Comply with rules or exit from India: MoS IT to VPNs
Minister of State for Electronics and IT Rajeev Chandrashekhar on Wednesday warned virtual private network (VPN) service providers that if they don’t adhere to the latest cybersecurity rules released by the Indian Computer Emergency Response Team (CERT-In), they will have to terminate their operations in India.
While releasing clarifications on CERT-In’s cybersecurity norms, he said, “If you’re a VPN that wants to hide and be anonymous about those who use VPNs and you don’t want to go by these rules, then if you want to pull out (from the country), frankly, that is the only opportunity you will have. You will have to pull out.”
The comments come at a time when many VPN providers, a large part of whose value proposition is ensuring anonymity of users on the Internet, have questioned the directives for potentially violating user privacy, with some providers like NordVPN saying they are considering pulling their servers from India should the rules be enforced on them.
When asked about concerns raised by certain VPN providers like NordVPN, SurfShark and Proton VPN who claim to not maintain logs of how their customers use their service — something the rules mandate them to do — Chandrashekhar said, “There is no opportunity for somebody to say we will not follow the laws and rules of India. If you don’t have the logs, start maintaining the logs”.
CERT-In’s cybersecurity norms, released on April 28, require VPN service providers, along with data centres and cloud service providers, to store information such as names, email IDs, contact numbers, and IP addresses (among other things) of their customers for a period of five years.
“If you are a VPN provider, if you are a data centre operator, if you are a cloud provider, and if you’re an enterprise, you have an obligation to know who’s using your VPN infrastructure; who’s using the cloud; who’s using the data centre? Why? If there is a detected cyber incident or cyber breach — from one of the people using your VPN or your cloud or your data centre, it is your obligation to produce the data,” the minister said. “Now at that point, you can’t say ‘No it’s our rule that we will not maintain logs’. If you don’t maintain roll logs, this is not a good place to do business”.
The rules also require entities to report cybersecurity incidents to CERT-In within six hours of becoming or being made aware of them. Responding to the industry’s concerns that six hours was too short a time to report such incidents, Sanjay Bahl, Director General of CERT-In, said that reporting requirements were in line with global standards. “France, in the financial sector, requires entities to report cybersecurity-related incidents within four hours; in Indonesia, within one hour; Italy requires disclosures within three hours; Japan requires entities to report immediately; in Singapore it is within one hour,” Bahl said.
Chandrashekhar said that timely reporting of such incidents is crucial to ensure that the Internet remains “safe and trusted”. “Cybersecurity is a very complex issue where situational awareness of multiple incidents allows us to understand the conspiracy behind it, or if there is a larger force behind it. So reporting accurately and on time is an absolutely essential part of the ability of CERT-In to ensure that the internet is always safe and trusted,” he said.