The Indian Computer Emergency Response Team (CERT-In) has directed Virtual Private Network (VPN) providers, crypto exchanges, and other service providers to maintain customer records for at least five years.
The body, which operates under the Ministry of Electronics and Information Technology, added that service providers will have to hand over user information within a specified timeline, if it orders them to do so.
The new directions will be applicable from late June, it said.
CERT-In gets its powers from Section 70B of The Information Technology Act, 2000, which says those who don't comply with the directions might face "imprisonment for a term which may extend to one year or with fine which may extend to one lakh rupees or with both."
Since VPNs are often used for anonymous browsing, most providers presently claim a strict "no-log" policy, meaning they do not record which user connected when, which IP address that user was assigned, or what the user did while connected. The logging the new directions require is directly at odds with such a policy.
What Data Does CERT-In Want?
Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers, CERT-In said, will be required to maintain logs of the following information:
Validated names of subscribers/customers hiring the services
Period of hire including dates
IPs allotted to/being used by the members
Email address and IP address and time stamp used at the time of registration/on-boarding
Purpose for hiring services
Validated address and contact numbers
Ownership pattern of the subscribers/customers hiring services
Meanwhile, virtual asset service providers, virtual asset exchange providers and custodian wallet providers have been directed to maintain all information obtained from the Know Your Customer (KYC) process and records of financial transactions for a period of five years.
This includes identifying information such as IP addresses with timestamps and time zones, transaction IDs, the public keys (or equivalent) and addresses or accounts involved, the nature and date of the transaction, and the amount transferred.
CERT-In can demand this information for the purposes of "cyber incident response, protective and preventive actions related to cyber incidents."
The body said this will help "ensure cyber security in the area of payments and financial markets for citizens while protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets."
"Any service provider, intermediary, data centre, body corporate and Government organisation shall mandatorily report cyber incidents to CERT-In within 6 hours of noticing such incidents or being brought to notice about such incidents," it added.
Data Privacy and Storage Costs
The notification says that these directions are intended to make it easier for CERT-In to analyse and respond to cyber security incidents. However, the breadth of the data that service providers are being asked to collect and store raises serious privacy concerns.
"While well-intentioned, the new rules contain vastly expanded data retention requirements as compared to industry norms. Forcing private players to collect such information without a strong data protection law places the privacy of the average user at risk," said Udbhav Tiwari, Senior Manager, Global Public Policy, Mozilla.
"The rules should be reevaluated under the principles of necessity and proportionality to balance legitimate interests with the fundamental right to privacy guaranteed to every Indian."
Udbhav Tiwari, Mozilla
The five-year retention requirement will also raise providers' storage and compliance costs significantly, and those costs are likely to be passed on to consumers.
"The demand that all records of subscribers, users, etc be retained and maintained for five years will have a profound impact, not only on privacy and data protection of the users, but also impose major financial costs for the companies providing these services," said Saikat Datta, Strategic Advisor, The Dialogue.
"If you burden companies with more costs, it will eventually degrade their business performance as well as their cybersecurity posture. This could have a negative impact on the overall IT and IT-enabled services and products."
Saikat Datta, The Dialogue
"When it comes to the adoption of VPNs in India, it was around 3.5 percent at the beginning of the year, and in only the first half of 2021 it grew to 25.7 percent. So the sector is already looking at huge growth. And this is detrimental to the ongoing trajectory," said Anshul Dhir, COO and co-founder, EasyFi Network.
Last year, the Parliamentary Standing Committee on Home Affairs asked the Indian government to block access to virtual private networks, alleging that such services enable 'criminals to remain anonymous online.'