
Corporate, Enterprise VPNs Will Not Need To Maintain Customer Logs: CERT-In

CERT-In released a clarification document on the new cyber security directions issued by it

Despite the concerns around new rules, the government doesn’t seem to be in the mood to make any changes

The government also made it clear that the “right to informational privacy of individuals is not affected” by the new directions

The Indian Computer Emergency Response Team (CERT-In) released the much-awaited clarifications on its new cyber security directions, issued on April 28, in FAQ format. The nodal cyber security agency said that the rule to maintain customer logs would not be applicable to enterprise and corporate virtual private networks (VPN).

It clarified that the term "VPN service providers" refers to an entity that provides "Internet proxy like services" through the use of VPN technologies, standard or proprietary, to general Internet subscribers/users. Enterprise and corporate VPNs, which serve an organisation's own staff rather than the public, fall outside this definition.

The issuance of the clarification also signals that, despite the criticism the new rules have received, the government is in no mood to rethink them.

The new rules mandate VPN providers, Virtual Private Server (VPS) providers and cloud service providers to collect and store specified customer information for five years or longer.

“Any service provider offering services to the users in the country needs to enable and maintain logs and records of financial transactions in Indian jurisdiction,” the clarification document said. 

There are answers to 44 questions in the document along with an explanation for the types of cybersecurity incidents to be reported to CERT-In.

Is Right To Privacy Lost? 

According to the government, the new directions are intended to ensure timely reporting of cyber incidents to CERT-In, together with the information needed to analyse them. It says this will improve cyber security situational awareness, help mitigate incidents and attacks, and protect data and the availability of services to citizens.

“These efforts will enhance overall cyber security posture and ensure Open, Safe & Trusted and Accountable Internet in the country,” the document said.

However, many experts have questioned the new rules in the absence of a data protection law in the country.

Talking to Inc42, Anupam Shukla, Partner at Pioneer Legal, had said that the government should have ensured the enactment of a privacy law before coming up with a regulation requiring private entities like the VPN service providers to store data belonging to private individuals.

Referring to the right to privacy, Shukla also said that there needs to be a fairly high threshold of necessity where the government can invade the privacy of an individual. This has to be an exception and not a rule.

In the latest document, the government clearly said, “The right to informational privacy of individuals is not affected.”

“These directions do not envisage seeking of information by CERT-In from the service providers on continuation basis as a standing arrangement. CERT-In may seek information from service providers in case of cyber security incidents and cyber incidents, on case to case basis, for discharge of its statutory obligations to enhance cyber security in the country,” it added. 

On storage of logs, CERT-In said that the logs may be stored outside the country as well, as long as the “obligation to produce logs” to it is adhered to by the entities in a reasonable time.

Maintaining And Providing Data

An officer of CERT-In, not below the rank of Deputy Secretary to the Government of India, would have the authority to seek information in respect of the logs.

On the types of logs that need to be maintained by the service providers, the document said, “The logs that should be maintained would depend on the sector that the organisation is in, such as Firewall logs, Intrusion Prevention Systems logs, SIEM logs, web/ database/mail /FTP/ Proxy server logs, Event logs of critical systems, Application logs, ATM switch logs, SSH logs, VPN logs, etc.”

The directions also require organisations to use accurate and standard time sources, and to synchronise clocks across all of their information and communication technology (ICT) systems irrespective of the time zone each system runs in. "The time zone information shall also be recorded along-with time to facilitate accurate conversion at the time of need," the document says. In practice that means every log timestamp should carry its UTC offset, so that logs collected from hosts in different zones can be converted to a common clock when an incident is investigated.
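The following is an added example, not material from CERT-In or Inc42, of what "record the time zone along with the time" looks like in practice and why it matters for correlation. It shows a Python `logging` formatter that writes ISO 8601 timestamps with an explicit UTC offset, then normalises three constructed log lines (from hosts in the assumed +05:30 zone and in UTC) to a single UTC timeline. The hostnames, addresses and log lines are invented for illustration.

```python
"""Timestamps that carry their UTC offset, and log correlation across zones.

Added example, not CERT-In's or Inc42's material. The +05:30 zone and the
three log lines below are constructed for illustration only.
"""
import logging
from datetime import datetime, timedelta, timezone
from io import StringIO

IST = timezone(timedelta(hours=5, minutes=30))  # assumed zone of the sample host
UTC = timezone.utc


def format_with_offset(posix_ts, tz=None):
    """Render a POSIX timestamp as ISO 8601 with an explicit UTC offset.

    tz=None uses the host's local zone; the offset is written out either way,
    so a reader can always convert the value back to UTC unambiguously.
    """
    dt = datetime.fromtimestamp(posix_ts, tz=UTC).astimezone(tz)
    return dt.isoformat(timespec="seconds")


class TzAwareFormatter(logging.Formatter):
    """logging.Formatter whose %(asctime)s includes the UTC offset."""

    def __init__(self, fmt=None, tz=None):
        super().__init__(fmt)
        self.tz = tz

    def formatTime(self, record, datefmt=None):
        return format_with_offset(record.created, self.tz)


def render_record(message, tz=None):
    """Push one record through the formatter and return the rendered line."""
    buf = StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(
        TzAwareFormatter("%(asctime)s %(levelname)s %(message)s", tz=tz))
    logger = logging.getLogger("tz-example")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    logger.info(message)
    handler.flush()
    return buf.getvalue().rstrip("\n")


# Constructed sample: three hosts, two zones, one SSH login from 203.0.113.7.
SAMPLE_LINES = [
    "2022-06-27T09:05:00+05:30 sshd[2101]: Accepted publickey for deploy from 203.0.113.7",
    "2022-06-27T03:40:00+00:00 vpn-gw: session established user=deploy src=203.0.113.7",
    "2022-06-27T09:04:00+05:30 firewall: ACCEPT tcp 203.0.113.7 -> 10.0.0.5:22",
]


def parse_line(line):
    """Split a line into (UTC datetime, message); reject timestamps without an offset."""
    ts, _, rest = line.partition(" ")
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp lacks a UTC offset: {ts}")
    return dt.astimezone(UTC), rest


def normalise_to_utc(lines):
    """Return (utc_datetime, message) pairs in true chronological order."""
    return sorted(parse_line(line) for line in lines)


def naive_order(lines):
    """Order by wall-clock digits only, as a tool that ignores offsets would."""
    return [line.partition(" ")[2] for line in sorted(lines, key=lambda l: l[:19])]


if __name__ == "__main__":
    print(render_record("vpn tunnel up", tz=IST))
    print("correct order (normalised to UTC):")
    for when, msg in normalise_to_utc(SAMPLE_LINES):
        print(" ", when.isoformat(), msg)
    print("wall-clock order (wrong, offsets ignored):")
    for msg in naive_order(SAMPLE_LINES):
        print(" ", msg)
```

With the offsets honoured, the firewall accept (03:34Z) precedes the SSH login (03:35Z) and the VPN session (03:40Z); sorting on the wall-clock digits alone would put the VPN event first and misstate the sequence of the intrusion. `parse_line` refuses timestamps without an offset rather than guessing a zone, which is the failure the directive's wording is meant to prevent.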

Cost Of Non-Compliance

The new directions come into effect 60 days after their issuance on April 28, that is, on June 27, 2022.

Virtual asset service providers, virtual asset exchange providers, custodian wallet providers and the government organisations would also be covered under the rules. 

The document also mentioned the consequence of non-compliance with the new directions. “The act of non-compliance of Cyber Security Directions of 28.04.2022 issued under sub-section (6) of section 70B of the Information Technology Act, 2000 may attract the penal provisions of sub-section (7) of section 70B of the Act.”

Section 70B(7) of the IT Act, 2000 states that non-compliance with a direction under sub-section (6) is punishable with imprisonment for a term which may extend to one year, or with a fine which may extend to one lakh rupees, or with both.

The rules have drawn criticism from several international VPN service providers, some of which have raised the possibility of exiting India in order to keep their no-logs policies. It remains to be seen how they react to the clarification issued by the agency.

Gytis Malinauskas, head of legal department at Surfshark, had earlier said that the company was trying to understand the new regulations and their implications, but the overall aim was to continue providing no-logs services to all of its users.

On the other hand, Laura Tyrylyte, head of public relations at Nord Security, said that the company was looking into the new law to better understand what’s required, but from what it seemed, the company would be required to make fundamental changes within its infrastructure, its policies and values, and it was “difficult to see such a scenario coming to life”.
