An amendment to the Second Schedule to the RTI Act, 2005 was notified by the Department of Personnel and Training (DoPT) on November 24, 2023, exempting the Indian Computer Emergency Response Team (CERT-In) from providing information under the Act. This move is certainly not in the public interest, as it weakens the rights of the people by diluting an Act meant to empower them. Excluding CERT-In from the application of the Act, in an environment where data breaches, device vulnerabilities, and deployment of illegal spyware occur frequently, significantly erodes its accountability. Around 29,20,52,503 Indians were reportedly affected by a breach from 2004 till the second quarter of 2023, i.e. 9904 breaches per 1 lakh people. The average cost of a data breach in India is at an all-time high, at ₹17.9 crore in 2023. An institution such as CERT-In, whose actions or inaction are consequential for the state of cyber security and individual privacy in the country, must remain under the purview of the Act.
An in-principle agreement to exempt CERT-In was reportedly reached in May 2022. Earlier that year, in March, a Parliamentary response stated that a proposal to include CERT-In in the Second Schedule to the RTI Act was under review. Although the decision has now been formalised through the notified amendment, Section 24(3) of the RTI Act, 2005 requires that any notification exempting an organisation be placed before Parliament (or the state assembly) for scrutiny. It remains to be seen whether this rights-diluting notification will be placed before Parliament and subjected to the scrutiny it deserves.
An attack on the RTI Act
The RTI Act was enacted to promote transparency and accountability in the operations of Indian public authorities, and to prevent them from acting in private interest or otherwise undermining democratic processes. When organisations that investigate cyber-security vulnerabilities in public and private infrastructure, such as CERT-In, are made opaque, decisions impacting citizens' right to privacy are shielded from scrutiny and accountability. This step patently undermines citizens' constitutional rights to privacy and to information.
The infamous 2022 CERT-In Directions
The data security and privacy concerns arising from Direction No. 20(3)/2022-CERT-In ("2022 Directions") make this exemption even more alarming. The 2022 Directions impose overbroad compliance requirements, at the cost of user privacy, on a range of services, including but not limited to data centres, virtual private server (VPS) providers, cloud service providers, and Virtual Private Network (VPN) service providers. These requirements range from enabling logs and storing them within Indian jurisdiction for a rolling period of 180 days (Direction 4) to maintaining extremely detailed and invasive personal information about users, even after a user cancels or withdraws their registration (Direction 5).
Non-compliance with these Directions is a punishable offence carrying imprisonment of up to a year and/or a fine. Furthermore, these services may be required to hand over this information to CERT-In at any time. The 2022 Directions place no limits on how long CERT-In may retain this data or with whom it may share it. After the release of the 2022 Directions, several prominent and widely used VPN providers pulled their servers out of India rather than compromise their users' privacy on the internet.
The need for transparency
It is interesting and unfortunate that, on one hand, CERT-In demands our logs and data under the garb of addressing cyber security incidents, with non-compliance carrying a year's jail time, while on the other hand it does not itself want to be transparent and accountable to citizens. This discrepancy in how MeitY envisions citizens' interaction with the state is also visible in Section 15(c) of the Digital Personal Data Protection Act, 2023, under which individuals are bound to share information with the State or any of its instrumentalities, while the latter has no such obligation and is instead protected against it. Such inconsistent and continued steps to weaken accountability mechanisms towards citizens inflict untold damage on our digital rights.
Given that most companies fail even to acknowledge these breaches, resulting in a near-complete lack of information, IFF recognised the need to maintain a public list of data breaches that have occurred in the country since 2020 on a publicly accessible database, PlugTheBreach. IFF also provided legal assistance in a petition before the Delhi High Court challenging the legality of the 2022 Directions. IFF filed RTIs with CERT-In to better understand the institutional process put in place to implement the 2022 Directions. Disappointingly, CERT-In's replies were non-responsive and evasive, hindering our efforts to gather the necessary information and understand the processes in place.