News

MeitY To Meet Industry Stakeholders To Discuss CERT-In Guidelines On VPNs

MeitY to meet with VPN companies to discuss CERT-In guidelines
SUMMARY

The meeting will have industry stakeholders including VPN companies, legal experts, cybersecurity experts and tech policy groups

The meeting comes as the government’s guidelines will come into force on June 27

CERT-In’s directives on VPNs mandate maintaining user activity logs, along with storing sensitive information such as IP addresses and phone numbers

Inc42 Daily Brief

Stay Ahead With Daily News & Analysis on India’s Tech & Startup Economy

The Ministry of Electronics and Information Technology (MeitY) will hold a meeting on Friday (June 10) to discuss the latest guidelines from the Indian Computer Emergency Response Team (CERT-In) on cybersecurity.

The meeting will have industry stakeholders including virtual private network (VPN) companies, legal and cybersecurity experts and tech policy groups, according to sources cited by ET. 

MeitY is holding the meeting in response to a joint letter sent by tech policy groups such as The Dialogue, AccessNow, Internet Freedom Foundation, SFLC.in, BSA India and others.

A source told ET, “It is a high-level meeting in which policy heads from various companies will also be present. There will be discussions primarily on the CERT-In directives which were issued on April 28, and whether it has had an adverse impact on the startup ecosystem yet. We also expect senior officials from other ministries to be present.”

The meeting comes as the government’s guidelines will come into force on June 27, and days after two VPN companies, Surfshark and ExpressVPN logged out of India after the government’s directive for VPNs to store user activity logs.

CERT-In issued directives relating to information security practices, procedures, prevention, response and reporting of cyber incidents under the provisions of sub-section (6) of section 70B of the Information Technology Act, 2000, on April 28.

These directives have made sure that VPNs are reduced beyond their core concept of user anonymity and privacy. The government ordered VPN companies to keep user activity logs for as long as five years. Further, VPN companies can’t delete user data even after the user has deleted their account for the stipulated period.

The details that VPNs have to store include sensitive information including email address and IP address and time stamp used at the time, and validated addresses and contact numbers, among other data points.

While the government has excluded corporate VPNs from the directives, it still means that individual users are still vulnerable to government surveillance.

Incredibly, when faced with pushback from VPN companies over the directives that deny the core of their existence, the MoS for Information Technology Rajeev Chandrasekhar told them to pull out of the country if they don’t want to maintain logs.

“If you don’t have the logs, start maintaining the logs. If you’re a VPN that wants to hide and be anonymous about those who use VPNs and you don’t want to go by these rules, then if you want to pull out (from the country), frankly, that is the only opportunity you will have. You will have to pull out,” he said.

India is one of the largest VPN markets in the world, with VPN installs reaching 348.7 Mn in H1 2021, representing a growth of 671% compared to 2020, per an Atlas VPN report.

India’s move on VPNs has not gone unnoticed around the world, either. US Chamber of Commerce, the US-India Business Council, the US-India Strategic Partnership Forum and techUK, among others, have written to the CERT-In director general Sanjay Bahl, expressing concern over the same.

The letter read, “The technical requirements put forward in the directive will make cybersecurity worse, not better. The sheer volume of information required, wasted resources and fragmented approach will damage the global cybersecurity ecosystem and make us all less safe.”

This points to the counterproductive nature of the CERT-In directives.

If more data is being stored, there is a higher risk of that data being leaked. The fact that the directives ask VPNs to store highly sensitive information such as physical addresses and phone numbers just makes the situation worse.

Not to mention the resources that a VPN company would have to invest to continue serving India, and many of these companies will just take the highway, as ExpressVPN and Surfshark have already done.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.

Inc42 Daily Brief

Stay Ahead With Daily News & Analysis on India’s Tech & Startup Economy

Recommended Stories for You