A Draft for Cyber (In)Security: IFF’s Analysis of the Draft Telecom Cyber Security Rules, 2024

This post includes our in-depth analysis of the draft Telecom Cyber Security Rules, 2024, along with a table comparing the 2024 draft Rules with the corresponding provisions under the Prevention of the Tampering of the Mobile Device Equipment Identification Number Rules, 2017.

24 September, 2024
11 min read

tl;dr

On August 28, 2024, the Department of Telecommunications [“DoT”], Ministry of Communications [“MoC”] released the draft Telecommunications (Telecom Cyber Security) Rules, 2024 [“Cyber Security Rules, 2024”]. First published in the e-Gazette on August 29, 2024, the MoC also released three other draft Rules alongside the Cyber Security Rules, covering internet shutdown, telecom interception, and critical telecom infrastructure. The MoC is seeking objections or suggestions within 30 days of their publication. Given the wide-ranging implications of these draft Rules on our constitutional freedoms, we will be releasing a detailed analysis of each of the Rules (read our in-depth analysis of the draft Suspension Rules, 2024 here and draft Interception Rules, 2024 here). This post includes our in-depth analysis of the draft Cyber Security Rules, 2024, along with a table comparing the relevant modifications/ revisions under the Cyber Security Rules, 2024 with the corresponding provisions under the Prevention of the Tampering of the Mobile Device Equipment Identification Number Rules, 2017 and the Mobile Device Equipment Identification Number (Amendment) Rules, 2022.

Important documents

  1. Draft Telecom Cyber Security Rules, 2024 (link)
  2. Prevention of the Tampering of the Mobile Device Equipment Identification Number Rules, 2017 (link)
  3. Mobile Device Equipment Identification Number (Amendment) Rules, 2022 (link)
  4. IFF’s analysis of the draft Cyber Security Rules, 2024 (link)
  5. The Telecommunications Act, 2023 (link)
  6. e-Gazette notification for enforcement of sections of the Telecommunications Act, 2023 dated June 21, 2024 (link)
  7. Public Brief on draft Indian Telecommunication Bill, 2022 dated October 27, 2022 (link)
  8. IFF’s first read of the Telecom Bill, 2023 (link)

Background

These draft Rules have been released in pursuance of Section 22(1) read with Section 56(2)(v) of the Telecommunications [“Telecom”] Act, 2023, which was enacted amid widespread chaos in the Parliament while over 140 opposition Members were suspended. The Telecom Act, 2023 received Presidential Assent and was published in the gazette on December 24, 2024. On June 21, 2024, the MoC issued a gazette notification to bring into effect certain sections of the Act, namely Sections 1, 2, 10 to 30, 42 to 44, 46, 47, 50 to 58, 61 and 62, from June 26, 2024. 

The draft 2024 Rules seek to supersede the Prevention of the Tampering of the Mobile Device Equipment Identification Number Rules, 2017 and the Mobile Device Equipment Identification Number (Amendment) Rules, 2022 under the Indian Telegraph Act, 1885. The draft Cyber Security Rules, 2024 will not override existing registrations issued under the old regime and the terms and conditions for such actions will continue to apply. As per a statement made by the Union Minister of Communications, Jyotiraditya Scindia, in July 2024, all the Rules and provisions of the Telecom Act, 2023 will be notified within six months. While some of the Telecom Rules have been notified, and some released for public input, some Rules are yet to be released. 

Comparative analysis of the draft Interception Rules, 2024 

  1. Overbroad and ambiguous definitions: The definition of ‘telecom cyber security’ lists the various telecom services, networks, and assets that may be safeguarded against cyber security risks. One of the listed services is ‘applications’, a term that is undefined in both the 2024 Rules and the Telecom Act, 2023. The term raises concerns about the potential inclusion of online communication services/ applications under the scope of the Rules. The ambiguous phrasing of ‘traffic data’ may also be interpreted broadly to include the contents of messages within its definition. As per our analysis of the Telecom Act, 2023, the overbroad and ambiguous definitions of ‘telecommunication’ and ‘telecommunication service’ in the Act may be re-interpreted or further expanded in the future to bring online communication services, such as Signal, under the scope of the Act.
  2. Executive powers in the absence of safeguards: The draft 2024 Rules empower the Union government to issue directions to telecom entities to block the use of telecom equipment with a tampered IMEI number, a provision that did not exist in the 2017 Rules. The draft Rules do not specify which authority within the Union Government will issue such directions, whether a hearing process will be conducted, or if the aggrieved person will be allowed to be heard. Additionally, Rule 8(5) lacks provisions for any review or appeal mechanisms an aggrieved or affected user may avail. This provision exists in the absence of any safeguards to ensure accountability of the state as well as any transparency/ clarity around the nature and/or scope of the directions.

Rule 5(2) allows the Union government to identify the person allegedly responsible for endangering telecom cyber security and to issue a notice to them. Although safeguards such as providing them with a reasoned order and a reasonable opportunity of being heard before an order is passed exist under the draft Rules, Rule 5(6) eliminates the right to a hearing provided under Rule 5(4) by allowing the Union government to bypass the notice requirement [Rule 5(2)] and directly pass a reasoned order with directions to temporarily suspend the use of a telecom identifier if deemed necessary in the "public interest" under sub-rule (5). The Rules fail to define what constitutes "public interest" or to specify the criteria for issuing such ex parte orders. Consequently, this lack of clarity and procedural safeguards undermines the principles of natural justice, transparency, and fairness, potentially leading to arbitrary and unjust decisions without affected parties being given an opportunity to contest or respond.

Rule 5 of the draft Rules fails to introduce provisions for independent review of, and parliamentary or judicial oversight over, the orders passed by the Union government. The Rules also lack any appeal or grievance redressal mechanism. Another missing safeguard is the absence of any obligation on the Union government to proactively disclose statistical, anonymised data about the number of orders issued, the reasons for issuing them, and so on.

Rule 5(9) allows the Union government to maintain a repository of persons and telecom identifiers against whom action has been taken under the Cyber Security Rules, 2024 and even share this list with other persons providing services using the telecom identifiers [Rule 5(10)]. Under Rule 5(9), the Union government can direct telecom entities to prohibit or limit the access to telecom services to such persons and under Rule 5(10), direct entities “to prohibit or circumscribe the use of such telecommunication identifiers for identification of their customers or for delivery of their services in the manner as may be specified.” This provision may have surveillance concerns as well as disproportionate consequences on individual freedom of speech and expression and the right to receive information.

  3. Data collection, sharing, and analysis: The 2024 Rules allow the Union government (or any authorised agency) to collect traffic data as well as any other data from telecom entities [Rule 3(1)(a)]. Additionally, the Rules also empower the government to direct a telecom entity to establish the necessary infrastructure and equipment for data collection, processing, and storage [Rule 3(1)(b)]. Such overbroad and vague provisions have been introduced in the absence of any safeguard, and the provisions pertaining to the development of telecom infrastructure do not abide by the ‘privacy by design’ approach. Rule 3(2) does not specify which authority/ entity can analyse the collected data. Further, the Union government may, to ensure telecom cyber security, allow the collected data to be shared with any Union government agency engaged in law enforcement and security-related activities, as well as with telecom entities or users. The overbroad phrasing used for both the justification for sharing the data (“protecting and ensuring telecom cyber security”) and the entities with whom such data may be shared opens this provision up to potential misuse. The draft Rules also do not specify any limitation on the duration for which such collected data can be stored, either by the telecom entity or by the entities/ users with whom it has been shared, effectively allowing data to be retained indefinitely without any legal or procedural constraints.

Notably, Rule 3(3) imposes an obligation on the entities collecting data and receiving the collected data to put in place ‘adequate safeguards’. The Rules, however, fail to elaborate upon what level of safeguards will be considered ‘adequate’. Rule 6 of the Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011 (“SPDI Rules, 2011”), which will soon be superseded by the DPDPA, 2023, states that “disclosure of sensitive personal data by a body corporate to any third party shall require prior permission from the provider of such information, who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the body corporate and provider of information, or where the disclosure is necessary for compliance of a legal obligation”. Notably, the SPDI Rules do exempt the entity from obtaining prior consent for sharing information with government agencies for certain purposes [Rule 6(1): “verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offence”]. However, the SPDI Rules require the government agency to send a request, in writing, to the body corporate, “stating clearly the purpose of seeking such information”. Similar safeguards are missing from the draft Rules.

While these provisions under the SPDI Rules pertain to ‘sensitive personal data’, the Cyber Security Rules, 2024 miss an opportunity to expand the obligations to all instances of data collection, sharing, and analysis. The SPDI Rules also require the government agency to state that the information obtained shall not be published or shared with any other person. Rule 8(4) of the SPDI Rules also prohibits the third party receiving the sensitive personal data from disclosing it further. While Rule 3(4) of the Cyber Security Rules, 2024 does introduce the principle of purpose limitation by limiting the use and disclosure of collected data to ensuring telecom cyber security, the overbroad exemptions afforded to the Union government and its instrumentalities from the application of the Digital Personal Data Protection Act (“DPDPA”), 2023 render much of these safeguards meaningless.

  4. Compliance requirements for telecom entities: The draft Rules require telecom entities to “maintain logs of elements involved in telecommunication services, or telecommunication network or any other element required for security of telecommunications service or telecommunications network” and to “maintain all records or logs specified herein” for a period that will be specified by the Union government. With respect to the timeline for maintaining records, the draft Rules do not comply with privacy-advancing storage limitation and data retention principles, and further sub-delegate already delegated powers, which creates uncertainty for entities that will have to comply with such overbroad provisions. The Rules also fail to specify different thresholds for different entities based on the type/size of the entity and their capacity to undertake these compliance requirements. Notably, neither the draft Rules nor the parent Act define “logs” or “records”, thus leaving this provision open to subjective interpretation. The telecom entities are also expected to share the logs/ records with, and provide necessary support to, the agency or person authorised by the Union government. Ambiguity over what is covered under “elements involved” in telecom services or networks and “elements required” for their security leads to concerns around the potential violation of the internationally recognised principles of purpose limitation and data minimisation.

If the scope of the Telecom Act, 2023 is expanded to include ‘OTT’ communication services, certain service providers such as Signal, as well as certain VPNs such as Proton, which claim not to retain any logs due to their privacy-respecting practices, may have to alter their fundamental modus operandi to collect more information, which may go against their business ethos, or they may be forced to exit the Indian market as a result of these requirements. In fact, as a result of the 2022 CERT-In Directions, which also included provisions relating to the maintenance of logs and the sharing of such records with the Indian Computer Emergency Response Team (“CERT-In”), several prominent VPN services such as ExpressVPN, NordVPN and Surfshark decided to stop doing business in India, and ProtonVPN classified India as a high-risk country. Such provisions also have an implication on the fundamental right to practise any profession or to carry on any occupation, trade or business under Article 19(1)(g), and on the cost of doing business, as smaller entities may not have the technical capability, capacity or resources to bear this additional compliance and cost burden.

While the draft Rules mandate the maintenance of secure logs/ records, there is no defined security threshold or standard, leaving the implementation of security measures ambiguous and potentially inadequate. Further, the provision pertaining to the maintenance of logs/ records does not cite the specific purpose for which records are maintained and shared with authorised entities, resulting in a lack of clarity and oversight regarding the use and handling of such records. Lastly, the Rules do not specify any limitation on the duration for which records can be stored, effectively allowing records to be retained indefinitely without any legal or procedural constraints.

  5. Potential threats to encrypted platforms: The draft Rules include provisions for identifying the person allegedly responsible for endangering telecom cyber security and issuing a notice to them. As previously mentioned, if the applicability of the Telecom Act, 2023 is expanded to “OTT” communication platforms, this provision may directly threaten online communication applications/ platforms which are end-to-end encrypted. Further, the phrase “as it may consider necessary to identify, or for enabling any person and other stakeholders to identify and report any act that endangers telecom cyber security” raises concerns about the potential introduction of mechanisms for tracing the originator of a message. Rule 4(2) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 [“IT Rules, 2021”] requires major social media platforms/ intermediaries to enable traceability of the origin of information, although many platforms employ encryption and minimal data retention practices for security. A challenge to the constitutional validity of Rule 4(2) of the IT Rules, 2021 is pending before the Delhi High Court. Regrettably, the Telecom Act, 2023 and the draft Cyber Security Rules, 2024 fail to introduce meaningful reforms in surveillance practices.
  6. Security incident reporting mechanisms: The 2024 Rules also require the telecom entity to report ‘any security incident’, along with the relevant details specified under the Rules, to the Union Government within 6 hours. While the telecom entities will be required to investigate and assess the security incident, compliance with a uniform reporting timeline of 6 hours may be infeasible for many entities and for certain kinds of security incident. Such overbroad provisions will also increase the compliance and cost burden on MSME entities.

The CERT-In 2022 Direction instructs all entities to mandatorily report cyber incidents to CERT-In within 6 hours of noticing such incidents or being brought to notice about such incidents (Direction ii). Much like the CERT-In Directions, the draft Rules fail to take into account the type/size of the entities affected, their capacity to respond, the severity of the incident and the scale of impact, and accordingly to specify reasonable reporting timeframes. The draft Rules require the telecom entities to report a security incident within 6 hours of its occurrence, whereas the DPDPA, 2023 does not specify any timeline for reporting breaches, and the underlying Rules which may outline such details are yet to be released.

The second iteration of the Network and Information Systems (“NIS2”) Directive in the European Union was introduced to accelerate and establish a higher level of cybersecurity and resilience within organisations of the region. Under the NIS2 Directive, every incident with significant impact must be notified by the essential and important entities without undue delay. Within 24 hours, organisations are expected to communicate an early warning, as well as some first presumptions regarding the kind of incident, to the competent authority. After 72 hours, organisations must share a full notification report, containing the assessment of the incident, its severity and impact, and indicators of compromise. After 1 month, a final report must be communicated. Such a graded approach is missing in the draft Cyber Security Rules, 2024.

Rule 7(2) does include a provision pertaining to informing the public at large about a security incident, however, such disclosure is contingent on whether the Union government believes it to be in ‘public interest’. If the government determines that the disclosure is not in ‘public interest’, the government may choose to not inform the public, including the affected users, about the security incident. The various concerns that emerge from this provision are:

  1. This provision is inconsistent with Rule 8(6) of the DPDPA, 2023, which mandates all data fiduciaries to inform “each affected Data Principal” in the event of a data breach. This rights-advancing provision is missing from the Cyber Security Rules, 2024.
  2. It is unclear how the inconsistency between the DPDPA, 2023 and the Telecom Act, 2023 will be resolved in the event of a personal data breach suffered by a telecom entity. 
  3. Since the contours of what would constitute ‘public interest’ have not been outlined, the scope for selective or subjective application, and consequentially, potential misuse of this provision exists. 
  4. Rule 7(2) only requires the Union government to disclose the security incident to the public and not share the relevant details about the security incident, an obligation that has been imposed on the telecom entity under the draft Rules. 

This post was drafted with the assistance of Kumar Utsav, Policy Intern at Internet Freedom Foundation.
