'Assault on Privacy': VPN Providers, Experts Decry CERT-In's New Rules

Industry players and experts have questioned the directions issued by The Indian Computer Emergency Response Team (CERT-In) on 28 April telling Virtual Private Network (VPN) providers, crypto exchanges, and certain other enterprises to maintain customer records for at least five years.

The new rules, slated to come into effect from late June, also require companies to report any cybersecurity incidents to CERT-In within six hours and hand over user information to the government, if so directed.

Experts have pointed out that it is often impossible to even identify, let alone report, cybersecurity breaches within six hours.

While these directions are purportedly aimed at making it easier for the government to analyse and respond to cyber security incidents, the range of data to be stored raises privacy concerns.

Here's what VPN providers, most of which claim to have a strict no-logs policy, had to say about CERT-In's new rules.

Proton VPN said it will remain committed to its no-logs policy and called the regulations an "assault on privacy" that threatens to "put citizens under a microscope of surveillance." It added a link to a three-year-old blog post titled "Using VPN servers in high-risk countries".

Surfshark’s legal head Gytis Malinauskas told Moneycontrol that the service only operates on RAM servers, and cannot comply with the logging requirements. He said that the company was still investigating the new regulations and its implications.

Another VPN service, Windscribe, was more liberal with its language. It told MediaNama that these rules were a "massive overreach on behalf of a so-called democratic government."

In a statement to Mint, Nord VPN, one of the most popular service providers, said it might have to stop operations in India altogether.

“As there are still at least two months left until the law comes into effect, we are currently operating as usual. We are committed to protecting the privacy of our customers therefore, we may remove our servers from India if no other options are left,” spokesperson Patricija Cerniauskaite told the publication.

An Express VPN spokesperson also told Wired that the company would never log user information or activity and will adjust its "operations and infrastructure to preserve this principle if and when necessary".

Washington-based trade association Information Technology Industry Council (ITI) said that the current provisions "may have severe consequences for businesses and customers without solving the genuine security concerns."

"In particular, we have concerns with several of the incident reporting obligations, including the mandatory reporting of cyber incidents within 6 hours of noticing," it said in a letter to CERT-In.

ITI requested the government to open the matter up to a wider stakeholder consultation, take another look at the difficult-to-execute provisions, and delay implementing these directives until there's clarity.

Saikat Datta, Strategic Advisor, The Dialogue, also pointed out that the six hour rule was impractical.

"Without full knowledge of the actual extent of the breach, it is impossible to meet the definition of a “cyber incident” as specified under the Information Technology Act and the subordinate rules," Datta told The Quint.

"How will any entity understand whether “changes to data”, have taken place or not, or whether the breach “threatens public safety” and undermines “public trust” as detailed in the IT Act 2000 and the CERT-In rules, 2013?" he added.

The five-year policy will also mean that VPN providers will see their costs jump significantly, which will then likely have to be borne by the consumer.

"The demand that all records of subscribers, users, etc be retained and maintained for five years will have a profound impact, not only on privacy and data protection of the users, but also impose major financial costs for the companies providing these services," said Datta.

(With inputs from Moneycontrol, MediaNama and Mint)