India's CERT given exemption from Right To Information requests

Activists worry investigations may stay secret, and then there's those odd incident reporting requirements

India's government has granted its Computer Emergency Response Team, CERT-In, immunity from Right To Information (RTI) requests – the nation's equivalent of the freedom of information queries in the US, UK, or Australia.

Reasons for the exemption have not been explained, but The Register has reported on one case in which an RTI request embarrassed CERT-In.

That case related to India's sudden decision, in April 2022, to require businesses of all sizes to report infosec incidents to CERT-in within six hours of detection. The rapid reporting requirement applied both to serious incidents like ransomware attacks, and less critical messes like the compromise of a social media account.

CERT-In justified the rules as necessary to defend the nation's cyberspace and gave just sixty days notice for implementation.

The plan generated local and international criticism for being onerous and inconsistent with global reporting standards such as Europe's 72-hour deadline for notifying authorities of data breaches.

The reporting requirements even applied to cloud operators, who were asked to report incidents on tenants' servers. Big Tech therefore opposed the plan.

India gave some ground by extending the compliance deadline for small and medium businesses by an additional 90 days. But the regs eventually came into force, despite CERT-In not explaining how it would ingest or analyze the likely flood of data.

The Register sent multiple requests to CERT-In seeking clarification of its capabilities and the extent of compliance. We received no responses.

Indian outlet MediaNama used an RTI request and learned that a mere 15 entities had complied – and that India recorded 1,391,457 cyber security incidents in all of 2022. If they occurred evenly throughout the year, that would mean roughly 350,000 took place after the September deadline for filing after CERT-In's requirements came into effect.

CERT-In's exemption from India's 2005 Right To Information Act has generated criticism from India's Internet Freedom Foundation (IFF), which called the move "certainly not in the public interest as it weakens the rights of the people by diluting an Act meant to empower them."

"The exclusion of CERT-In from application of the Act, in an environment where data breaches, device vulnerabilities, and deployment of illegal spywares occur frequently, significantly erodes its accountability," the org further alleged.

According to IFF, any exemption of an organization from the RTI must go before parliament, but at this time there is no certainty that will occur for CERT-In.

"The notification which exempted them contains no reasons," warned lawyer and IFF founding director Apar Gupta. "Here, the message is simple: while the Union Government wants to peep into your private lives and then leak it to the world, it does not want to answer any of your questions."

The change has also raised eyebrows in the context of the recent warnings of state-sponsored attacks on Apple devices sent to some Indian politicians. Activists fear an RTI ban may make it harder to learn more about those warnings.

India's IT minister, Rajeev Chandrasekhar, has kept quiet over the change, choosing instead to reprise his fight against deepfakes.

The minister last week held a meeting with social media platforms to discuss deepfakes – the day after the CERT-In RTI exemption announcement was made.

CERT-In reportedly joins 26 other intelligence and security organizations already exempt from the purview of the Act. ®

Send us news

India and EU finally advance HPC collaboration project hatched in 2022

Seek ideas for thorny problems related to both HPC and real-world problems

Microsoft teases deepfake AI that's too powerful to release

VASA-1 framework can turn a still image and a cloned voice file into a plausible video of a person talking

Indian PM's 25-year roadmap laid out with help from AI

AI is so good at drawing pictures and driving cars, why not let it govern a country?

Use of India's CBDC declines, but central bank presses ahead

Work to make the digital rupee programmable has begun

Apple stops warning of 'state-sponsored' attacks, now alerts about 'mercenary spyware'

Report claims India's government, which is accused of using Pegasus at home, was displeased

Australian operation of web host BlueVPS laid low by storage failure

PLUS: AWS expands India payment options; Alibaba co-founders unite in criticism; Korea invests in AI; and more

India's Uber clone Ola Cabs hails ride out of the international market

Australian drivers given two days' notice, UK and New Zealand services also shuttered

OpenAI claims its software can clone your voice from 15 seconds of you talking

Super lab loves to big up things it says it couldn't possibly let loose on the world for now

Vigorous US lobbying reportedly reversed India PC import license scheme

Washington was most displeased and New Delhi knew it made a mistake

Indian court halts operations of government-run social media fact checker

Rights groups protested potential for sneaky censorship of political rivals

India's competition regulator orders Google Play payment probe

Choice of alternative payment providers labelled 'illusory' – because none existed

India celebrates rapid adoption of its internet of livestock

Latest piece of digital public infrastructure is positively beastly