SUMMARY
In an affidavit in the Delhi HC, the government said that retaining information such as names and addresses of subscribers would not ‘alter the nature’ of VPN
The Centre said that both state and non-state actors could exploit total anonymity in the cyber space to wreak havoc
The government is embroiled in a legal case with homegrown VPN service provider SnTHostings which has challenged the VPN guidelines issued in April
Virtual private networks (VPNs) are highly prone to misuse, the union government reportedly said in a filing before the Delhi High Court (HC) in a case challenging the VPN-related guidelines issued by the Indian Computer Emergency Response Team (CERT-In).
“[…] the reality is that the VPN Services, which are basically Internet-proxy like services, are highly prone to misuse, since the offenders cannot be traced in a timely manner, if at all,” the government said in an affidavit seen by Moneycontrol.
The HC had sought Centre’s reply on the plea challenging the guidelines.
The government said that disclosing and retaining information such as names and addresses of subscribers would not ‘alter the nature’ of VPN. It also said that anonymity could not be used as a ground for non-compliance with norms and for evading authorities.
The idea behind a VPN is to mask the identity of a user (IP address) by establishing a secure network via encryption over a public network.
Citing that both state and non-state actors could exploit total anonymity in the online arena to wreak havoc, the government said that it was justified in the collection of such identifiable data to analyse and investigate cyberattacks.
Quoting provisions of the IT Rules, 2011, the Centre said that the collected information, including names and addresses, were not ‘sensitive information’. It further added that the new norms did not require the disclosure of sensitive information including passwords, sexual orientation, medical records, among other things.
Describing the rationale behind notifying the VPN guidelines, the affidavit also stated that there was a paucity of such information with service providers, complicating investigation in the event of a cybercrime.
Calling for maintaining a balance between individual and societal interest, the Centre also claimed that the directives were not a form of ‘surveillance’ but involved handing over logs only in instances when a cyberattack was being probed.
Training its guns on the petitioner SnTHostings, the government accused the firm of ‘covertly representing’ the interests of global VPN providers. Noting that the Pune-based firm was already collecting requisite information that the VPN directives mandate, the Centre said that SnTHostings did not even publicise providing VPN services in the first place on its website.
The Contentious Directives
In April, CERT-In issued new guidelines mandating all private VPNs, cloud service providers, and other enterprises to collect user data such as names and addresses for a period of 180 days.
The aftermath saw the exodus of all major global VPN providers from the country, including NordVPN, ExpressVPN, and SurfShark.
The new directives received fierce criticism from digital advocacy groups, internet activists and the aggrieved companies. Many called the new norms detrimental to free speech, while others claimed that the new rules had the potential to enable state-sponsored mass surveillance, commercial profiling and censorship.
In September, SnTHostings, with legal assistance from the Internet Freedom Foundation (IFF), mounted the legal case against the directives citing their detrimental effect on capital inflow into the country and India’s business reputation globally.
It must be noted that there has been a sharp increase in cyberattacks on critical public infrastructure over the past few years. The recent AIIMS ransomware attack and a purported NIC data breach have brought forth attention to the safety of the systems.
