CERT-In Guidelines on Cybersecurity: An Explainer

On April 28, 2022, the Indian Computer Emergency Response Team (CERT-In) issued fresh directions (No. 20(3)/2022-CERT-In) under section 70B of the Information Technology (IT) Act, 2000 in relation to the information security practices, procedure, prevention, response, and reporting of cyber incidents. Issued without public consultations, these directions raise serious concerns related to state-sponsored surveillance and data retention beyond need or purpose. Therefore, we call on CERT-In to recall these directions.

This is a companion discussion topic for the original entry at https://internetfreedom.in/cert-in-guidelines-on-cybersecurity-an-explainer/

“According to sources, the agency could clarify that the norms apply only to VPN providers who offer “Internet proxy like services” to “general Internet subscribers”, and not to corporate VPN service providers.” :point_down:

This is exactly what I feared would happen. Businesses cannot operate without a VPN (needed for “work from home” etc.). So, make an exception for them, but violate citizens’ privacy?!

Folks, we need to somehow get CERT-In to withdraw these rules (for everybody) and rework them based on proper public consultations.
@tejasi_panjiar @Anushka @prateekwaghre @aparatbar


Thank you for reaching out to us with your concern, sir. We strongly concur with your suggestion to convince CERT-In to withdraw the directions and hold fresh public consultation. We are pleased to inform you that IFF has had the same demand from CERT-In since the directions were released. But we recognise that the road to victory is long and difficult. In our efforts to achieve our goal, we have taken the following steps:

  1. Published an explainer of the CERT-In directions on our website, with the aim of raising awareness about the concerning provisions (link).
  2. Held a Members’ Call on 14th May to further enable conversation and dialogue on the directions (link).
  3. Acting in public interest, we publicly released an FAQ document which was circulated internally by CERT-In among the press and some sections of industry. In our efforts to advance transparency & public engagement, we are linking the document here as well (link). Please find our initial analysis of the FAQs here.

Following are the steps we plan on taking to continue our efforts towards achieving the goals:

  1. Publish an in-depth analysis of the final FAQ document once it is released publicly by CERT-In.
  2. Potentially sign a joint letter shared by Access Now and supported by other organisations, to further put pressure on CERT-In.
  3. Write a direct representation to CERT-In, elaborating on our concerns and demands.

We hope that CERT-In considers our recommendations and continues to fight cyber security failures in India with the right intent. We promise to keep you as well as all our readers posted about any updates on the matter.


Thanks @tejasi_panjiar for the thoughtful and detailed response!
I fully support your plan for an appropriate joint letter by a broad coalition of Indian digital rights organizations. If it makes sense, such a joint letter could even be open to the general public for online endorsement/signature.

As you say, “the road to victory is long and difficult”, but then again, I am confident of the abilities of the amazing IFF team.
Thanks again and keep up the good work!
