Calling the attention of Neuro Rights and Neuro Tech Professionals in India

FDPPI would like to form a group of professionals interested in NeuroTech and Neuro Rights to take the study further.

This will be an exploratory group to identify the requirements for developing Neuro Rights legislation in India and the application of Privacy laws in the Neuro tech context.

Interested persons may contact Naavi

Naavi


CERT-IN issues FAQ on its Notification of 28th April 2022

Following several representations fired at CERT-In by industry organisations opposing the CERT-In directive dated 28th April 2022, which prescribed

a) Mandatory reporting of Data breach within 6 hours

b) Synchronisation of system clocks

c) Maintenance of logs for 180 days

d) Registration of users and maintenance of KYC records for 5 years

e) Designation of a Point of Contact

CERT-In has today issued an FAQ explaining the different aspects of the regulation.

The copy of the FAQ is available here: 

Naavi


No Benefit in opposing DPA 2021

Some companies and their paid media friends seem to believe that it is better if India does not pass the PDPB 2019/DPA 2021. Various strategies are being used to create doubts in the minds of people that India does not need this law for the time being.

The latest Economic Times campaign is to suggest that ITA 2000 requires amendment since it is 22 years old and hence DPA 2021 can be re-drafted from scratch. I presume that these are only the wishes of some companies who are comfortable with the lawlessness that prevails in Privacy and Data Security in India and want to push the Indian Government into a situation where it can be blamed for not following the directive of the Supreme Court on introducing a robust Privacy protection law.

Though there must be sympathizers of the industry in MeitY, their sympathy may not be able to stop the passage of the DPA 2021, though further delays can be expected in the implementation of its different provisions.

It is necessary for the industry to recognize that India is not really dependent only on the PDPB 2019/DPA 2021 to have a data protection law. In fact, India already has a reasonable data protection law in place in the form of ITA 2000/8, and even if the Government intends to re-draft ITA 2000, it cannot abandon the existing provisions of ITA 2000/8.

In recent days, we have seen the Intermediary Guidelines and the CERT IN guidelines on Data Breach Notification issued under ITA 2000, which show flashes of intention on the part of the Government to use the existing provisions of law even if the new provisions are obstructed.

Under ITA 2000, CERT IN, through its powers under Section 70B, can issue directives and enforce Data Breach related provisions. Through the Data Breach prevention mechanism, it can exercise regulation over how data needs to be handled by organisations.

Though at present CERT IN is not talking about personal data, nothing prevents it from stating that “Data Protection Responsibilities” under Section 70B include both personal data and non-personal data, and that the protection of personal data is in the interest of all citizens and of the protection of the Indian Constitution.

Secondly, while CERT IN has the power to impose its own penalty for non-compliance with its directives, nothing prevents CERT IN from filing a complaint with the Adjudicator or informing the Police about any contravention of ITA 2000, whether it is of Section 43A or 43 or any of the sections of Chapter XI.

The Adjudicator of ITA 2000 has the power to start an inquiry suo motu and need not wait for a complainant. Penalties up to Rs 5 crores can be imposed by the adjudicator of a State and the money kept for the benefit of meeting the claims of prospective claimants.

These are the powers now available in ITA 2000/8 but not implemented so far because CERT IN or the Adjudicators are not keen. But if the Government of India wants, it can make them active.

If so, companies who are opposing the DPA 2021 now would feel that it is better to have the act in place rather than being tried under ITA 2000, which has far stricter provisions than DPA 2021.

When I look at these persons opposing DPA 2021 and feeling happy that their wishes are receiving some traction, I am reminded of the idiom “From the frying pan into the fire”.

Naavi


The Voice of Data Protection Professionals in India

FDPPI, which is often referred to as the “Dada of Data Protection” in India has been publishing a quarterly journal (presently in e-form) in the name of “Data Protection Journal of India”.

The journal, started in January 2021, has now seen six editions, which are available at www.dpji.in.

While we are partially proud of the achievement, we are fully aware that we have miles to go in terms of making DPJI more useful and better looking.

I request professionals and Students from educational institutions to contribute articles to DPJI.

Presently Mr M G Kodandaraman is in charge of the DPJI content management. Those of you who would like to contribute articles to DPJI.

The next DPJI issue is scheduled for July 2022. In the forthcoming issues, we want to add one section exclusively on “Technology”, where we want to discuss issues of technology relevant to Privacy Professionals.

I invite all professionals to contribute articles of relevance to the DPJI.

Additionally, if anybody has a proposal to speak at FDPPI’s weekly web meetings, they are welcome to send their requests.

The requests may be sent by email to fdppi and they will be directed to the relevant persons for further follow up.

Let us make DPJI the “Voice of Data Protection Professionals in India”.

Naavi


Is Protecting India’s interest a Bad Joke?

One of the interesting and at the same time informative criticisms about the new CERT-IN guidelines came from medianama.com.

In multiple articles under the byline of Mr Sarvesh Mathi, the website has argued:

  1. India’s Cyber Security Directive goes against security, Tech companies argue
  2. Why India should not (yet) mandate companies to adopt a specific time source
  3. VPN Providers call India’s new rules worse than China, Russia
  4. Why India’s New Cyber Security Directive is a bad joke

Yesterday’s Economic Times has followed through with its own criticism in the article titled “Tech companies have a few queries on CERT-In’s cyber security rules”.

It is also reported that the Information Technology Industry Council (ITI) has sent a letter to the Director General of IN-CERT, Dr Sanjay Bahl, asking for a pushback.

Further, today’s ET report “UnCERT-IN times for VPN Services Providers in India” openly states that some service providers are refusing to follow the CERT-IN guidelines and will face the bulldozer if need be.

The same report also states that the VPN user base has been surging over the past two years and the number of users in India increased from a mere 3.28% in 2020 to 20% of the population, according to an adoption tracker maintained by AtlasVPN. The total user base is estimated at 270 million according to another estimate.

Some service providers like Surfshark and NordVPN have stated that they are unlikely to be able to adhere to the directive. Some of these service providers indicate that they do not even have the means to collect the user information and keep it for 5 years as required under the guidelines. Some of them say that they are only working on a RAM-based service and pride themselves on “No Log Retention” as their USP.

More than the other measures indicated in the new guidelines, such as “Synchronization of Clocks” and “Data Breach Report within 6 hours”, the VPN log requirement seems to have shaken up the industry, since it directly affects illegal activities such as Crypto transactions, anti-national activities, Phishing activities, ransomware attacks, Crime as a Service operators and virtually all Dark web activities.

Over the last few years, Internet-based attacks on the country through social media fake accounts and the operation of Crypto Currencies to fund terrorism in the country have adversely affected law enforcement in India. Operators like “Proton Mail” have made it virtually impossible to trace phishing e-mails, and website hosts and email providers hide under “Privacy” and refuse to part with the identity of criminals who use their services.

We have pointed out many times that the fundamental personal right of “Privacy” has no role in hiding criminal activities and any service provider who resorts to such excuse will be an “Abettor” of crime and must be punished as a facilitator of crime.

Naavi.org has at the same time advocated “Regulated Anonymity” as the recommended system, where users can claim anonymity subject to the right of law enforcement to obtain the information under due process from the service provider who provides the anonymization service. This is an alternative to blocking a service which supports crime against the people of India.

The entire campaign against the guidelines therefore has the motive of keeping Cyber Crimes undetected and hence has to be opposed.

Technical Excuses

Since some journalists still hold a fig leaf to cover their nefarious intentions of supporting Cyber crimes, several technical excuses are presented to confuse the public.

It is accepted that the new regulations require some tweaking of systems and involve cost. But law enforcement cannot dilute security to make “Crime as a service” more profitable. Hence the arguments on the basis of cost deserve to be brushed aside with the contempt they deserve.

The arguments of “Latency” and the need to connect to a nearby time source instead of NIC/NPL (“Nearness to the time source”) apply to data centres which are not in India. The Guideline also permits the use of an accurate and standard time source other than NPL and NIC in the case of entities having ICT infrastructure spanning multiple geographies.

India, however, prefers a copy of all sensitive data to be kept within India and hence servers need to be in India. Whether the present capacity in India is adequate or not is a matter that needs to be sorted out, for which six months’ time has been provided even now.

(PS: Naavi has pointed out that this law has been in existence since at least 27th October 2009, and Naavi.org has pointed out several times the need to enforce the same, which CERT IN and the Government of India have failed to do so far.)

The Medianama article points out that one researcher indicates that:

“There could be privacy concerns. Depending upon whether you want the government of India to know that you have a server with so and so IP”.

In case the service provider is so apprehensive and distrustful of the Indian Government that, if their time server connects to an Indian server, the Government may know the IP address of the server, they need to stop doing business in India and exit. CERT IN has a mandate for Cyber Security, and if any company is operating a server in India or transacting with the Indian population, it is the duty of the security agency to know the server. This objection itself can be called a bigger joke than the regulations.

As regards the 6 hour reporting time, these crime supporters are misleading the public. We all know that companies take on average 270 days to detect a data breach. But what the guidelines ask is that, after the company comes to know of the breach, it report within 6 hours with whatever information is available and supplement it later.

Critics should note that most of the laws in US and elsewhere may state that the data breach should be reported “As soon as possible” and ASAP could mean even earlier than 6 hours.

We know that the company would like to hide the incident “as long as possible” for preventing reputation damage but hiding it longer may only expose more individuals to the adverse consequences of the breach.

It is however open to the companies to discuss with CERT IN how they classify “Cyber Incidents” and “Cyber Data Breaches”, what needs to be reported within 6 hours and what is to be logged for future reference.

According to the CERT In rules of 2014:

“Cyber Security Incident” means any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorization.”

“Cyber Security breaches” means unauthorized acquisition or unauthorised use by a person as well as an entity of data or information that compromises the confidentiality, integrity or availability of information maintained in a computer resource.”

These definitions provide an opportunity to distinguish actual security compromises, which need to be reported within 6 hours, from targeted scanning information that is detected and blocked by the security systems. Hence the objections raised in this regard are imaginary.

As regards the volume of log records, the Medianama article quotes that a company may generate 1TB of data every day and asks how they can share the log records in PDF format etc. If a company has the business to generate 1TB of data per day, it would definitely have the resources to store the 1TB of data for 180 days if it invests in storage facilities. These need not be passed on to CERT IN immediately and can be held in whatever form is convenient for the organization under its custody. Only when specific information is called for by CERT IN do they need to extract the records and provide them with a Section 65B certificate, which can also be in a digitally signed soft copy format. During investigations, it is expected that the investigators would not make a request such as “All Logs for last five years”. At best they may ask for specific device log records for about 15 days to one month. If this is required for security reasons, all of us, including the tech companies, need to cooperate with a sense of social responsibility rather than complaining.

The Medianama article also gives an excuse that there could be a GDPR violation. It is not worth commenting on this, since every data protection law has an exception for law enforcement purposes and GDPR cannot lord over Indian sovereignty. Further, if an organization is collecting data from India and storing it in India, it is subject to the Indian DPA 2021 and not GDPR. GDPR applies to data collected from the EU, and companies are welcome to store it abroad.

In fact, if the companies prefer to store their GDPR data in India, DPA 2021 provides an exception under Section 37 (DPA 2021/PDPB 2019) to seek exemption from DPA 2021 by a notification. This could prevent any unintended GDPR violation. However, if GDPR data is being used for committing crimes which are under investigation in India, no protection should be claimed.

One expert has been quoted as stating that the exercise of powers by CERT IN could be considered a “Warrantless Search”. It is a point to be noted, but CERT IN is one of the entities which has been statutorily empowered under Section 70B of ITA 2000/8, and as long as due process is followed and the information gathered is further protected appropriately, there should be no concern. If there are any concerns, Indian Courts will consider them.

After all, we know that the Supreme Court is always responsive to senior advocates and would even meet at midnight if the situation warrants. The Indian Supreme Court may perhaps be considered far more independent than Courts at least in the USA and is always ready to accept any challenge to a law, or even a departmental circular or a tender notification, as long as some key words such as “Privacy”, “Freedom of Speech” and “Constitutional Rights” are used in the petition.

The Supreme Court will not even insist on the case travelling through the lower courts and will accept a writ petition directly, so that any company receiving a notice from CERT IN can approach the Supreme Court immediately within the six hour deadline. Some would say 24 hours would be a better time interval for negotiating with the advocates, but considering the possibility of “Midnight hearings” and “Telephone Stays” that are possible in India, influential companies can perhaps manage the six hour deadline and obtain stays on CERT IN orders.

While we hold our view that “Security” is paramount and the “Right to be secured” is as much a fundamental right as other rights, we hope that the Government will be able to hold its fort against the objections from the tech companies and the media. We will not be surprised if CERT IN and MeitY develop cold feet and this guideline is shelved like many similar guidelines.

Naavi

(Comments welcome)

Reference Articles:

Global tech industry body seeks revision in India’s directive on cyber security breaches

Tech companies have a few queries on CERT-In’s cybersecurity rules

India Limits Internet Freedom Again; Mandates User Data Collection For VPNs-INC42

5 issues with the recent Cert-In directions and what they mea… Money Control

Why India’s New Cybersecurity Directive Is A Bad Joke… Medianama.com

Reference Circulars

CERT In Rules dated 16th January 2014

Notification of 4th January 2017

Notification of April 28, 2022

Earlier Articles at Naavi.org

CERT-In Re-issues its order of 4th January 2017

Shadow DPAI required for CERT-IN

Raising objections to Government Actions has become a habit for Tech Companies


Raising Objections to Government actions has become a habit for Tech Companies

Whenever an important action is undertaken by the Government, a part of the industry and the media is always objecting. It appears as if these companies are so used to operating without regulations in India that even a small guideline makes them feel that there is a great injustice committed.

Unfortunately, our judicial system is so sympathetic to anti-Government petitions that at the drop of a hat a stay would be granted. Hence the Government has been rendered impotent in taking any firm decision related to IT.

For example, on October 17, 2000, India notified ITA 2000. This had a Section 70 under which the Government was empowered to declare any computer system a “Protected System” and impose special penalties for contravening the provisions of the guidelines under this section. Under this section the Central Government had the power to notify any system as a “Protected System” and notify how it could be accessed, who would access it, etc.

On 19th January 2004, the Ministry of IT set up a division within its office and called it “CERT-IN” to monitor the implementation of security aspects in Government networks.

From October 27, 2009, the amended ITA 2000 became effective as per the amendments of 2008. This introduced modifications to Section 70 and also introduced two new sections namely Section 70A and Section 70B.

Under Section 70, the systems to be protected were designated as “Critical Information Infrastructure”, which was defined as “the computer resource, the incapacitation or destruction of which shall have a debilitating impact on national security, economy, public health or safety”. It was a definition that could include both Government and Private Systems.

According to Section 70A, a provision was made to recognize a “Nodal Agency” which was responsible for all measures of security, including “Research”, related to the protection of Critical Information Infrastructure.

According to Section 70B, the Computer Emergency Response Team (IN-CERT) was designated as the National Nodal Agency and vested with the quasi-judicial powers envisaged under ITA 2000/8.

Under Section 70B(4), it was prescribed that:

The Indian Computer Emergency Response Team shall serve as the national agency for performing the following functions in the area of Cyber Security:

(a) collection, analysis and dissemination of information on cyber incidents

(b) forecast and alerts of cyber security incidents

(c) emergency measures for handling cyber security incidents

(d) coordination of cyber incidents response activities

(e) issue guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents

(f) such other functions relating to cyber security as may be prescribed

It was clear that with this change in ITA 2000, it became the duty of CERT IN, which was only a department of MeitY, to be responsible for national cyber security. The person in charge was also re-designated as “Director General” and he had the power to prosecute any service provider, intermediary, data centre, body corporate or any person who does not comply with his direction, with a possible punishment of imprisonment of 1 year and a fine of Rs one lakh.

Though this power and responsibility came into existence from 27th October 2009, the CERT IN never assumed the changed role of IN-CERT and did not seriously grow out of its earlier departmental status.

On 16th January 2014, the Government notified the “Information Technology (The Indian Computer Emergency Response Team and manner of Performing functions and duties) Rules 2013”.

The rules prescribed that any non-compliance with directions shall be put up to a review committee consisting of the Secretary of MeitY, the Joint Secretary, Ministry of Law and Justice, an Officer of DOT, the Joint Secretary of the Ministry of Home and the Group Coordinator for Cyber Law in MeitY, for necessary action.

It is not clear whether this committee has met in the past and whether the powers envisaged under this notification have been properly exercised.

However, it is necessary for us to recognize that this data breach reporting requirement existed in law since 27th October 2009 with procedures available since 16th January 2014.

The industry which is today raising objections to the regulations notified on 28th April 2022 has not been aware of the 2008 amendments to ITA 2000 or the rules notified in October 2009 or 2014. Further, on 4th January 2017, a notification was again issued regarding data breach notification, where it was mandated that Cyber Security incident reports have to be notified within a reasonable time.

Now the Government has again come up with a notification about the same mandatory requirements giving a further 6 months for implementation as if even the Government does not recognize that it has been its duty to collect the Cyber Security breach incident reports since 27th October 2009 and it has already issued many notifications for the same purpose.

The media is now raising excuses why the notification is difficult to implement. The website INC42.com which is known for its anti-Modi stand says that “India has limited Internet freedom again”.

The US-based technology industry body ITI, having global tech firms such as Google, Facebook, IBM and Cisco as its members, has sought a revision in the Indian government’s directive on reporting of cyber security breach incidents as if they are running the Indian Government and India cannot pass any law which is not acceptable to these Tech Companies.

Some of the Indian Companies who are ignorant of the ITA 2000 and the fact that this regulation has been in existence for 12 years without being implemented are raising their own objections such as “Increased Cost”, “Technical Difficulties” etc.

We would like to directly respond to some of the questions raised in some of the articles that have appeared in Economic Times and Indian Express in this regard and try to clarify the position.

Concern 1: ITI: According to ITI Country Manager Kumar Deep, incident reporting is counterproductive and may negatively impact Indian and Global enterprises and undermine cyber security.

It appears that ITI considers data breach notification detrimental to the interest of the country, whereas hiding the incidents is acceptable. Does ITI hold the same view regarding the data breach notification requirements in each of the states of the US as well as laws such as CCPA, GDPR etc.? If reporting under those laws is not detrimental to the interests of the USA, how is data breach notification to the Indian Government authority alone detrimental to the interest of India?

Concern 2: ITI: ITI has raised concerns over the mandatory reporting of breach incidents within six hours of noticing, to enable logs of all ICT systems and maintain them within Indian jurisdiction for 180 days, the overbroad definition of reportable incidents and the requirement that companies connect to the servers of Indian government entities.

It is noted that the objection is incorrect to the extent that companies need not connect to the servers of Indian Government Entities. What has been prescribed is only to ensure that the time servers are synchronized.

Reporting the incident within 6 hours is only after the organization comes to know of the incident and does not cover the inefficiency of the companies which surveys state take more than 9 months to detect a breach.

Keeping log records is a routine activity which may only require more domestic storage facilities and does not create any other issue. It is not necessary that these have to be shared with the Government on an ongoing basis. Only when an appropriate Government agency demands the information for an investigation does the information have to be shared. This is a law enforcement requirement which these Tech Companies are trying to avoid.

ITI should realize that the Tech Companies need to work within the laws of our country and cannot be considered as tools of terrorists and anti India elements.

Concern 3: INC 42: INC 42 suggests that VPNs should not be asked to keep the records of their subscribers and make it available to the Government if required. It has also objected to the extension of this requirement to Crypto Exchanges.

It is to be noted that the directives do not require the VPN hosting companies to share the content transmitted, but only who is using their services. Allowing anonymous VPN services is the “Dark Web” operation of Cyber Criminals and cannot be supported by any law-abiding country.

Concern 4: Money Control: According to the views from some experts, Money Control reports that the log retention capacity has to be newly created and hence would add to the cost. It also says that whether the companies are equipped to report such cases within six hours is questionable. Some experts have also raised the issue if they have to report every phishing mail received or attempted targeted scanning etc.

It is to be noted that reporting within 6 hours does not mean that the report should be complete with investigation, root cause analysis etc. What is required is the report that a data breach has happened. Under every law, including GDPR or DPA 2021, it is envisaged that the report may be in phases and, as and when more information is available, the report will be updated. However, the first report within 6 hours ensures that the national body is aware of something going wrong in one company and it may help it plan a defence if similar incidents can occur in other companies.

What the companies need to do is to draft an email which records the data breach event, a general description of the nature of the attack, its adverse impact etc. It is possible that IN CERT may actually help those companies who, if they are not equipped to send an email within 6 hours, will also not be capable of mitigating the risk in 60 days. After all, we are talking of companies who take 270 days to even recognize a data breach and call themselves champions of Cyber Security.

As regards whether every targeted scanning has to be reported etc., companies need to define what a “Data Breach” is and distinguish it from “Attempted Attacks”. Only when the attempted attack succeeds does a “Data Breach” get recognized. The rest gets recorded in the log records and could be useful for future investigations. In the case of Phishing, it is not the incoming phishing mails that become reportable, unless they have been responded to, leading to a data compromise. What is important is whether the Company’s identity has been used by fraudsters in their phishing attacks. If so, appropriate measures need to be taken to bring down the fake servers delivering the phishing messages and to provide disclaimers and notifications on their websites.
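The triage rule described in this paragraph and in the earlier discussion of the 2014 rules' definitions (actual compromises are reportable within 6 hours of the organisation coming to know of them; blocked scans and unanswered phishing mails are logged only; all records are kept for 180 days) can be written down as a small decision procedure. The following is an added example for this article, not CERT-In's code nor the author's; the event schema, the field names, the outcome vocabulary and the sample events are constructed assumptions used only to exercise the rules stated in the text.

```python
"""Incident triage helper for the reporting and retention rules discussed above.

Added example; not CERT-In's or the author's code. The SecurityEvent schema,
the outcome vocabulary and SAMPLE_EVENTS are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

REPORTING_WINDOW = timedelta(hours=6)   # "report within 6 hours" of noticing
LOG_RETENTION = timedelta(days=180)     # "maintenance of logs for 180 days"

# Outcomes that amount to an actual compromise of confidentiality, integrity or
# availability in the sense of the 2014 rules' definitions (assumed vocabulary).
COMPROMISE_OUTCOMES = {"succeeded", "unauthorised_access", "compromised"}


@dataclass
class SecurityEvent:
    event_id: str
    detected_at: datetime   # when the organisation came to know of the event (UTC)
    kind: str               # e.g. "scan", "phishing_inbound", "login", "exfiltration"
    outcome: str            # e.g. "blocked", "not_responded", or one of COMPROMISE_OUTCOMES
    description: str


@dataclass
class TriageResult:
    event_id: str
    reportable: bool
    reason: str
    report_by: Optional[datetime]   # None when the event is only to be logged
    retain_until: datetime          # the log record must be kept at least until this time


def classify_event(event: SecurityEvent) -> TriageResult:
    """Apply the text's rule: only a successful attack is a reportable breach."""
    retain_until = event.detected_at + LOG_RETENTION
    if event.outcome in COMPROMISE_OUTCOMES:
        return TriageResult(event.event_id, True, "actual security compromise",
                            event.detected_at + REPORTING_WINDOW, retain_until)
    if event.kind == "phishing_inbound":
        reason = "incoming phishing mail not responded to; log only"
    elif event.kind == "scan":
        reason = "targeted scanning detected and blocked; log only"
    else:
        reason = "attempted attack did not succeed; log only"
    return TriageResult(event.event_id, False, reason, None, retain_until)


def hours_remaining(result: TriageResult, now: datetime) -> Optional[float]:
    """Hours left in the 6-hour window (negative if overdue); None if not reportable."""
    if result.report_by is None:
        return None
    return (result.report_by - now).total_seconds() / 3600


def initial_report(event: SecurityEvent) -> Dict[str, str]:
    """Minimal first report: what is known at detection time, to be supplemented later."""
    return {
        "event_id": event.event_id,
        "detected_at": event.detected_at.isoformat(),
        "nature_of_attack": event.description,
        "adverse_impact": "under assessment",
        "status": "initial report; root cause analysis to follow",
    }


def triage(events: List[SecurityEvent]) -> List[TriageResult]:
    return [classify_event(e) for e in events]


# Constructed sample events (not real data).
T0 = datetime(2022, 5, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    SecurityEvent("EV-1", T0, "scan", "blocked", "port scan against DMZ, dropped by firewall"),
    SecurityEvent("EV-2", T0 + timedelta(hours=1), "phishing_inbound", "not_responded",
                  "credential-phishing mail quarantined by mail gateway"),
    SecurityEvent("EV-3", T0 + timedelta(hours=12, minutes=30), "login", "unauthorised_access",
                  "valid admin session from unrecognised device"),
    SecurityEvent("EV-4", T0 + timedelta(days=1), "exfiltration", "compromised",
                  "customer records copied to external host"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        deadline = r.report_by.isoformat() if r.report_by else "-"
        print(f"{r.event_id}: reportable={r.reportable} report_by={deadline} "
              f"retain_until={r.retain_until.date()} ({r.reason})")
```

The deadline is computed from `detected_at`, the time the organisation came to know of the event, not from the time the attack began, which is the distinction the article draws against the "270 days to detect" objection. Blocked events still receive a `retain_until` date, reflecting the point that they are logged for future investigation rather than reported.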

In summary, we can state that the objections raised by some of the industry members through the media are unreasonable and need to be ignored.

It is unfortunate that in all such cases it is Naavi.org which has to come to the defence of the Government, while the Government agency itself remains a mute spectator to the media onslaught, to the extent that Courts also feel that there should be something wrong with the Government since it is not confident of itself.

IN-CERT should come of age at least now and realize that it is not the old CERT-IN, and I urge the Director General to come out with his own Press Conference defending the notification more strongly than what Naavi.org needs to do.

We are once again reminded of the story in the Ramayana where Hanuman did not know his powers and had to be reminded by Jambavanta before Hanuman got the confidence to jump across the ocean. IN-CERT is also like Hanuman, who does not know his powers and has to be reminded.

Naavi.org has already suggested that after the DPA 2021 is passed, the role of DG, IN-CERT may get further marginalized. Just as the late Mr T.N. Seshan revived the self-respect of the Election Commission, the current DG, IN-CERT has the responsibility to assert the role of the office of DG, IN-CERT and ensure that the interest of the office is protected. I urge the Secretary of MeitY to facilitate this transition of CERT-IN to IN-CERT and make it a relevant body.

(Comments are welcome)

Naavi

Reference Articles:

Global tech industry body seeks revision in India’s directive on cyber security breaches

Tech companies have a few queries on CERT-In’s cybersecurity rules

India Limits Internet Freedom Again; Mandates User Data Collection For VPNs-INC42

5 issues with the recent Cert-In directions and what they mea… Money Control

Why India’s New Cybersecurity Directive Is A Bad Joke… Medianama.com

Reference Circulars

CERT In Rules dated 16th January 2014

Notification of 4th January 2017

Notification of April 28, 2022

Earlier Articles at Naavi.org

CERT-In Re-issues its order of 4th January 2017

Shadow DPAI required for CERT-IN
