VPN service providers to be held liable if violated CERT-In directives: Official

Companies offering virtual private network (VPN) or cloud services in India will be held liable if they do not comply with the government’s cybersecurity policy, which mandates them to collect as well as maintain extensive and “accurate” data of their consumers for five years, an official familiar with the matter said.

“While there is no mandatory need for these companies to inform the Union ministry of electronics and information technology (MeitY) about complying with the directives, they may face charges if failed to provide information regarding a particular case if sought by the Centre,” the government official told HT requesting anonymity.

Earlier this month, Union minister of state for electronics and information technology Rajeev Chandrasekhar said that the companies must comply with the laws of the land or they can exit the Indian market. Defending the rules, the government said the information will only be sought on a case-to-case basis, therefore not violating citizens’ right to privacy.

ExpressVPN, one of the leading cloud service providers, has already announced that it is shutting its servers in India, becoming one of the first companies to pare back operations in the country after the Indian Computer Emergency Response Team (CERT-In) on April 28 issued directives that require additional compliances.

Several tech companies and experts have claimed that the directives, which came into effect on June 26, open avenues for misuse by mandating VPN service providers to maintain detailed logs of their customers.

ExpressVPN also cited similar reasons for folding its servers in the country. “India has ordered all VPN providers in the country to start logging user activity and storing it for five years. This is incompatible with our commitment to user privacy, so we have made the straightforward decision to stop operating VPN servers within India,” Harold Li, vice president of ExpressVPN, told HT in an email on June 2.

The new directives from CERT-in — the government’s nodal agency for detecting and responding to cyber incidents — may have far-reaching ramifications on how VPN services are offered and used in the country. The directives state that all cloud service providers and VPN providers will be required to maintain a series of extensive customer information for at least five years, even after “any cancellation or withdrawal of the registration” by a customer. The information includes validated names, address and contact number of customers, period of subscription, email address and IPs being used and purpose for using services, among others.

The norms will also apply to data centres and virtual private server (VPS) providers.

“With respect to transaction records, accurate information shall be maintained in such a way that individual transaction can be reconstructed along with the relevant elements comprising of, but not limited to, information relating to the identification of the relevant parties including IP addresses along with timestamps and time zones, transaction ID, the public keys (or equivalent identifiers), addresses or accounts involved (or equivalent identifiers), the nature and date of the transaction, and the amount transferred,” the norms stated. “The failure to furnish the information or non-compliance with the ... directions, may invite punitive action.”