In a move that has raised concerns about transparency and accountability, the Indian Computer Emergency Response Team (CERT-In) has been exempted from the Right to Information (RTI) Act of 2005 by the Indian government.
The Department of Personnel and Training (DoPT) issued a notification on Friday exempting CERT-In from RTI queries under the powers given to it by Section 24 (2) of the RTI Act, 2005. As of writing this piece, the notification is not visible on the official Gazette of India website maintained by the Directorate of Printing, Department of Publication under the Ministry of Housing and Urban Affairs.
This makes CERT-In the 27th government organisation exempted under RTI. Other organisations where RTI doesn’t apply include the Intelligence Bureau, Research and Analysis Wing of the Cabinet Secretariat, Directorate of Revenue Intelligence, Central Economic Intelligence Bureau, Narcotics Control Bureau, and Special Frontier Force.
The section reads as follows: “The Central Government may, by notification in the Official Gazette, amend the Schedule by including therein any other intelligence or security organisation established by that Government or omitting therefrom any organisation already specified therein and on the publication of such notification, such organisation shall be deemed to be included in or, as the case may be, omitted from the Schedule.”
The process to exclude CERT-In from the ambit of RTI started somewhere around the March end of this year. The Hindu reported on March 31 that DoPT is reviewing the proposals from the Ministry of Electronics and Information Technology to include CERT-In in the second schedule of the RTI Act.
In May, The Economic Times reported that DoPT is in the final stages of completing the process, and the discussions of the committee of secretaries with the Cabinet Secretary are complete.
This development comes at a time when cybersecurity incidents are on the rise in India, making it crucial for the public to be informed about the measures taken by CERT-In to address these issues.
“This move is certainly not in the public interest as it weakens the rights of the people by diluting an Act meant to empower them. The exclusion of CERT-In from the application of the Act, in an environment where data breaches, device vulnerabilities, and deployment of illegal spyware occur frequently, significantly erodes its accountability,” said the Internet Freedom Foundation.
The exemptions limit public access to information and hamper the scrutiny of implementing cybersecurity directions issues by CERT-In in April 2022. These infamous directions were criticised by various sections of civil society and were found to have unclear and challenging provisions.
CERT-In is India’s nodal agency to combat cybercrime and draws power from the Information Technology Amendment Act, 2008. The Act gives various powers to the organisations, including collecting, analysing and disseminating cyber security incidents, issuing guidelines and alerts, and handling other cybersecurity-related incidents as prescribed.
With the agency’s newfound immunity from RTI requests, it now functions more like a black box, further intensifying concerns about the lack of openness surrounding its operations.
In the News: Dbrand and Zack Nelson are suing Casetify for design theft
