The Indian government recently asked VPN service providers to record certain user information and retain it for a period of at least 5 years. This new rule, although necessary from a security point of view, violates the fundamentals of a VPN and has made VPNs pointless for many users.
New VPN rules in India
The new directive, entitled “Directions under sub-section (6) of section 70B of the Information Technology Act, 2000 relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet”, was released on April 28 by the Indian Computer Emergency Response Team (CERT-In) under the Ministry of Electronics and Information Technology.
According to the government, VPN providers have two months to comply with the law and start collecting data. The reason given by CERT-In is that it needs the ability to investigate potential cybercrime, but VPN companies disagree, with some saying they will disobey the order.
“The virtual asset service providers, virtual asset exchange providers and custodian wallet providers (as defined by the Ministry of Finance from time to time) shall mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for a period of five years so as to ensure cyber security in the area of payments and financial markets for citizens while protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets,” it added.
“With respect to transaction records, accurate information shall be maintained in such a way that individual transaction can be reconstructed along with the relevant elements comprising of, but not limited to, information relating to the identification of the relevant parties including IP addresses along with timestamps and time zones, transaction ID, the public keys (or equivalent identifiers), addresses or accounts involved (or equivalent identifiers), the nature and date of the transaction, and the amount transferred,” it further adds.
According to a document released by CERT-In, VPN service providers are asked to keep a record of the IP address and email details that users share when registering for the service, along with the registration timestamp. They will also need to know the list of all IP addresses assigned to users, as well as the list of IP addresses that users use frequently.
The new rules ask VPN providers to record and store the following customer information for at least five years:
- Name, email address and phone number
- The client’s purpose for using the VPN service
- The IP addresses assigned to the client and the IP address that the client used to register with the service
- “Ownership model” of the client
One of the main reasons CERT-In has given for collecting this information is that it will help to effectively track anti-social elements and cybercriminals who engage in various dishonest acts on the Internet.
According to a report by WIRED, several VPN providers expressed similar concerns about the new guidelines. For example, ExpressVPN’s vice president Harold Li said the company will never log user information or activity and will adjust its operations and infrastructure to maintain this principle “if and when necessary.”
“CERT-In is committed to responding to any cybersecurity incident,” said Srinivas Kodali, a researcher with the Indian Free Software Movement, which focuses on digitization in India, although he disputes its effectiveness in doing so. Keeping this information at hand should, in theory, allow CERT-In to investigate any event after the fact more quickly. But many believe this is not the whole story.
“CERT-In really has no clean record, and they have never protected the privacy of citizens,” says Kodali. “According to the rules, they are only going to demand these logs when they are really needed for the investigation. But in India, you never know how they will be abused.”
The law-enforcement approach of “collecting data first and then asking questions” also worries others. “It’s an easy way to remember all the data and keep track of your users,” said Anupam Chander, a law professor at Georgetown University in Washington, DC.
He added: “So if [India] needs it for law enforcement, intelligence or other purposes, they can get it later.” And capturing VPN data can potentially gather information about the millions of Indians who rely on the technology. According to data collected by the VPN service provider Atlas VPN, one in five Indians used a VPN in 2021, compared to 3 per cent in 2020.
In addition, Surfshark told WIRED that it cannot comply with India’s logging rules because it uses only RAM-only servers, which automatically overwrite user data, while ProtonVPN said that although it was monitoring the directive, it was committed to protecting its no-logs policy and the privacy of its users.
Types of cyber security incidents reported to CERT-In:
1. Targeted scanning/probing of critical networks/systems
2. Compromise of critical systems/information
3. Unauthorised access of IT systems/data
4. Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious code, links to external websites etc.
5. Malicious code attacks such as spreading of virus/worm/Trojan/Bots/Spyware/Ransomware/Cryptominers
6. Attack on servers such as Database, Mail and DNS and network devices such as Routers
7. Identity Theft, spoofing and phishing attacks
8. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
9. Attacks on Critical infrastructure, SCADA and operational technology systems and Wireless networks
10. Attacks on Application such as E-Governance, E-Commerce etc.
11. Data Breach
12. Data Leak
13. Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers
14. Attacks or incident affecting Digital Payment systems
15. Attacks through Malicious mobile Apps
16. Fake mobile Apps
17. Unauthorised access to social media accounts
18. Attacks or malicious/suspicious activities affecting Cloud computing systems/servers/software/applications
19. Attacks or malicious/suspicious activities affecting systems/servers/networks/software/applications related to Big Data, Block chain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones
20. Attacks or malicious/suspicious activities affecting systems/servers/software/applications related to Artificial Intelligence and Machine Learning.
Meanwhile, WIRED quotes ProtonVPN: “India’s new requirements for VPNs will undermine civil liberties and make it more difficult to protect your data online. Proton is monitoring the situation, but in the end we will never take any action that will weaken our VPN service or threaten the privacy of our users.”
ExpressVPN also said: “We are closely monitoring the situation as it develops, but we want to make it clear that ExpressVPN is fully committed to protecting the privacy of our users, including by never logging user actions, and will adjust our operations and infrastructure to maintain this principle if and when necessary. As a company focused on protecting privacy and freedom of expression on the Internet, ExpressVPN will continue to strive to ensure that users are connected to the open and free Internet, no matter where they are.”