Explained: CERT-In’s new cybersecurity norms, and why it is likely to issue a clarification about them

The cybersecurity norms announced by the Indian Computer Emergency Response Team (CERT-In) last month, which require virtual private network (VPN) service providers to preserve a wide range of data on their customers for five years, may not apply to enterprise and corporate VPN providers, The Indian Express has learnt.

CERT-In is learnt to be working on releasing more details of the cybersecurity directive issued in April, which has been opposed by industry stakeholders. According to sources, the agency could clarify that the norms apply only to VPN providers who offer “Internet proxy like services” to “general Internet subscribers”, and not to corporate VPN service providers.

What are these norms that CERT-In is clarifying?

The norms, released on April 28, asked VPN service providers, along with data centres and cloud service providers, to store information such as names, email IDs, contact numbers, and IP addresses (among other things) of their customers for a period of five years. Entities are also required to report cybersecurity incidents to CERT-In within six hours of becoming, or being made, aware of them.

The norms have triggered concerns over privacy, and CERT-In is expected to clarify that private information of individuals will not be affected by the directions.

“These directions do not envisage seeking of information by CERT-In from service providers on a continual basis as a standing arrangement. CERT-In may seek information from service providers in case of cyber security incidents and cyber incidents, on a case-to-case basis, for discharge of its statutory obligations to enhance cyber security in the country,” according to a person aware of the clarifications that CERT-In is in the process of finalising.

The agency is also likely to include in its clarifications that the April 28 directive to store such information and share it with CERT-In will “override” any contractual obligation VPN providers may have with their customers of not disclosing such information.

Queries sent to the IT Ministry and CERT-In Director General Sanjay Bahl were not immediately answered.

But why has CERT-In felt the need to issue a clarification?

Prominent VPN providers, a large part of whose value proposition is ensuring anonymity of their users on the Internet, have questioned the directives, and some providers like NordVPN are even considering pulling their servers from India should the directive be enforced on them.

“At the moment, our team is investigating the new directive recently passed by the Indian government and exploring the best course of action. As there are still at least two months left until the law comes into effect, we are currently operating as usual. We are committed to protecting the privacy of our customers, therefore, we may remove our servers from India if no other options are left,” Laura Tyrylyte, head of public relations at Nord Security, said.

VPN providers like Surfshark have claimed that their technology does not allow the logging of users’ information. “Surfshark has a strict no-logs policy, which means that we don’t collect or share our customer browsing data or any usage information,” Gytis Malinauskas, head of the legal department at Surfshark, said.


“Moreover, we operate only with RAM-only servers, which automatically overwrite user-related data. Thus at this moment, we would not be able to comply with the logging requirements even technically. We are still investigating the new regulations and its implications for us, but the overall aim is to continue providing no-logs services to all of our users,” Malinauskas said.

How has the government responded to these concerns?

Speaking to The Indian Express earlier this month, IT Minister Ashwini Vaishnaw had said there was “nothing to worry about” in CERT-In’s norms. “There is no privacy concern. Suppose somebody takes a mask and shoots, wouldn’t you ask them to remove that mask? It is like that,” Vaishnaw had said during an interview.

Explaining the need for the rules, he had said, “Cybersecurity is something which is continuously evolving. So we have issued very comprehensive guidelines from CERT-In. Ultimately, if there is a threat to you, the police and you would both have to work together.”

“The basic concept (of the guidelines) is that the people who are actually running the infrastructure should take all possible steps to make sure that things are in place and if there is any breach, immediately inform us so that we can take action,” Vaishnaw said.
