself states that they  were needed to help India defend against cybersecurity attacks, protect the security of the state and public order, and prevent offenses involving computers. Chandrasekhar said the agency consulted with entities “who run the relevant infrastructure,” without naming them.

Cybersecurity law and policy directly impact human rights, particularly the right to privacy, freedom of expression, and association. Across the world, national cybersecurity policies have emerged to protect the internet, critical infrastructure, and other technologies against malicious actors. However, overly broad and poorly defined proposals open the door to unintended consequences, leading to human rights abuses, and harming innovation. The Directions enable surveillance and jeopardize the right to privacy in India, raising alarms among human rights and digital rights defenders. A global NGO coalition has called upon CERT-in to withdraw the Directions and initiate a sustained multi-stakeholder consultation with human rights and security experts to strengthen cybersecurity while ensuring robust human rights protections. 

What’s Wrong With  CERT-in Cybersecurity Directions from a Human Rights Perspective?

Forced Data Localization and Electronic Logging Requirements

Direction No IV compels a broad range of service providers (telecom providers, network providers, ISPs, web hosting, cloud service providers, cryptocurrency exchanges, and wallets), internet intermediaries (social media platforms, search engines, and e-commerce platforms), and data centers (both corporate and government), to enable logs of  all their internet and communication technology (ICT) systems–and forces them to keep such data securely within India for 180 days. The Direction is not clear about exactly what systems this applies to, raising concerns about government access to more user data than necessary and compliance with  international personal data privacy principles that call for purpose limitation and data minimization. 

Requiring providers to store data within a country’s borders can exacerbate government surveillance by making access to users’ data easier. This is particularly true in India, which lacks strong legal safeguards and data protection laws. Data localization mandates also make providers easy targets for direct enforcement and penalties if they reject arbitrary data access demands.

General and Indiscriminate Data Retention Mandate

Direction No. V establishes an indiscriminate data retention obligation, which unjustifiably infringes on the right to privacy and the presumption of innocence. It forces data centers, virtual private server (VPS) providers, cloud service providers, and virtual private network service (VPN) providers to collect customers' data, including names, dates services began, email addresses, IP addresses, physical addresses, and contact numbers, among other things, for at least five years or longer, even if a person cancels or withdraws from the service.

Mandating the mass storage of private information for the mere eventuality that it may be of interest to the State at some point in the future is contrary to human rights standards. As the Office of the United Nations High Commissioner for Human Rights (OHCHR) has stated, “the obligation to indiscriminately retain data exceeds the limits of what can be considered necessary and proportionate.” Storing the personal information of political, legal, medical, and religious activists, human rights defenders, journalists, and everyday internet users would create honeypots for data thieves and put the data at risk in case of software vulnerabilities, fostering more insecurity than security. Moreover, VPN providers should not collect personal data or be forced to collect any data that are irrelevant to their operations just to comply with the new Directions. Personal data should always be relevant and limited to what is necessary regarding the purposes for which they are processed.

Onerous Cybersecurity Reporting Requirements

Direction No. II forces a broad range of service providers, internet intermediaries, including online game companies, and data centers (both corporate and government) to report cybersecurity incidents to the government within a tight time frame of six hours from detection—compared to 72 hours under the EU’s GDPR to notify data breaches—an onerous requirement for small and medium companies that would need staff available 24-7 to comply in such a short period. Moreover, such a tight time frame can exacerbate human errors. In contrast, the previous rules expected entities to report cybersecurity incidents “as early as possible to leave scope for action.” The new Direction does not mandate that users be notified of cybersecurity incidents. 

The reporting requirements apply to a wide range of cyber security incidents, including data breaches or data leaks, unauthorized access to ICT systems or resources, identity theft, spoofing, phishing attacks, DoS and DDoS attacks, malicious attacks like ransomware, and cyber incidents impacting the safety of human beings, among others. They also apply to “targeted” scanning (the automated probing of services running on a computer) of ICT systems; however, since targeting is ill-defined, this could be interpreted to mean any scanning of the system, which any system administrator can tell you, is the background noise of the internet. What’s more, many pro-cybersecurity projects engage in widespread scanning of the Internet.

Scanning is so ubiquitous on the internet that some smaller companies may choose to just automatically send all logs to CERT-In rather than risk being in violation of policy. This could make an already bad user privacy situation even worse.

Directions Grant CERT-In New Powers to Order Providers to Turn Over Information

Direction No. III grants CERT-In the power to order service providers, intermediaries, and data centers (corporate and government) to provide near real-time information or assistance when the agency is taking protective or preventive actions in response to cybersecurity incidents. The direction provides no oversight mechanism or data protection provision to guard against such orders being misused or abused. The direction also compels the same entities to designate a point of contact to receive CERT-In information requests and directions for complying with such requests.

Why Indiscriminate Data Retention Mandate is Anathema to VPNs

Consumer VPNs play a vital role in securing users’ confidential information and communications. They create a secure tunnel between a user’s device and the internet, enabling people to keep the data they send and receive private by hiding what servers they are communicating with from their ISP, and encrypting data in transit. This allows people to bypass local censorship and defeat local surveillance. 

VPNs are used everywhere. Activists, journalists, and everyday users want to protect their communications from the prying eyes of the government. Research shows that India has the highest growth rates in using VPN services worldwide. VPN installations during the first half of 2021 reached 348.7 million, a 671 percent increase in growth compared to the same period in 2020. Meanwhile, businesses use VPNs to provide secure access to internal resources (like file servers or printers) or ensure they can navigate securely on the Internet.

The massive data retention obligations under Direction No. V is anathema to VPNs—their core purpose is to not hold or collect user data and provide encryption to protect users’ anonymity and privacy. Forcing VPNs to retain customer data for potential government use will eliminate their ability to offer anonymous internet communications, making VPN users easy targets for state surveillance.

This is especially concerning in countries like India, where anti-terrorism or obscenity rules imposed on online platforms have been used to arrest academics, priests, writers, and poets for posting political messages on social media and leading rallies.

If VPNs comply with the CERT-In Cybersecurity Direction, they can no longer be relied upon as an effective anonymity tool to protect VPN’s user's free expression, privacy, and association, nor as an effective security tool. Chandrasekhar has said VPNs must comply with the Directions or curtail services in India. “You can’t say, 'No, it's our rules that we do not maintain logs,'” he told reporters earlier this year. “If you don't maintain logs, then this is not a good place to do business.”

VPNs “should not have to collect data that are not relevant to their operations to satisfy the new directions, just as private spaces cannot be mandated to carry out surveillance to aid law enforcement purposes,” IFF Policy Director Prateek Waghre said in a brief co-authored and published by the Internet Society. “What makes CERT-In’s directions related to data collection even riskier is that India does not have a data privacy or data protection law. Therefore, citizens in the country do not have the surety that their data will be safeguarded against overuse, abuse, profiling, or surveillance.”

The Internet Freedom Foundation (IFF) in India has called on CERT-In to recall the directions, saying the data retention requirements are excessive. The organization has also urged CERT-In to seek input from technical and cybersecurity experts and civil society organizations to revise them.

VPNs Fight Back

VPN operators have strongly objected, as the rules will essentially negate their purpose. Many said they would have to  pull out of India if forced to collect and retain user data. The good news is that most continue to offer services by routing traffic through virtual servers in Singapore, London, and the Netherlands. Meanwhile, Indian VPN service SnTHostings, which has just 15,000 customers, has filed a lawsuit challenging the rules on grounds that they violate privacy rights and exceed the powers conferred by the Information Technology Act 2000, India’s primary electronic commerce and cybercrime law. SnTHostings is represented by IFF in the case.

The CERT-In Directions come as the government has taken other steps to weaken privacy and restrict free expression; read more here, here, here, here, here, and here. Digital rights in India are degenerating, and while civil society organizations and VPN providers are raising red flags,

The Information Technology Industry Council (ITI), a global trade association representing Big Tech companies like Apple, Amazon, Facebook, and Google, has called on CERT-In to revise them, saying they will negatively impact Indian and global enterprises and actually undermine cybersecurity in India. “These provisions may have severe consequences for enterprises and their global customers without solving the genuine security concerns,” ITI said in a May 5 letter to CERT-In. A few weeks later, the agency clarified that the new directions don’t apply to corporate and enterprise VPNs.

A group of 11 industry organizations representing Big Tech companies in Asia, the EU, and the U.S. have also complained to CERT-In about the rules and urged that they be revised. While noting that internet service providers already collect the customer information required by the rules, they said requiring VPNs, cloud service providers, and virtual service providers to do the same would be “burdensome and onerous” for enterprise customers and data center providers to comply with. The threat to user privacy isn’t mentioned. We’d like to see this change. Tech industry groups, and the companies themselves, should stand with their users in India and urge CERT-In to withdraw these onerous data collection requirements.

To learn more, read Internet Freedom Foundation’s CERT-In Directions on Cybersecurity: An Explainer.