FAQ: Despite Concerns, India’s Keeping Its New VPN Rules – All You Need To Know
The rules also require tech companies to report data breaches within six hours of noticing them.
The government on Wednesday, 18 May, said that it isn't making changes to the new rules that force Virtual Private Network (VPN) providers, cloud service providers and crypto exchanges to maintain user logs for five years.
The rules, issued by Indian Computer Emergency Response Team (CERT-In), also require tech companies to report data breaches within six hours of noticing them.
Even though industry players and experts had expressed concerns about privacy, impracticality, and increasing costs, Minister of State for Electronics and IT Rajeev Chandrashekhar said that there will be no changes going forward.
Here's all you need to know about the new rules.
Who all are required to maintain user logs for 5 years?
Data centres, virtual private server (VPS) providers, cloud service providers and virtual private network (VPN) providers, will be required to maintain user logs for a period of 5 years.
However, this rule won't apply to corporate and enterprise VPNs, only to "internet proxy like services" being used by "general internet subscribers or users".
What information will they keep with them?
Validated names of subscribers or customers
Period of hire, including dates
IPs allotted to or being used by the members
Email address, IP address, and time stamp used at the time of registration or on-boarding
Purpose for hiring services
Validated address and contact numbers
Ownership pattern of the subscribers or customers
What about crypto exchanges?
All virtual asset service providers, virtual asset exchange providers and
crypto wallet providers will have to mandatorily maintain all information obtained as part of Know Your Customer (KYC).
They will also have to maintain records of financial transactions for a period of five years in such a way that individual transactions can be reconstructed and relevant parties can be identified.
What do the rules say about reporting cybersecurity incidents?
According to the new rules, every "service provider, intermediary, data centre, body corporate and government organisation" is required to a report cyber incident, as specified by CERT-In, within 6 hours of noticing it or being brought to notice about it.
They also have to maintain IT and communications logs for six months.
Can the government access the logged data?
Yes, the new rules require all the aforementioned service providers and tech companies to provide the logged data in a specified format, whenever CERT-In asks for it.
CERT-In says it will only ask for the data for the purposes of "cyber
incident response, protective and preventive actions related to cyber
How did the industry and experts react to the rules?
Experts have pointed out that it is often impossible to even identify, let alone report, cybersecurity breaches within six hours. The range of data that the government wants collected also raises privacy concerns.
Several VPN providers said that they were committed to their no-logs policy and Nord VPN even indicated that it would remove its servers from India.
A Washington-based trade association requested the government to open the matter up to a wider stakeholder consultation and delay implementing these directives until there's clarity.
What happens to those who don't comply?
Rajeev Chandrashekhar said that the service providers who want to "hide and be anonymous about those who use VPNs" and don't want to follow the new rules will have no choice but to pull out from the country.
On the six hour report time, he said that India was being "very generous" because several other countries have even stricter requirements.
CERT-In gets its powers from Section 70B of The Information Technology Act, 2000, which means those who don't comply with the directions might face "imprisonment for a term which may extend to one year or with fine which may extend to one lakh rupees or with both."
When will the new rules come into effect?
The new rules are slated to kick in from late June – exactly 60 days from the date of issuance, which was 28 April.
Subscribe To Our Daily Newsletter And Get News Delivered Straight To Your Inbox.