VPNs Prone To Misuse, Info Sought Under CERT-In Directives Not Sensitive: Centre

VPNs Prone To Misuse, Info Sought Under CERT-In Directives Not Sensitive: Centre

SUMMARY

In an affidavit in the Delhi HC, the government said that retaining information such as names and addresses of subscribers would not ‘alter the nature’ of VPN

The Centre said that both state and non-state actors could exploit total anonymity in the cyber space to wreak havoc

The government is embroiled in a legal case with homegrown VPN service provider SnTHostings which has challenged the VPN guidelines issued in April

Virtual private networks (VPNs) are highly prone to misuse, the union government reportedly said in a filing before the Delhi High Court (HC) in a case challenging the VPN-related guidelines issued by the Indian Computer Emergency Response Team (CERT-In).

“[…] the reality is that the VPN Services, which are basically Internet-proxy like services, are highly prone to misuse, since the offenders cannot be traced in a timely manner, if at all,” the government said in an affidavit seen by Moneycontrol.

The HC had sought Centre’s reply on the plea challenging the guidelines.

The government said that disclosing and retaining information such as names and addresses of subscribers would not ‘alter the nature’ of VPN. It also said that anonymity could not be used as a ground for non-compliance with norms and for evading authorities.

The idea behind a VPN is to mask the identity of a user (IP address) by establishing a secure network via encryption over a public network. 

Citing that both state and non-state actors could exploit total anonymity in the online arena to wreak havoc, the government said that it was justified in the collection of such identifiable data to analyse and investigate cyberattacks. 

Quoting provisions of the IT Rules, 2011, the Centre said that the collected information, including names and addresses, were not ‘sensitive information’. It further added that the new norms did not require the disclosure of sensitive information including passwords, sexual orientation, medical records, among other things.

Describing the rationale behind notifying the VPN guidelines, the affidavit also stated that there was a paucity of such information with service providers, complicating investigation in the event of a cybercrime. 

Calling for maintaining a balance between individual and societal interest, the Centre also claimed that the directives were not a form of ‘surveillance’ but involved handing over logs only in instances when a cyberattack was being probed. 

Training its guns on the petitioner SnTHostings, the government accused the firm of ‘covertly representing’ the interests of global VPN providers. Noting that the Pune-based firm was already collecting requisite information that the VPN directives mandate, the Centre said that SnTHostings did not even publicise providing VPN services in the first place on its website.

The Contentious Directives

In April, CERT-In issued new guidelines mandating all private VPNs, cloud service providers, and other enterprises to collect user data such as names and addresses for a period of 180 days. 

The aftermath saw the exodus of all major global VPN providers from the country, including NordVPN, ExpressVPN, and SurfShark. 

The new directives received fierce criticism from digital advocacy groups, internet activists and the aggrieved companies. Many called the new norms detrimental to free speech, while others claimed that the new rules had the potential to enable state-sponsored mass surveillance, commercial profiling and censorship. 

In September, SnTHostings, with legal assistance from the Internet Freedom Foundation (IFF), mounted the legal case against the directives citing their detrimental effect on capital inflow into the country and India’s business reputation globally. 

It must be noted that there has been a sharp increase in cyberattacks on critical public infrastructure over the past few years. The recent AIIMS ransomware attack and a purported NIC data breach have brought forth attention to the safety of the systems. 

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.

You have reached your limit of free stories
Become An Inc42 Plus Member

Become a Startup Insider in 2024 with Inc42 Plus. Join our exclusive community of 10,000+ founders, investors & operators and stay ahead in India’s startup & business economy.

2 YEAR PLAN
₹19999
₹7999
₹333/Month
UNLOCK 60% OFF
Cancel Anytime
1 YEAR PLAN
₹9999
₹4999
₹416/Month
UNLOCK 50% OFF
Cancel Anytime
Already A Member?
Discover Startups & Business Models

Unleash your potential by exploring unlimited articles, trackers, and playbooks. Identify the hottest startup deals, supercharge your innovation projects, and stay updated with expert curation.

VPNs Prone To Misuse, Info Sought Under CERT-In Directives Not Sensitive: Centre-Inc42 Media
How-To’s on Starting & Scaling Up

Empower yourself with comprehensive playbooks, expert analysis, and invaluable insights. Learn to validate ideas, acquire customers, secure funding, and navigate the journey to startup success.

VPNs Prone To Misuse, Info Sought Under CERT-In Directives Not Sensitive: Centre-Inc42 Media
Identify Trends & New Markets

Access 75+ in-depth reports on frontier industries. Gain exclusive market intelligence, understand market landscapes, and decode emerging trends to make informed decisions.

VPNs Prone To Misuse, Info Sought Under CERT-In Directives Not Sensitive: Centre-Inc42 Media
Track & Decode the Investment Landscape

Stay ahead with startup and funding trackers. Analyse investment strategies, profile successful investors, and keep track of upcoming funds, accelerators, and more.

VPNs Prone To Misuse, Info Sought Under CERT-In Directives Not Sensitive: Centre-Inc42 Media
VPNs Prone To Misuse, Info Sought Under CERT-In Directives Not Sensitive: Centre-Inc42 Media
You’re in Good company