MeitY To Meet Industry Stakeholders To Discuss CERT-In Guidelines On VPNs

SUMMARY

The meeting will have industry stakeholders including VPN companies, legal experts, cybersecurity experts and tech policy groups

The meeting comes as the government’s guidelines will come into force on June 27

CERT-In’s directives on VPNs mandate maintaining user activity logs, along with storing sensitive information such as IP addresses and phone numbers

The Ministry of Electronics and Information Technology (MeitY) will hold a meeting on Friday (June 10) to discuss the latest guidelines from the Indian Computer Emergency Response Team (CERT-In) on cybersecurity.

The meeting will have industry stakeholders including virtual private network (VPN) companies, legal and cybersecurity experts and tech policy groups, according to sources cited by ET. 

MeitY is holding the meeting in response to a joint letter sent by tech policy groups such as The Dialogue, AccessNow, Internet Freedom Foundation, SFLC.in, BSA India and others.

A source told ET, “It is a high-level meeting in which policy heads from various companies will also be present. There will be discussions primarily on the CERT-In directives which were issued on April 28, and whether it has had an adverse impact on the startup ecosystem yet. We also expect senior officials from other ministries to be present.”

The meeting comes as the government’s guidelines are set to come into force on June 27, and days after two VPN companies, Surfshark and ExpressVPN, logged out of India following the government’s directive for VPNs to store user activity logs.

CERT-In issued directives relating to information security practices, procedures, prevention, response and reporting of cyber incidents under the provisions of sub-section (6) of section 70B of the Information Technology Act, 2000, on April 28.

These directives strip VPNs of their core concept of user anonymity and privacy. The government ordered VPN companies to keep user activity logs for as long as five years. Further, VPN companies can’t delete user data for the stipulated period, even after the user has deleted their account.

The details that VPNs have to store include sensitive information such as email addresses, the IP addresses and time stamps used at the time, and validated addresses and contact numbers, among other data points.

While the government has excluded corporate VPNs from the directives, individual users remain vulnerable to government surveillance.

Incredibly, when faced with pushback from VPN companies over the directives that deny the core of their existence, the MoS for Information Technology Rajeev Chandrasekhar told them to pull out of the country if they don’t want to maintain logs.

“If you don’t have the logs, start maintaining the logs. If you’re a VPN that wants to hide and be anonymous about those who use VPNs and you don’t want to go by these rules, then if you want to pull out (from the country), frankly, that is the only opportunity you will have. You will have to pull out,” he said.

India is one of the largest VPN markets in the world, with VPN installs reaching 348.7 Mn in H1 2021, representing a growth of 671% compared to 2020, per an Atlas VPN report.

India’s move on VPNs has not gone unnoticed around the world, either. The US Chamber of Commerce, the US-India Business Council, the US-India Strategic Partnership Forum and techUK, among others, have written to the CERT-In director general Sanjay Bahl, expressing concern over the same.

The letter read, “The technical requirements put forward in the directive will make cybersecurity worse, not better. The sheer volume of information required, wasted resources and fragmented approach will damage the global cybersecurity ecosystem and make us all less safe.”

This points to the counterproductive nature of the CERT-In directives.

If more data is being stored, there is a higher risk of that data being leaked. The fact that the directives ask VPNs to store highly sensitive information such as physical addresses and phone numbers just makes the situation worse.

Not to mention the resources that a VPN company would have to invest to continue serving India; many of these companies will just take the highway, as ExpressVPN and Surfshark have already done.
