The constitutionality of the new Indian CERT-In VPN rules

Abstract

This article examines the constitutionality of the Cyber Security Directions released by Computer Emergency Response Team India (CERT-In). The new guidelines issued by CERT-In, the nodal agency of the Ministry of Electronics and Information Technology, have been in the news in India due to concerns being raised by various companies and privacy watchdogs like the Internet Freedom Foundation that the guidelines were affecting the fundamental right to privacy and personal autonomy of the individuals. The guidelines promulgated give CERT-In the authority to demand and retain various kinds of personally identifiable information for more than 5 years. The mandates related to virtual private network service providers are unreasonable and violative of user privacy, while the domain of information that is to be collected is ambiguous and unspecified for the purpose, thus increasing the chances of surveillance and potential censorship. The authors also give suggestions on how to overcome anomalies which are present in the guidelines issued by CERT-In.