India Warns VPNs to Comply With New Rules

The government is pushing ahead with its cybersecurity rules, requiring ISPs and VPNs to keep customer records...


We have already told you that India is looking to force VPN providers, ISPs and related companies to log and hand over customer data. It wasn’t an empty threat apparently, as the government is now pushing ahead with these rules, suggesting that firms unwilling to comply will have to pull out of the world’s second-largest internet market.

The Indian Computer Emergency Response Team said that “virtual private server (VPS) providers, cloud service providers, VPN service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and government organizations” will have to follow the directive, called Cyber Security Directions, and store customers’ names, email addresses, IP addresses, know your customer (KYC) records, and financial transactions for a period of five years.

The rules will go into effect in late June, but they won’t be applicable to corporate and enterprise VPNs.

Major cloud providers such as Amazon, Microsoft and Google will likely be doing whatever the government asks them to do — the opportunity is too big to miss — but we can’t imagine major VPNs deciding to comply.

In fact, several VPN providers have already reacted, saying the new regulations are “an assault on privacy and threaten to put citizens under a microscope of surveillance.” Nevertheless, they will have to comply or shut down their servers in the country. We expect the VPN giants to take the latter road and keep offering their services to Indians through servers in neighboring countries.

In addition, the government in New Delhi is not relaxing a new rule that requires firms to report security incidents such as data breaches within six hours of noticing them.

According to India’s junior IT minister, Rajeev Chandrasekhar, India was being “very generous” in giving firms six hours to report security incidents, pointing to countries such as Indonesia and Singapore that he said had stricter requirements.

“If you look at precedence all around the world — and understand that cybersecurity is a very complex issue, where situational awareness of multiple incidents allow us to understand the larger force behind it — reporting accurately, on time, and mandatorily is an absolute essential part of the ability of CERT and the government to ensure that the internet is always safe,” he said.

New Delhi-based digital rights advocacy group Internet Freedom Foundation has already commented on the new directions, saying they were vague and undermine user privacy and information security, which is “contrary to CERT’s mandate.”

On the other hand, there were those justifying the rationale behind some of the changes.

“There has been a lot of pressure on CERT-In with large-scale data breaches being reported across India. Most of the breaches were denied by the companies and despite its mandate, CERT-In never acted on these reports,” said Srinivas Kodali, a researcher.

One example took place in late 2020, when Tata-owned Indian online grocer BigBasket suffered an alleged data breach that spilled names, addresses and phone numbers of about 20 million users. BigBasket remains tight-lipped on the subject, and the hope is that the new regulations will help CERT-In react promptly and protect user data.

As for VPN users in India, if they are looking for super-fast local connections, they will soon have to go for servers in Pakistan, Bangladesh and Nepal. There will always be alternatives and that’s a good thing…