New Delhi: CERT-In or Computer Emergency Response Team, India's nodal agency that deals with cyber security threats, hacking and phishing has recently asked virtual network providers (VPN) service providers in India to collect and store extensive user data for at least five years, citing objectives like fighting cybercrime and invoking the country's integrity and sovereignty.
The mandate for VPN companies includes maintaining all consumer's details, the purpose behind using the VPN services and the faux and original IP addresses and the decision is likely to hurt VPN companies as maintaining privacy is the key USP. The new CERT-In rules come into effect next month. Even as the government-appointed nodal agency's directive is aimed at strengthening the country's cyber security it raises a pertinent question of privacy as VPN companies cater to users who want to conceal their identity. How badly the move will hurt VPN services providers and will they remove their servers from India?
ABP Live spoke to NordVPN, a leading VPN service provider operating in India and several information security and cybersecurity companies to understand what they thought about the new directive from CERT-In.
"While our team is still investigating the new directive and exploring possible courses of action, the impact will probably depend on the policies and stance of each company. It is very likely that privacy-oriented VPN services may decide to leave India if left with no other options to preserve the privacy of their customers," Laura Tyrylyte, Head of Public Relations at Nord Security, told ABP Live.
NordVPN believes the directive will hurt VPN service providers in the country to some extent. "First of all, companies that will decide to remove their servers, will have to look for other means to meet the requirements of customers who used those servers. But even more importantly, the fact that such a law came into effect in the first place, is alarming," Tyrylyte explained.
CERT-In's mandate to also pinch ISPs and data centres
"The regulations will affect not only VPN services but also other internet infrastructure providers as well. ISPs and data centres will have to look for means to store huge amounts of data in order to comply with the directive, which will add operational overhead and may increase the cost of their services. On NordVPN’s end, we will do everything in our power to minimise any negative effects," Tyrylyte informed.
NordVPN intends to have a dialogue with govt for a middle ground
"We are strong proponents of the dialogue. The agenda of the Indian government is not exactly clear and we are still familiarising ourselves with the law, but from what it seems, the aim of the regulation is to improve the state of cybersecurity. If that is the case, the discussion on how the state and VPN companies can cooperate without compromising people’s privacy could be a good first step," Tyrylyte said.
Cybersecurity and IT security companies welcome the move
Even as CERT-In's directive can affect users' privacy and VPN firms operating in India, the cybersecurity companies have welcomed the decision. "Cybercriminals make regular use of VPNs to avoid law enforcement interception. Software piracy, ransomware infections, online fraud and many such activities are carried out online. While carrying out these operations at the backend, use of VPN is common among cybercriminals. The new mandate will help law enforcement guys to crack cybercrime cases to some extent," Sanjay Katkar, Chief Technology Officer, Quick Heal Technologies Ltd., told ABP Live.
"VPN has some great advantages and helps millions of organisations to use the internet securely for the very protected and secured data of the organisations. With the renewed focus on working from home having a proper VPN is a must. With the new government decision, nothing is going to stop these usages but there will be some apprehension about where it can finally end up. There is no denying the fact that there are not so many right causes VPNs are used and it is definitively bringing more control for those usages. This will definitely discourage users who use it for such activities," said Sandeep Lodha, Co-Founder of Netweb Technologies.
"The new provision is likely to impact both VPN users and VPN companies. VPN companies have to keep a record of the personally identifiable information of users such as the name of the customers, their IP addresses, and usage patterns among others," said Kunal Bajaj, CBO, eSec Forte Technologies.