The Indian Computer Emergency Response Team (CERT-In) has released a set of clarifications on the April 28 directions, where it has stated that the rules of maintaining customer logs will not apply to enterprise and corporate virtual private networks.
The April 28 directions had stated that “virtual private server (VPS) providers’ and ‘VPN service providers’ will be required to maintain logs including names of customers, their IP addresses etc. for a period of five years. Since then, this mandate has raised privacy concerns and it has also been criticised by major VPN companies such as NordVPN, SurfShark and others.
According to the document released by CERT-In titled “Frequently Asked Questions on Cyber Security Directions of 28.04.2022”, the term “VPN service providers” will just apply for entities that provide “internet proxy like services through the use of VPN technologies, standard or proprietary, to general Internet subscribers”. The clarifications also state that the directions will also apply to foreign firms.
Earlier, in response to the CERT-In directions, VPN provider Surfshark’s legal department head Gytis Malinauskas had told Moneycontrol that the company has a strict no-logs policy, which implies that it does not collect or share customer browsing data or any usage information; and that it would ‘aim’ to continue doing so. Similarly, NordVPN had said that it may pull its servers out of India if they find no way out.
And in a tweet, Proton VPN said that India’s new VPN regulations are “an assault on privacy, and that it will continue maintaining its no-log policy”.
However, it is not just the provisions regarding VPN that have irked different quarters of the industry. Concerns were also raised regarding the direction that all ‘body corporate’ will have to mandatorily retain logs of their systems for 180 days and will have to report cybersecurity events within six hours.
CERT-In also wanted companies to synchronise their servers’ clocks to the servers of the National Informatics Centre or the National Physical Laboratory. Time servers are a key aspect in a cyber security investigation. Experts have said that by choosing NIC or NPL time servers, issues regarding server time latency may prop up, and it has also been pointed out that there are other better options than NIC or NPL.
Here are other important points made by CERT-In in the recent document:
Intermediaries will have to report all kinds of cybersecurity incidents
Unlike in the April 28 directions, where CERT-In specified 20 different kinds of cybersecurity incidents which would have to be reported within six hours, the current FAQ has clarified that the intermediaries will also have to report incidents which are excluded from the April 28 direction and another CERT-In direction from 2013.
According to IT Act, an intermediary", "means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes;"
This clarification came in response to a query about the Information Technology Rules, 2021 which states that “Intermediary shall report cyber security incidents and also share cybersecurity incidents related information with the Indian CERT”. It was asked whether intermediaries have to report “any and all cybersecurity incidents” or only those specified in the April 28 directions.
In response, CERT-In said, “It is, thus, imperative that the intermediaries may also report those types of cyber security incidents which are not mentioned either in the annexure of the CERT-In Rules, 2013 or in the Cyber Security Directions of 28.04.2022, to CERT-In considering the nature, severity and impact of the incident.”
CERT-In also clearly made a distinction between the applicability of the IT Rules 2021 and the April 28 directions. While the IT Rules are applicable to significant intermediaries , the latter is not just limited to intermediaries but also to service providers, intermediaries, data centres, body corporate etc.
Another important clarification that CERT-In has made in the recent document is regarding the applicability of the 6-hour timeframe of the cybersecurity incident. “The cyber incident needs to be reported to CERT-In within 6 hours of noticing the incident or being brought to notice about such incident.”
Even those bound by contract will have to disclose incidents
While answering another FAQ in the document on whether companies that have contractual obligation to not disclose cybersecurity incidents to their customer will have to disclose the same, CERT-In pointed towards Section 81 of the IT Act, 2000 which gives it the power to override any such contractual obligation.
“The obligation of reporting of Cyber Security incidents to CERT-In as enshrined in Section 70B of the IT Act, 2000 read with CERT-In Rules, 2013 is statutory in nature and overrides by virtue of the provisions of section 81 of the IT Act, 2000,” the answer read.
The document also clarifies the consequence of non-compliance with the April 28 directions. “The act of non-compliance of Cyber Security Directions of 28.04.2022 issued under sub-section (6) of section 70B of the Information Technology Act, 2000 may attract the penal provisions of sub-section (7) of section 70B of the Act.”
Section 70 B (7) of the IT Act states that non-compliance to the law will attract punishment for a term which may extend to one year or with fine which may extend to one lakh rupees or both.
Point of Contact for liaising with CERT-In
“The service providers, intermediaries, data centres and body corporate offering services to the users in the country shall designate a Point of Contact to liaise with CERT-In,” the document said in response to a FAQ on whether service providers without physical presence in India require to designate such persons.
The document also clarifies that the April 28 directions do not just apply to Indian companies, but “to any entity whatsoever, in the matter of cyber incidents and cyber security incidents”.
In regards to keeping logs, the document clarified that a company can continue maintaining the confidentiality of customer data collected by service providers, and also store it in foreign countries. “The requirements on the part of service providers, intermediaries and body corporate in respect of protection of confidentiality of the customer data prior to the issuance of these Cyber Security Directions of 28.04.2022 are in force and does not change,” it read.
Right to Privacy not affected, says CERT
CERT-In dismissed concerns of privacy in the April 28 directions and said that these directions will not empower CERT-In to continuously seek information from service providers.
“CERT-In may seek information from service providers in case of cyber security incidents and cyber incidents, on case to case basis, for discharge of its statutory obligations to enhance cyber security in the country. The service providers are bound to protect the users’ information by following reasonable security practises and procedures,” the document said.
CERT-In also explained that the April 28 directions were brought in after the agency analysed cyber security incidents and observed certain gaps in processes of organisations and service providers.
“Accordingly, consultations with the industry and Government organisations have been held from time to time and based upon the inputs received from the stakeholders, draft directions were framed. Subsequently, CERT-In under the aegis of MeitY held expert consultations with the stakeholders towards finalisation of the directions,” it added.
Can use other time source but…
In regards to the concerns raised on the requirement of companies to synchronise their server clocks to that of National Informatics Centre and National Physical Laboratory, CERT-In said, “Organisations having ICT infrastructures spanning multiple geographies may use accurate and standard time source other than National Physical Laboratory (NPL) and National Informatics Centre (NIC), however, it is to be ensured that their time source shall not deviate from NPL and NIC.”
For Cloud ICT infrastructure, which typically set up their own time servers to ensure conformity across their entire infrastructure, CERT-In had a different clarification.
CERT-In said that customers in cloud environments can use the native time services offered by the Cloud to synchronise their clock or they can also set up their own NTP server within their cloud environment.
“However, if any entity operates their own NTP service (using NTP server or any other device), which synchronises with time sources other than native cloud time services, the same shall be synchronised with the NTP Servers of NIC or NPL,” it added.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
