In late April 2022, the Indian Computer Emergency Response Team (CERT-In), a state-run cyber security agency, issued a bizarre notification, which many activists believe spells the death knell for user privacy in the country.
The new directives from CERT-In, which are slated to go into effect on June 27, say that all internet companies, intermediaries, data centres, VPNs (Virtual Private Networks) and related service providers in India have to store user log details for five years and are obliged to share them when asked by government agencies.
By definition, a VPN is a private sanctuary for people to explore the online world without worrying about being monitored by government agencies or cyberstalkers. Generally, people use a VPN to watch TV series or movies on OTT (Over-The-Top) apps such as Amazon Prime Video and Netflix or to play games on the web. The content available is restricted to a few countries based on where the person is located, whilst the rest of the world is virtually geo-blocked. A VPN allows a person to get around the geo-blocking.
What many may not know is that cybercriminals use VPN applications to hack the computer systems of corporate companies and the phones of celebrities, as these applications offer them secret pathways to hide their tracks. Bad actors also engage in the trade of illegal items such as drugs, guns and ammunition, as well as human trafficking, in the area of the web called the darknet. This is primarily why government agencies want VPN service providers to store user data such as email IDs, phone numbers and device IP addresses for five years, even if subscribers have stopped their subscriptions.
The CERT-In notification also says that "any service provider, intermediary, data centre, body corporate and government organisation shall mandatorily report cyber incidents as mentioned in Annexure I to CERT-In within six hours of noticing such incidents or being brought to notice about such incidents." If service providers don't comply with the order, they face criminal liability for imprisonment under Section 70B of the Information Technology Act 2000 and other applicable laws.
Some VPN service providers, however, are not buying the Indian government's argument and have strongly reacted to the latest CERT-In notification.
"The new Indian VPN regulations are an assault on privacy and threaten to put citizens under a microscope of surveillance. We remain committed to our no-logs policy," said ProtonVPN, a US-based company.
Senior technology journalist Vivek Umashankar says, "I believe all my data is already online, thanks to prominent social media platforms like Facebook, Twitter and Instagram. I have been using VPN for a long time, and the recent move from the Government of India isn't really concerning me as I mostly use VPN to access some of the blocked content on the internet."
"The latest notification from CERT-In to VPN service providers does sound worrying and definitely goes against the laws of net neutrality," he says. "However, I personally feel that people should not worry or even stop using VPN, until and unless they are using VPN for committing a crime or for breaking the law of the land (Indian Constitution)."
OpenText VP of Strategic Development Anthony Di Bello says, "This announcement (from CERT-In) raises an interesting two-fold challenge that is not immediately clear. One is related to additional costs for VPN providers and one is related to the 20 named vulnerabilities CERT-In will require reporting against." OpenText is a Canada-based enterprise information management company.
"First, in addition to storage costs, VPN providers will have to bear the cost of investments required to accurately detect and report on any of the 20 vulnerabilities," Di Bello says. "Second, a question arising from this is, do VPN providers have the ability to detect any/all of the 20 vulnerabilities articulated, and if not, what technology is required to fill gaps in the VPN providers' detection capabilities?"
For instance, Di Bello notes that there are countless ways in which an attacker can achieve a data breach and it's not clear just by looking at the list. Thus, VPN providers will be required to understand how any of these articulated vulnerabilities could occur, map the causes to existing security stacks and perform a gap analysis to understand what technology and processes will fill the detection gap to flag any of the 20 vulnerabilities.
"The burden this puts on VPN providers is high and will require technologies such as Endpoint Detection and Response, Network Detection and Response in order to accurately detect and report against these new requirements," Di Bello says.
At this juncture, it's essential that the Indian government bring out clearer notifications on how VPN service providers are supposed to get the complete details of a data breach in any government or corporate entity within six hours. This matters because not all VPN companies have big budgets to upgrade to the latest technologies in a short time frame. As it stands, it appears impractical to expect every service provider to comply with the government order by the deadline.