On April 28, the Computer Emergency Response Team (CERT-In), India’s nodal cybersecurity agency issued directions pertaining to cybersecurity, where Virtual Private Network (VPN) providers, data centres, crypto exchanges and others were told to preserve data about their customers for a period of five years. This, it said was to “coordinate response activities as well as emergency measures with respect to cyber security incidents.” The Internet Freedom Foundation said in a statement that the directions are “vague” and undermine user privacy and information security.
These new directions require service providers — data centres, VPNs, Virtual Private Service (VPS) providers have to require and maintain information about their customers for a period of five years or longer. This information includes the validated name of the subscriber or customer, period for which they hired the service including dates, IPs being used by the members or allotted to them, the email address, time stamp and IP address at the time of registration, the purpose for which it was taken out, address and contact numbers, and ownership patterns. It adds that this information must be kept even after customers cancel their accounts.
VPN providers usually have policies where they do not keep logs, and in fact, is the lacunae they filled. According to CNET, services such as ExpressVPN and Surfshark would not be able to monitor URLs as required as the work only with RAM-disk servers and other log-less technology. It is possible that if these rules come into effect, providers may not be able to legally operate in India.
Founder of the Software Freedom Law Centre Mishi Choudhary said that the requirements to register VPN users and linking of identification to IP addresses raise privacy concerns. “CERT-In cannot take away the right to use certain tools in the garb of cyber security.”
IFF added that mandatory collection and perpetual storage of such large amounts of sensitive user data creates cybersecurity risks. “Beyond surveillance, due to technical vulnerabilities such data can and may be exposed. Further, it will reduce innovation and increase cost on digital services,” it said.
As Pranesh Prakash, co-founder of the think tank Centre for Internet and Society told BloombergQuint, said that there is no reason for a VPS provider, for example, to know the purpose for which it is being hired, and the purpose may change from time to time and it does not benefit cybersecurity for a record to be kept. “The CERT-In is not empowered to seek this information as it is not relevant for the purposes of the agency,” he said.
CERT-In’s rules also requires for all cybersecurity incidents to be reported to the agency within six hours of the incident coming to light. The incidents mentioned cover a broad range of items, and 20 of them are listed. These include data breaches and leaks, unauthorised access of IT systems, DoS and DDoS attacks, unauthorised access to social media accounts; identity theft, spoofing and phishing attacks; attacks on server infrastructure and more. Experts have said that this will also increase the burden on companies.
“There is a compressed timeline of 6 hours (irrespective of the size of entity). There is no disclosure for users who are the actual victims or oversight on CERT-In for actions pursuant to a report,” IFF said. It adds that the nature of the incidents is vague, which results in uncertainty and “erodes operational security”.
The rules also tell crypto exchanges and wallets to maintain KYC details and records of financial transactions for five years. Information related to transitions includes the person’s identity, IP addresses and time zones, transaction ID, public keys, addresses or accounts involved, nature and date of the transaction as well as the amount that was transferred.
These rules, issued under Section 70B of the Information Technology Act. Subsection 7 of this Act says that any service provider, intermediaries, data centres, body corporate or person who fails to provide the information can be punished with imprisonment for upto a year. Due to this, Internet Freedom Foundation said, there needs to be greater care on who they apply, what the compliance demands are and their link to cybersecurity.
The rules demand that all entities must maintain logs of their information and communication technologies (ICT) systems for a period of 180 days within India. The direction that requires time servers must align with the National Informatics Centre (NIC) or the National Physical Laboratory has also been criticised.
CERT-In’s rules say that it can demand information for the purposes of cyber incident response, and the service provider/intermediary/data centre/body corporate will be mandated to take action, provide information or provide any other assistance.
The rules go into effect on June 27. Internet Freedom Foundation urged CERT-In to recall the rules, and asked for prior public consultation and transparency.
A post by law firm Trilegal states that the directions widen the compliance net for entities greatly.
“The ambiguity with regard to its scope and applicability, combined with an intention to invoke penal provisions for non-compliance may make requirements such as six hour reporting, localising system logs and syncing all systems to Indian NTP fairly onerous for various entities, such as cloud service/storage providers to operate in a legally compliant manner in India,” it said.
Several provisions of the directions “appear to be in excess of or in deviation from the provisions of the CERT-In Rules and the IT Act itself,” it said, and that the interpretation that courts and regulators will take remains to be seen.