Cybersecurity has been an important policy concern for the Indian government since at least the early 1990s. Until today, however, the landscape of its cybersecurity policies remains an uneven patchwork. In particular, as this essay will illustrate, where the concerns of technology users are at odds with the interests of law enforcement and intelligence agencies, the former tend to lose out. Thus, while India was one of the first countries, in 2000, to pass a law dealing with cybercrime and electronic commerce and has, in 2019, also approved law to strengthen consumer protection in the digital age, at the time of writing the country still does not have a horizontal personal data protection law. At the same time, law enforcement and intelligence agencies can legally access and retain user data under a wide range of loosely worded provisions. In the absence of additional checks and balances, the relationship between the citizens of India and the state is, thus, fundamentally reconfigured. Moreover, with the focus so firmly on surveillance and control of digital spaces, other aspects of cybersecurity policy, such as cyberdefence, have taken a backseat.