SUMMARY
Chandrasekhar's comments came in response to a few VPN service providers criticising the latest directions issued by CERT-In
Under the new directions, VPS and VPN service providers will be required to maintain logs, including names of customers, their IP addresses, among other things, for a period of five years
A large number of experts have also raised questions around the legality of the new rules in the absence of a robust data protection law in India
Minister of State for Electronics and IT Rajeev Chandrasekhar on Wednesday asked virtual private network (VPN) service providers to follow the latest directions issued by the Indian Computer Emergency Response Team (CERT-In) or terminate their business in India.
Addressing a press conference on the clarifications issued by CERT-In on its directions, Chandrasekhar said that VPN providers will have to follow the new rules. His comments came in the wake of a few VPN service providers criticising the new directions.
“If you don’t have the logs, start maintaining the logs. If you’re a VPN that wants to hide and be anonymous about those who use VPNs and you don’t want to go by these rules, then if you want to pull out (from the country), frankly, that is the only opportunity you will have. You will have to pull out,” Money Control quoted the minister as saying.
According to the new directions issued on April 28, data centres, VPN, Virtual Private Server (VPS) and cloud service providers will have to collect and hold data pertaining to validated names of customers hiring the services, period of hire including dates, IPs allotted to/being used by the members, email addresses, IP addresses and time-stamps used at the time of registration/on-boarding, among other things, for a period of five years.
Following this, a few VPN service providers said that they would exit India rather than following such a mandate that threatens the basic foundation of VPN. NordVPN has already said that it would exit India if no other options are available.
Surfshark, ExpressVPN, PureVPN, CyberGhost and IPVanish are among the other VPN service providers in India.
Many experts have also raised questions around the legality of the new rules in the absence of a robust data protection law in the country. They pointed out that many journalists, activists, and whistleblowers also use VPNs for their work.
The government issued the new directions relating to information security practices, procedures, prevention, response and reporting of cyber incidents under the provisions of the Information Technology Act, 2000. These directives will be effective from June 27, 2022.
CERT-In has also asked companies to synchronise their servers’ clocks to the servers of the National Informatics Centre or the National Physical Laboratory.
However, the rules of maintaining customer logs will not apply to enterprise and corporate virtual private networks. The term “VPN service providers” will just apply to entities that provide “internet proxy like services through the use of VPN technologies, standard or proprietary, to general Internet subscribers”, it said.
India is one of the largest VPN markets in the world. In the past few years, the VPN usage has grown significantly in the country. VPN installs increased to a staggering 348.7 Mn in H1 2021, representing a growth of 671% compared to 2020, as per an Atlas VPN report.
The report said that the increase can be attributed to the rapidly evolving digital ecosystem in the country, as India’s internet user base grew at a rate of 24% each year on average from 2015 through 2020.
