Pune-based virtual private network (VPN) service provider SnTHostings.com has written to the ministry of electronics and information technology (MeitY), asking it to recall a set of cybersecurity directions that come into force on June 27.
The April 28 directions issued by the Indian Computer Emergency Response Team (CERT-In) require service providers such as SnTHostings to maintain logs of all their information and communication technology (ICT) systems for a period of 180 days. They also have to register and maintain personal information of subscribers for five years or longer and provide this data to CERT-In if demanded in the event of a cybersecurity incident.
In the letter, drafted with the help of the Internet Freedom Foundation, SnTHostings.com said asking VPN service providers to collect personally identifiable data “violates the right to privacy of users and completely changes the true nature of services provided by VPNs”.
SnTHostings.com said the requirements to maintain logs for 180 days and customer information for five years were concerning.
“Firstly, many service providers do not maintain such data because they respect the privacy of their users. As stated above, mandating them to start collecting such data for unstated reasons violates the privacy of users,” Harsh Jain, founder and CEO of SnTHostings said in the letter.
Secondly, the directions did not offer any explanation of why data must be stored for such an arbitrarily long period of time, and doing so would impose significant additional costs on service providers, he said.
These norms have been a sore point not just for SnTHostings but also for other VPN providers. ExpressVPN, NordVPN and Surfshark have said they will remove their servers from India.
The directions, which were ambiguously worded, were driving business outside India, the letter said.
“Direction 4 mandates the aforementioned entities to maintain logs of ‘all their ICT systems’ but does not explain what is covered under the same. As a result, there is ambiguity over whom the directions are applicable to as well as what the entities covered ought to do to comply with them,” Jain said.
“This is a matter (of) concern because if entities do not comply with the directions, they may be punished with imprisonment even though, as a result of the ambiguity, they may have reason to believe that the directions do not apply to them or that they have, in fact, complied with them.”
The norms have also been widely criticised in other quarters of the industry. Lobby groups and trade bodies representing major companies such as Google and Microsoft wrote to MeitY earlier, seeking modifications and a delay in the implementation of these rules.
A week ago, MeitY held a round of consultation with stakeholders to explore the possibility of setting up a portal to report cybersecurity incidents as mandated in the CERT-In directions.
The ministry also said it was open to providing "support" to startups and small companies to comply with the directions. Small companies told the ministry they would require 300 days to comply with the directions.
Generally, when a person tries to access a website, the internet service provider receives the request and forwards it to the destination. However, according to NordVPN, when a person connects to a VPN, their internet traffic is routed through a VPN server first before being sent on to the destination, giving the user a degree of anonymity.