India Requires Internet Services to Collect and Store Vast Amount of Customer Data, Building a Path to Mass Surveillance

Privacy and online free expression are once again under threat in India, thanks to vaguely worded cybersecurity directions—promulgated by India’s Computer Emergency Response Team (CERT-In) earlier this year—that impose draconian mass surveillance obligations on internet services, threatening privacy and anonymity and weakening security online.

Directions 20(3)/2022 - CERT-In came into effect on June 28th, sixty days after being published without stakeholder consultation. Astonishingly, India’s Minister of State for Electronics and Information Technology (MeitY) Rajeev Chandrasekhar said the government wasn’t required to get public input because the directions have “no effect on citizens.” The Directionsn itself states that they  were needed to help India defend against cybersecurity attacks, protect the security of the state and public order, and prevent offenses involving computers. Chandrasekhar said the agency consulted with entities “who run the relevant infrastructure,” without naming them.

Cybersecurity law and policy directly impact human rights, particularly the right to privacy, freedom of expression, and association. Across the world, national cybersecurity policies have emerged to protect the internet, critical infrastructure, and other technologies against malicious actors. However, overly broad and poorly defined proposals open the door to unintended consequences, leading to human rights abuses, and harming innovation. The Directions enable surveillance and jeopardize the right to privacy in India, raising alarms among human rights and digital rights defenders. A global NGO coalition has called upon CERT-in to withdraw the Directions and initiate a sustained multi-stakeholder consultation with human rights and security experts to strengthen cybersecurity while ensuring robust human rights protections. 

The Internet Freedom Foundation (IFF) in India has called on CERT-In to recall the directions, saying the data retention requirements are excessive. The organization has also urged CERT-In to seek input from technical and cybersecurity experts and civil society organizations to revise them.

Read the full article on Electronic Frontier Foundation https://www.eff.org/deeplinks/2022/12/india-requires-internet-services-collect-and-store-vast-amount-customer-data

#india #privacy #free #expression #mass #surveillance #humanrights #yokdata #blog