Defending the provision of storing subscriber information mandated by the Indian Computer Emergency Response Team’s (CERT-In) cybersecurity directions, the Indian government has argued that retaining basic identity information such as names and addresses of subscribers ‘does not alter the nature of VPN’.
VPN, or a virtual private network, is a tunnel between one’s device and the internet and it helps in masking a device’s IP address, thus providing a certain level of anonymity and helping in hiding one’s identity.
Introduced in April and enacted in June, one of the provisions of CERT-In’s cybersecurity directions mandate data centres, virtual private server (VPS) providers, cloud service providers and VPN service providers, to register details such as names of subscribers/customers, period of hire, IPs allotted to the members, email address and IP addresses used at the time of registration, etc.
These provisions invited a lot of criticism, and currently, the central government is battling a legal challenge on the cybersecurity directions at the Delhi High Court. The government’s comments come after the court issued a notice and asked it to file a reply on the matter.
Moneycontrol has reviewed the affidavit filed by the central government.
![[Deeptech Digest] This startup quietly secured an airbase; its encryption now guards railways, laptops and more](https://images.moneycontrol.com/static-mcnews/2025/10/20251105054148_Pantherun.jpg?impolicy=website&width=168&height=118 "[Deeptech Digest] This startup quietly secured an airbase; its encryption now guards railways, laptops and more")
In its reply, the government, while arguing that collecting ‘basic identity information’ does not alter the nature of VPNs, said that anonymity cannot be used as a ground for evading authorities or not complying with the law.
The government said the operation of State and non-State actors on the internet or in cyberspace with ‘total anonymity’ may cause ‘havoc’.
The government also justified the collection of such personally identifiable information as ‘sine qua non’ or as absolutely necessary for analysing and investigating cyber security incidents.
In fact, one of the reasons behind the introduction of the cybersecurity directions, the government said in its affidavit, was the lack of information – it was either not readily available with service providers/data centres/body corporates or not available at all.
The government, while citing Rule 3 of the Information Technology (IT) (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, also pointed out that the collected user details such as name and addresses were not ‘sensitive information’.
The government said this while stating that the cybersecurity directions do not require disclosure of ‘sensitive personal information’, which includes details such as passwords, sexual orientation, medical records and so on.
Increase in cybersecurity reporting
The CERT-In directions also mandate that anybody corporate or government organisation has to report cybersecurity incidents within six hours of noticing them or being brought to notice about such incidents.
This has resulted in an uptick in the registration of such incidents with CERT-In.
The government said that overall there has been a 51 percent increase in reported cyber security from January-June 22 to July-September 2022.
The CERT-In directions came into force in late June.
Overall, as of now, CERT-In has recorded 1,019,180 cyber security incidents up to September 2022. In 2021, the figures stood at 1,402,809 and in 2020, around 11 lakh.
Does not violate the Right to Privacy
Countering the petitioner’s allegation that the cybersecurity directions violate the Right to Privacy judgement, the government said the cybersecurity directions meet the requirements necessary for the right to privacy.
The KS Puttaswamy judgement notes that the right to privacy is not absolute and is subjected to reasonable restrictions provided it meets the test of proportionality, has a legitimate goal and so on.
The government argued that measures to enhance cyber security do not mount to ‘unreasonable restriction’ as the directions have a ‘legitimate’ goal of analysing cyber incidents.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
Find the best of Al News in one place, specially curated for you every weekend.
Stay on top of the latest tech trends and biggest startup news.
