New CERT-In directions raise grave concerns for data privacy

While some directions seem like the need of the hour (such as mandatorily reporting data breaches) and definitively aim at ensuring cyber security, others (such as collecting and storing personal data by VPN providers) fall short of this aim.

——

THE directions issued on April 28 by the Indian Computer Emergency Response Team (CERT-In) have raised serious privacy concerns. CERT-In is the national agency responsible for analysing cyber threats and dealing with cybercrimes reported to it.

The directions, among other things, call for Virtual Private Network [VPN] providers to collect and store data of their users for a period of at least five years. The directions have been issued under Section 70B of the Information Technology [IT] Act, 2000.

Data leaks and breaches have become quite common due to a surge in the digitalization of personal data online. Usually, independent cyber activity researchers are the ones who inform us of such incidents of leaks and breaches, rather than the data fiduciaries who are entrusted with the responsibility of collecting and storing our data and are obligated to the people from whom the data is being collected.

The fresh directions aim at addressing the above gap identified by CERT-In during the course of dealing with cyber incidents. The directions are set to come into effect after 60 days from the date of their issuance (so towards the end of June), and non-compliance with them may attract penal action.

What does the relevant direction say?

According to Direction 5, Data Centres, Virtual Private Server [VPS] providers, Cloud Service providers and VPNs must register their users’ information and store it for a period of at least five years, and longer if mandated by the law. Such information must be tracked and maintained even after the user has cancelled their subscription to the service.

The directives are in direct conflict with the main function of VPNs, which is to mask the IP addresses of users from Internet Service Providers (ISPs) and other third parties. This prevents ISPs and third parties from seeing which websites the user is visiting, and what data is being sent and received online. Most VPN services refrain from storing logs of their users’ activities.

The information that the government wants these companies to collect and store is the name of the subscriber/customer, the duration of hire of service, IP address allotted or used by the subscriber, timestamp recorded at the time of registration, the purpose of hiring the service, address and contact number of subscribers, and the ownership pattern of the customers.

What is the principle involved?

According to the principle of storage limitation, the personal data of a user must be stored in a form which permits data subjects to be identified only for a period that is necessary for the purpose of the processing. Such personal data may be stored for a longer period only when its storage serves the public interest or is used for achieving scientific, historical research, or statistical purposes. Even in these cases, it is important to safeguard the rights and freedom of the data subject.

The present directions call for “mandatorily enabl[ing] logs of all their (all service providers, intermediaries, data centres, body corporate and Government organizations) ICT systems and maintain[ing] them securely for a rolling period of 180 days” (Direction 4) and “register[ing] the following accurate information which must be maintained by them (Data Centres, VPS providers, Cloud Service providers and VPNs) for a period of 5 years or longer duration as mandated by the law after any cancellation or withdrawal of the registration” (Direction 5).

The abovementioned requirements exacerbate the concern about collecting and storing personal data beyond any purpose or need. Further, the lack of clarity regarding the phrase “or longer duration as mandated by the law” in Direction 5, along with the absence of reasons for which the timeline of five years shall be extended, can create grave privacy violations. Such mandates may also force VPN providers to leave the Indian market. VPN service NordVPN recently confirmed that it may consider shutting down its services in India for lack of a better option.

What are the principles with which the directions are inconsistent?

The principle of purpose limitation provides for personal data to be collected only for expressed, specified and legitimate purposes. It is not permissible to process that data any further and in a way that does not comply with those purposes. However, processing such personal data is allowed if the purpose of such processing falls within the ambit of public interest, scientific, statistical or historical research.

According to the data minimization principle, personal data must be relevant, limited and adequate for what is necessary in relation to the processing purposes. Simply put, the data cannot be processed unless processing it serves the abovementioned purposes.

The purpose limitation and the data minimisation principles work together to limit the use of personal data to what is consented to by the data subject. Therefore, the new directions directly challenge these principles since they rely on the ubiquitous and indiscriminate collection and usage of data, and provide for the storage of data longer than what is necessary.

Are the directions relevant for cyber security?

The directions, as stated in the subject-line, relate to “information security practices, procedure, prevention, response, and reporting of cyber incidents for Safe & Trusted Internet.” The directions further state that the information required “to coordinate response activities” and “emergency measures” in relation to cyber security is often not readily available, if at all. While some directions seem like the need of the hour (such as mandatorily reporting data breaches) and definitively aim at ensuring cyber security, others (such as collecting and storing personal data by VPN providers) fall short of this aim.

The guidelines compel VPN services to collect and store a variety of customer data categories for a period of five years after the client has cancelled their subscription or account. Such extensive data collection and disclosure regulations will hurt not just VPN service providers but also VPN customers’ individual privacy and liberty. It is also worth noting that it is unclear how the five-year data retention duration for VPNs will contribute to increased cyber security, as is the aim of the directions.

What is the road ahead?

At present, storing specific data may prove effective in preventing cyber crimes or incidents. However, such retention is bound to be challenged in the absence of stringent disclosure policies. Excessive data retention, on the other hand, can violate individual fundamental rights, particularly the right to privacy. Such extensive data collection and retention guidelines may have a negative influence on users’ rights and, therefore, such unduly broad clauses must be reconsidered, especially when the Draft Data Protection Bill, 2021 is still pending in the Parliament.

The CERT-In has issued the directions in the absence of public consultation with relevant stakeholders such as technology and cyber security experts. As a result, multiple unwarranted provisions, including the Know Your Customer [KYC] requirement for data centres/VPN/VPS (Direction 5), KYC for virtual asset service providers (Direction 6), and mandatory logging of data (Direction 4) have been included. It is imperative that CERT-In revisits the directions and involves relevant stakeholders in their implementation to improve cyber security.

Data fiduciaries are not legally obligated to inform impacted users in case of a data breach. Furthermore, the directions still lack precise instructions on how to notify a user or customer in the event of a data breach. A legal obligation must certainly be imposed on data fiduciaries through appropriate regulations so that customers can limit the consequences of such breaches. Furthermore, an adequate amount of compensation must also be stipulated by such a regulation for the affected users.