The Indian Computer Emergency Response Team (CERT-In) released directions on April 28 that have sparked severe privacy concerns. CERT-In is the federal agency in charge of analysing cyber threats and responding to cybercrime reports.
According to the guidelines, Virtual Private Network [VPN] providers must gather and preserve data on their customers for at least five years.
Section 70B of the Information Technology [IT] Act of 2000 has been invoked to issue the directives.
As more personal data is digitised and stored online, data leaks and breaches have become increasingly frequent. It is usually independent cyber-activity researchers who notify us of such leaks and breaches, rather than the data fiduciaries who are tasked with collecting and preserving our data and who owe a duty to the persons from whom that data is gathered.
The new directions attempt to close this gap, which CERT-In has highlighted as a problem when responding to cyber incidents.
What does the relevant direction say?
According to Direction 5, Data Centres, Virtual Private Server [VPS] providers, Cloud Service providers and VPNs must register their users’ information and store it for a period of at least five years, and longer if mandated by the law. Such information must be tracked and maintained even after the user has cancelled their subscription to the service.
The directives are in direct conflict with the main function of VPNs, which is to mask users’ IP addresses from Internet Service Providers (ISPs) and other third parties. This prevents ISPs and third parties from seeing which websites a user visits and what data is sent and received online. Most VPN services refrain from storing logs of their users’ activities for the same reason.
The new rules, which are set to take effect in late June, also require businesses to report any cybersecurity incident to CERT-In within six hours and, if requested, to hand over user information to the government.
Cybersecurity breaches are typically hard to detect, let alone disclose, within six hours, according to experts.
While the goal of these guidelines is to make it easier for the government to analyse and respond to cyber security problems, the amount of data that will be maintained raises privacy issues.
“The new Indian VPN regulations are an assault on #privacy and threaten to put citizens under a microscope of surveillance,” Proton VPN commented.
Its tweet reads as follows:
The new Indian VPN regulations are an assault on #privacy and threaten to put citizens under a microscope of surveillance. We remain committed to our no-logs policy and recommend everyone using our servers in India to follow these guidelines: https://t.co/85WTkUJ5Z6. (1/2) — ProtonVPN (@ProtonVPN), May 5, 2022
Nord VPN has suggested that it might stop its operations in India altogether.
Washington-based trade association Information Technology Industry Council (ITI) said that the current provisions “may have severe consequences for businesses and customers without solving the genuine security concerns.”
“In particular, we have concerns with several of the incident reporting obligations, including the mandatory reporting of cyber incidents within 6 hours of noticing,” it said in a letter to CERT-In.
ITI requested that the government open the matter to a wider stakeholder consultation, reconsider the provisions that are difficult to execute, and delay implementing the directives until there is clarity.