Some VPNs leave India: it requires log retention

Some VPNs leave India

India has issued a directive requiring VPN providers to keep a log of connections for a minimum of 180 days and to collect and store a range of customer data for a full five years.

Anyone familiar with Virtual Private Network services will know that the best providers apply a so-called "no-log policy": a commitment not to store any information that can be traced back to a specific user, including, of course, browsing history and connection logs.

So, with this move, most likely aimed at curbing the spread of VPNs in its territory, India is requiring VPN services to break that policy.

Surfshark has reacted in the same way, deciding to shut down its Indian servers in response to the new regulation. For this company too, the withdrawal concerns only physical servers: virtual Indian servers will remain available, hosted in the United Kingdom and Singapore.

On its blog, Surfshark commented on the issue: "Taking such radical and highly impacting action on the privacy of millions of people in India will most likely be detrimental and severely damage the growth of the industry in the country. Ultimately, the collection of an excessive amount of data within the Indian territory without adequate protection mechanisms could lead to an increase in computer violations throughout the national territory."

As VPN firms start to leave India, government to hold a joint meeting

India's Ministry of Electronics and Information Technology (MeitY) is expected to meet VPN players along with tech policy groups, cyber security experts and legal experts, on Friday to review an earlier directive that requires VPN companies to store customer data for five years, and mandated companies in India to report a security breach within six hours.

According to the Economic Times, which broke the story, the meeting could be chaired by Minister of State for Electronics and Information Technology Rajeev Chandrasekhar. As of early Friday evening, government officials had not confirmed whether the meeting had taken place.

Technology policy groups including The Dialogue, AccessNow, Internet Freedom Foundation, Software Freedom Law Center, India, and BSA India had earlier written to the minister about the directive, which is likely to make it difficult for VPN firms to operate in India but also create higher compliance pressure on enterprises in India.

While an FAQ document issued alongside the directive, posted on the website of the Indian Computer Emergency Response Team (CERT-In), clarifies that the new rules would not affect enterprise VPN services, there is no such exemption in the directive itself.

"The FAQs document is not legally binding. The FAQs also state that it is an 'evolving document'. The fact that the document is not legally binding means neither BSA members nor any other organization can effectively rely on the FAQs to ensure compliance with the Directions. This could hurt their commercial operations, investments, and R&D activities," the BSA said in a letter dated May 30 titled "BSA concerns on the CERT-In Directions on Information Security Practices".

BSA India is also seeking clarity on what specific security incidents are required to be reported within six hours and has requested the government to extend the reporting time to 72 hours after discovery.

"Based on our experience and research, the initial 24-72 hours after a potential incident is discovered involves uncertainty and fast-paced investigative, containment, and remediation work. This is a critical period, since there is a consistent need to react in unexpected ways to new information as it is discovered," the letter said.

At least two VPN players, Surfshark and ExpressVPN, have already announced that they will remove their servers from India in response to the directive, which was issued on April 28 and takes effect toward the end of this month. NordVPN has also warned that it will remove its physical servers if the directive is not reversed.

"It's puzzling that a Govt that claims to be a cheerleader of the tech ecosystem regularly comes up with policies that are reminiscent of the license raj. Nowhere in the world do CERTs behave like rule-making bodies to rob citizens of their privacy and drive businesses out. A time limit of 6 hours and expectations of KYC mechanisms show how control at any cost is the north star here," said Mishi Choudhary, technology lawyer and online civil liberties activist. Choudhary is also the founder of the Software Freedom Law Center, India, which has been petitioning against the new rules.

The directive is expected to affect both consumers and enterprises. Privacy advocates fear it amounts to an attack on privacy, since it forces VPN companies to store information such as customers' names, email addresses, IP addresses, know-your-customer records, and financial transactions for five years; at the same time, the rules add to the compliance burden on enterprises, which will now be required to report any cyber security breach to CERT-In within six hours.

Copyright © 2022 IDG Communications, Inc.