“We do not intend to use CERT-In’s mandate to do any sort of surveillance,” said officials noting that “we have just asked virtual private network (VPN) companies to keep a record of their logs for five years, so that, if needed by law enforcement agencies, it can be accessed after following the due procedure.”
The IT ministry is likely to come out with detailed clarifications on the CERT-In mandate in the coming days, sources said, in the wake of concerns raised by
industry and privacy experts over the new guidelines.
ET had reported last week that an official document is being prepared to allay the widespread misgivings.
Several VPN service providers, including Surfshark and NordVPN, had hit back at the government stating that adhering to CERT-In guidelines would go against the nature of their services, which are designed to protect user privacy. Some providers said that they don’t even have the technical means to comply with the order and will have to quit India if “left with no other option”.
Discover the stories of your interest
In the list of clarifications to its April 28 mandate, CERT-In is likely to say that the directive to store customer information applies only to those VPNs that offer services to general internet subscribers, as reported by ET, last week .
Meanwhile, policy experts point to apprehension amongst startups and small and medium enterprises that the government’s mandate to keep logs of users and verify the details, will significantly add to their costs.
“While data collection, validation, and KYC process have privacy concerns, it would also result in an operational cost for service providers, predominantly for start-ups, as they have to retain and store data for five years,” Kazim Rizvi, founder of tech policy group The Dialogue said.
Sources in the know said that in the coming days Meity is also likely to clarify that the recent mandate directing virtual private networks (VPNs) offering internet access to register and maintain logs of their customers may not apply to enterprise or corporate VPNs.
In a set of fresh directives issued earlier, CERT-In had asked VPN service providers to maintain all customer data for five years, including the purpose for which the customer had availed the VPN service.
Ratan Shrivastava, Managing Director, India at BowerGroupAsia, a public policy strategy advisory firm said that corporates, financial service providers and allied global business service providers, who at times own their VPNs do maintain their records and logs but even for them storage for five years will entail an additional capacity.
“An amendment may be required to the notification (rather) than a FAQ, to help classify the VPN categories, the service providers such as NordVPN and internet security service providers as Kaspersky/ Norton, which offer masking as a part of their endpoint cybersecurity solutions.” he said.
The requests as required by the notification will be hard to implement by professional VPN Service providers, as the humongous data required to be stored for five years is an additional cost and will require creation of data storage infrastructure and difficult to pass on to the end customers, Shrivastava added.
“A 60-day compliance time to set up an online validation facility is a challenging task and will require significant engineering and architecting for a seamless onboarding experience. Similarly, validation of subscribers’ names, addresses, and contact numbers mandated through CERT-In directions would also increase operating costs, as the service providers will set up processes for the first time,” Rizvi added.