The government on Wednesday warned virtual private network (VPN) service providers that if they don’t adhere to the latest cyber security rules released by the Indian Computer Emergency Response Team (CERT-In), they will have to shut shop in India.
Here are the key takeaways from Minister of State for Electronics and IT Rajeev Chandrashekhar’s briefing:
1. Chandrashekhar said: “"There is no opportunity for somebody to say we will not follow the rules and laws of India. If you don't have the logs, start maintaining the logs. If you are a VPN that wants to hide and be anonymous about those who use its VPN and you don't want to go by these rules, if you want to pull out, then frankly you have no other opportunity but to pull out.”
2. As per CERT-In’s norms, released last month, VPN service providers, data centres and cloud service providers must store information such as names, email IDs, contact numbers and IP addresses of their customers for a period of five years. The rules also require entities to report cyber security incidents to CERT-In within six hours of becoming or being made aware of them.
3. The minister said India was being “very generous” in giving firms six hours to report security incidents, adding Indonesia and Singapore had stricter requirements.
4. However, the new rules, which come into effect late June, won’t be applicable to corporate and enterprise VPNs. The term “VPN service providers” refers to an entity that provides “internet proxy like services” through the use of VPN technologies, standard or proprietary, to general internet subscribers/users.
5. VPN software protect information by masking a device’s IP address, encrypting data and routing it through secure global networks to servers in other countries. In effect, VPN allows users to surf the internet in an anonymous manner.
6. Since the objective of the directions is to ensure timely reporting of cyber incidents to CERT-In, the FAQs clarify that the directions will be applicable to both companies located within and outside India. This seems to be in line with the provisions of the Information Technology Act, 2000 which applies to offences committed outside India so long as the offence involves a computer system or network located in India.
