By Anvitii Rai
The Indian Computer Emergency Response Team’s (CERT-In) guidelines, ostensibly aimed at preventing cybersecurity breaches, have already caused a stir. Expected to come into effect from end-June, these require providers of Virtual Private Network (VPN) services as well as virtual assets (such as cryptocurrency) to retain the personal data of users for five years and hand it over to the government when asked, or face punitive action. Virtual asset providers will have to maintain Know Your Customer (KYC) details for the same period. It is not difficult to understand why these regulations are overreaching and unrealistic. The government and some experts remain of the opinion that these regulations will help strengthen the legal framework required for fighting cybercrime. Union minister for electronics and IT, Ashwini Vaishnaw, has said the regulations should not stir privacy concerns. “Suppose somebody takes a mask and shoots, wouldn’t you ask them to remove that mask? It is like that”, he told The Indian Express. The minister’s assertion notwithstanding, there are several gaping holes in the rules.
For example, according to CERT-In, 212,485 incidents of cybercrime were reported in the first two months of 2022 alone, averaging around 3,600 cases per day. If all incidents are to be reported within six hours, CERT-In would need massive infrastructural capacity to deal with such an overwhelming number of cases. The mechanism to address such incidents is long and tedious, requiring the filling of a form, assessment, triaging, and appointing a team if required. If the new system is implemented, the agency, which already struggles with poor infrastructural and investigative capacity, will get clogged, especially as the global standard for reporting time is 72 hours. Instead, one could look at the US, which very recently signed into law its Better Cybercrime Metrics Act, which designates local law enforcement agencies to collect and report cybercrime data. In the Indian case, it is unclear whether cases will be delegated to subordinate CERTs. The US Act also requires the categorisation of reported cybercrimes, something that Indian experts also feel is a requirement. Cybercrimes are of several different kinds; thus, a one-size-fits-all approach does not make sense.
The other contentious part of the legislation is asking virtual asset and service providers to maintain user information logs, as this is a direct breach of the privacy of individual users. The rules require a number of details that include personal identifiers; service providers are required to store not only the email ID and the IP addresses, but also the name, validated address, and contact details of their clients, along with time stamps. The very point of a VPN, for example, is anonymity and encryption of data to facilitate the secure transfer of information. The Centre itself is no stranger to this; it mandated IT companies to use VPNs to transfer data in 2020. Thus, asking VPN providers, some of whom don’t even have the technical means to comply with the directive, to maintain an information log contradicts their sole purpose. This has led to several firms expressing their intention to exit the market.
Regulations are a necessity, but over-regulation is certainly not the answer. The point to note is that no public consultations were held by CERT-In before drafting or releasing these regulations, which seek to put an onerous and impractical reporting burden on companies. A good step would be to make a fresh beginning and work with cybersecurity and vulnerability experts as well as industry insiders to draft a comprehensive policy framework that is light but effective.