The Indian Computer Emergency Response Team (CERT-in) may soon be exempt from responding to queries under the Right to Information Act, the government informed Parliament on Friday. The Department of Personnel and Training has reviewed a proposal from the Ministry of Electronics and Information Technology to include CERT-in in the Second Schedule to the RTI Act, which deals with exempted organisations like the Central Bureau of Investigation (CBI) and the Border Security Force (BSF).
Inter-departmental consultations are ongoing to examine the proposal, with the Ministry of Law and Justice participating, Minister of State for Electronics and Information Technology Rajeev Chandrasekhar said in the response to Biju Janata Dal MP Amar Patnaik.
The exemption would allow CERT-in to reject any application for information, even on policy related matters. This is significant in light of the April 2022 directions the body issued to require Virtual Private Network (VPN) providers and cryptocurrency firms to preserve user requests. The directions are being challenged in the Delhi High Court, and the government has argued that absolute anonymity online is not acceptable. Several major VPN providers have pulled their servers out of India, arguing that the directions would compromise users’ privacy on the internet.
CERT-in coordinates with public and private organisations in India when cyber incidents like data breaches and ransomware attacks are reported. It also issues advisories for software vulnerabilities as guidance for organisations.
When deliberations on exempting CERT-in from the RTI Act were first reported last May, the Delhi-based Internet Freedom Foundation said in a statement, “On the one hand, CERT-In wants our logs [under the April 2022 Cyber Security Directions], non-compliance with which will lead to one year jail time, but on the other hand, doesn’t want to be transparent to the citizens in return.”