The Indian Computer Emergency Response Team (CERT-In), has issued a clarification that its new guidelines mandating the storing of user data for five years of virtual private network (VPN) users, apply to enterprises and corporates, as well as individuals.
“We came across some media reports with misleading information that corporate VPNs are exempted from the new rules,” CERT-In said.
It added: “Exemption is only for those corporates using in-house VPNs, as they use them for their own employees and do not require billing or registration… The exemption does not extend to those using third party or enterprise VPNs”.
The CERT-In is likely to share a fresh FAQ (frequently asked questions) addressing the doubts and issues shortly before the rules are set to go into effect by June end.
In April CERT-In, which is a wing of the Indian Ministry of Electronics and Information Technology (MeitY), mandated that VPN service providers should keep user data, including contact details, original and faux IP addresses and their purpose behind using the services, for five years.
The rules are expected to come into effect by the end of June and would affect India’s estimated 270 million VPN users.
This has prompted protests from several international VPN service providers like NordVPN and ProtonVPN, who provide service with a “no-log of activity” assurance and they have threatened to quit the market.
“We are committed to protecting the privacy of our customers; therefore, we may remove our servers from India if no other options are left,” NordVPN said in a statement.
“The new Indian VPN regulations are an assault on privacy and threaten to put citizens under a microscope of surveillance. We remain committed to our no-logs policy…” tweeted the Swiss-based VPN service provider ProtonVPN.
According to an explanation given by Cert-In, the reason for seeking these details is that “it will help to effectively trace anti-social elements and cybercriminals indulging in various nefarious activities online”.
India has recently implemented new policies to fight cybercrime and under this policy, the data stored by the VPN providers should be shared with the authorities to map out cybercrime activities.
A CERT-In official has clarified that the government wants user info of any given VPN IP at a given point of time and not the complete traffic history of the user.
“Our focus is to help law enforcement in fighting cybercrime… The government wants registration info like email address, billing info or other identifiers of the suspect or accused from VPN companies for that purpose,” the official said.
Technivorus’ co-founder and director, Sunny Nehra, said the new rules are “an important decision by the government and they need well-defined goals”.
“The policy will not have much impact in solving mainstream or high-level technical cybercrimes in banking and cyber-terrorisms.
“Cybercriminals use Socks5 proxies, proxy chain tools, Tor browser and many more options. Another problem is what if some VPN accepts crypto as payment and the user uses some anonymous mails?” he said.
Technivorus is a security firm that delivers customised cybersecurity, digital marketing, web and application development, among other services, to customers.
Nehra also raised a concern that VPN applications are the soft targets while bigger threats like proxies are not addressed.
Though the government has not asked for traffic logs of users here, Nehra suggested that it was good to have one.
He shared the example of Citizen Lab which used a VPN application (encrypted with a logging server) to monitor the traffic of suspected targets of Pegasus.
“Traffic logs helped them find unusual traffic leading to the identification of iMessage flaws, domains used to infect the targets,” he said.
So even if the government would someday force them to keep traffic logs, it would be for their betterment, Nehra said.
“Privacy and security are always arguable and in most cases, security matters more”, he added.
Nehra added, “India may probably shut down no-log VPN servers if they do not comply with the rules”.