MeitY to discuss new cybersecurity rules with VPN firms on Friday

The Ministry of Electronics and Information Technology (MeitY) has invited stakeholders including virtual private network (VPN) companies, tech policy groups, legal experts, and other cybersecurity experts for a consultation on Friday to discuss various aspects of the Indian Computer Emergency Response Team’s (Cert-In) latest guidelines on cybersecurity, sources told ET.

The consultation is likely to be chaired by Minister of State for Electronics and Information Technology Rajeev Chandrasekhar. It has been planned by the IT ministry in response to a joint letter sent by tech policy groups such as The Dialogue, AccessNow, Internet Freedom Foundation, SFLC.in, BSA India and others.

The meeting comes just days after two VPN companies, Surfshark and
ExpressVPN, decided to stop their services in India after the government asked them to store the logs of clients, along with details such as name, address and the purpose for which the VPN service was used.

“It is a high-level meeting in which policy heads from various companies will also be present. There will be discussions primarily on the Cert-In directives which were issued on April 28, and whether it has had an adverse impact on the startup ecosystem yet. We also expect senior officials from other ministries to be present,” a source said.

Surfshark had said that it “proudly operates” under a strict ‘no logs’ policy and that since the Cert-In’s directions “go against the core ethos of the company”, it would shut down its physical servers in India before the new law comes into effect.

Apart from VPN companies, tech policy groups and cybersecurity, as well as legal experts, have also pushed back against the new directives.

In various letters to the IT ministry as well as to Cert-In director general Sanjay Bahl, tech policy groups and cybersecurity experts have said that reporting a cybersecurity incident within six hours from being aware of it and a lack of clarity on what constitutes a severe or a large-scale incident could potentially “undermine incident investigation and response, including the deployment of defensive measures”.

Business advocacy groups such as the US-India Business Council, the Cybersecurity Coalition, US Chamber of Commerce, and the Bank Policy Institute have also written to the IT ministry claiming that rules such as retaining customer details for five years by VPN providers would “put people’s privacy at risk”.

The government has so far, despite the pushback from the industry and the two VPN companies logging out of India, remained firm on its stance. Chandrasekhar had, while releasing a set of frequently asked questions on the new guidelines, said that companies which did not wish to adhere to the Cert In guidelines, were free to leave India.

Stay on top of technology and startup news that matters. Subscribe to our daily newsletter for the latest and must-read tech news, delivered straight to your inbox.