The Indian Computer Emergency Response Team (CERT-In) is set to come out with a clarification on the April 28 directions, with it likely to state that the rules of maintaining customer logs may not apply to enterprise and corporate virtual private networks.
The April 28 directions stated that “virtual private server (VPS) providers” and “VPN service providers” will be required to maintain logs, including names of customers, their IP addresses, etc., for a period of five years. Since then, this mandate has raised privacy concerns and has also been criticised by major VPN companies such as NordVPN, Surfshark and others.
According to information available with Moneycontrol, the term “VPN service providers” will apply only to entities that provide ‘internet proxy like services’ through the use of VPN technologies to general Internet subscribers. These recommendations and clarifications have still not been finalised, and are expected to be released in the coming days.
The clarifications are also likely to mandate that service providers, data centres and body corporates that do not yet have a physical presence in India will be required to designate a point of contact for liaising with CERT-In. Apart from that, CERT-In is expected to clarify that non-compliance with the April 28 directions, which were issued under Sec 70B of the IT Act 2000, will attract the penal provisions of the same Act.
Earlier, VPN provider Surfshark’s legal department head Gytis Malinauskas had told Moneycontrol that the company has a strict no-logs policy, which implies that it does not collect or share customer browsing data or any usage information. In a tweet, Proton VPN said that India’s new VPN regulations are “an assault on privacy, and that it will continue maintaining its no-log policy”.

The new Indian VPN regulations are an assault on #privacy and threaten to put citizens under a microscope of surveillance. We remain committed to our no-logs policy and recommend everyone using our servers in India to follow these guidelines: https://t.co/85WTkUJ5Z6. (1/2)
— ProtonVPN (@ProtonVPN) May 5, 2022
Apart from this, the upcoming CERT-In clarifications are also expected to include statements on the distinction between the IT Rules 2021 and the April 28 directions, clarification on reporting cybersecurity incidents and so on.
However, it is not just the provisions regarding VPNs that have irked different quarters of the industry. Concerns were also raised regarding the direction that all body corporates will mandatorily have to retain logs of their systems for 180 days. Experts had pointed out to Moneycontrol that compliance with this provision may involve additional expenses.
The direction that cybersecurity incidents will have to be reported within six hours was also criticised. For instance, Supratim Chakraborty, partner at Khaitan and Co, had questioned whether companies will be equipped to report such cases within that timeframe.
CERT-In also wants companies to synchronise their servers’ clocks to the time servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL). Time servers matter because accurate, consistent time is a key aspect of cyber security investigation: logs from different systems can only be correlated if their clocks agree. Experts have said that by mandating NIC or NPL time servers, issues regarding time-server latency may crop up, and it has also been pointed out that there are better options than NIC or NPL.
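To make the investigation point concrete, here is an added example (not from the article, and not code from CERT-In, NIC or NPL). It shows the standard NTP clock-offset calculation from RFC 5905, which is where the latency concern comes from, and then uses a measured offset to put log lines from two hosts into their true order. All timestamps, host names, IP addresses and offsets are constructed sample data; no real time server is contacted.

```python
"""Added example: why clock offset matters when correlating logs across hosts.

Part 1 is the NTP offset/delay formula from RFC 5905 (the same arithmetic
chrony/ntpd perform). Part 2 applies a measured per-host offset to constructed
log lines so that events sort in the order they actually happened.
"""
from datetime import datetime, timedelta, timezone


def ntp_offset_and_delay(t1, t2, t3, t4):
    """RFC 5905 clock offset and round-trip delay, all in seconds.

    t1 = client transmit, t2 = server receive, t3 = server transmit,
    t4 = client receive. 'offset' is what the client must add to its clock.
    The formula assumes the network path is symmetric; if the path to the
    time server is slow or asymmetric, half of the asymmetry ends up as
    error in the offset. That is the 'latency' issue raised about NIC/NPL.
    """
    offset = ((t2 - t1) + (t3 - t4)) / 2.0
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


# Constructed sample logs: (host, timestamp as recorded by THAT host's clock, message)
LOGS = [
    ("hostA", "2022-05-05T12:00:00Z", "outbound connection to 203.0.113.10:443"),
    ("hostB", "2022-05-05T12:00:30Z", "accepted password for svc from 198.51.100.7"),
]

# Constructed measured offsets (seconds the host must ADD to its clock to
# match the reference time server). hostB's clock is running 90 s fast.
OFFSETS = {"hostA": 0.0, "hostB": -90.0}


def parse_ts(ts):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def naive_order(logs):
    """Sort by recorded timestamps as-is (what an analyst sees without clock correction)."""
    return sorted(((parse_ts(ts).isoformat(), host, msg) for host, ts, msg in logs))


def correlate(logs, offsets):
    """Apply each host's measured offset, then sort to get the true sequence."""
    corrected = []
    for host, ts, msg in logs:
        true_time = parse_ts(ts) + timedelta(seconds=offsets.get(host, 0.0))
        corrected.append((true_time.isoformat(), host, msg))
    return sorted(corrected)


if __name__ == "__main__":
    off, dly = ntp_offset_and_delay(100.0, 10.2, 10.3, 100.5)
    print(f"measured offset {off:+.1f}s, round-trip delay {dly:.1f}s")
    print("as recorded:", [h for _, h, _ in naive_order(LOGS)])
    print("corrected:  ", [h for _, h, _ in correlate(LOGS, OFFSETS)])
```

With the constructed data the uncorrected view suggests hostA's outbound connection preceded the login on hostB; after applying hostB's 90 second offset the login is seen to have happened first, which changes the story an investigator would tell. Keeping every host on the same reference clock removes the need for this correction, which is the practical reason behind the synchronisation direction.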