Industry experts believe that companies and enterprises affected by the Ministry of Electronics and Information Technology’s (MeitY) new directions to virtual private network (VPN) service providers, which require them to store data of Indian users for up to five years, may move to oppose the policy.
A VPN is used to hide a user’s location and to encrypt information in transit between sender and receiver. This can be an enterprise’s data sent over cloud networks and storage, or files exchanged between two individuals.
“We’re quite astonished at this policy move by the world’s largest democracy, which is on the brink of becoming the world’s largest police state. We are reaching out to Indian authorities and reviewing the policy guidelines to assess what it means for foreign companies serving users in India. PureVPN is a no-log VPN; user anonymity and security is a central priority, but if that is compromised by this policy, then we will have to consider our position in India,” Uzair Gadit, Co-Founder & CEO, PureVPN, which has over 3 million users worldwide, told BusinessLine.
He added: “The policy suggests that details, including user name, email address, phone numbers and IP addresses among other data, need to be stored for at least five years. However, PureVPN stores no identifiable information, nor does it record or store user activity, so this presents a significant risk for our users. More widely, this will impact the wider VPN industry.”
Cyber security vulnerabilities
Data centre companies and cryptocurrency exchanges, too, were asked to collect and store user data by the Indian Computer Emergency Response Team (CERT-In), which works under MeitY. Additionally, VPN companies will have to regularly report cases involving the 20 cyber security vulnerabilities listed by CERT-In in its previous directions.
According to Amitabh Singhal, Director, Telxess Consulting Services, and former President of Internet Service Providers Association of India, “The enterprises and service providers will certainly have a problem with such ‘omnibus directions’ (as opposed to specific event/s specific lawful interception actions by LEAs), which force them to keep and share users and usage related data/information about each other with the government agencies. Generally, VPN services are not expected to keep such data. At the same time govt provides no corresponding guarantees and reliable processes of how it’ll keep and use the information.”
He added: “Businesses, especially those conducting transnational business with and within India, will likely have serious doubts about the safety of their data and this could go against the very spirit of Ease of Doing Business. I won’t be surprised if multinationals decide to take their outsourced business in India, elsewhere with more business friendly territories.”
Kills anonymity online
Srinivas Kodali, independent researcher and privacy rights activist, believes that CERT-In asking companies for records on a case-by-case basis is important, but that it does not need to gather every piece of information about the user.
“CERT-In’s mandate is to help cyber security, but it has no history of doing so. We have seen so many breaches and incidents in India and we have rarely seen CERT-In doing anything significant. Now, suddenly they want to do something about it and by trying to start monitoring everything that happens on the Internet. So that when something happens, they can catch the culprit easily. But what it is trying to do will pretty much kill anonymity on the Internet by tracking every IP address on the Internet,” he told BusinessLine.
“While CERT-In is claiming that this data will be used only when there’s a breach, by collecting and maintaining these logs of such data, an attacker too could always use it. And this attacker could be the government itself. The issue is that whatever information CERT-In will ask, will always be secretive. However, these rules are not really implementable, a lot of companies especially global giants with Indian offices will oppose this,” Kodali added.
Singhal said: “These directions really hit at the core reasons why VPN is used in the first place, privacy, trust and security of sensitive information. These directions also pretty much resemble the Chinese methods of state interventions in the way one can do business there, i.e., of an overwhelming use of state power and authority.”