Last year’s CERT-In directions mandated service providers including those offering virtual private networks (VPN) to maintain customer logs for a period of 5 years
In the latest conflagration between the Indian government and VPN service providers, the Indian Computer Emergency Response team sent notices to such companies inquiring about compliance to the cybersecurity guidelines the government released in April 2022.
The nodal body for cybersecurity under the Ministry of Electronics and Information Technology sent these notices to VPN service providers in February.
“The response received from entities are under examination, hence, at this stage there is no issue regarding blocking on blocking or initiation of any other proceeding as a result of non-compliance,” response to an RTI filed with the Department of Electronics and Information Technology by Internet Freedom Foundation (IFF) showed.
In another RTI, the department clarified the notices it had sent were restricted to VPN service providers and not any other service providers, body corporate, or government organisations.
Howevevr, CERT-In responses to the RTIs did not include any specifics to IFF’s queries on the total number of compliance notices that were issued; the list of entities to whom such notices were served; or the timeframe for compliance and the consequences of non-compliance.
Last year’s CERT-In directions mandated service providers including those offering virtual private networks (VPN) to maintain logs including IP addresses used to register for the VPN, IP addresses used to connect to VPN servers in India, and list of IP addresses issued for each customer for a period of five years.
This requirement earned the ire of VPN companies, who, while vowing non-compliance removed their servers from India in protest. Such companies include Switzerland-based Proton, Netherlands-based Surfshark, Express VPN, and Panama-based NordVPN.
Moneycontrol has reached out to these companies on whether they have received notices from CERT-In regarding compliance with the cybersecurity directions, and the article will be updated when a response is received.
The CERT-In directions are also facing a legal challenge, with Delhi High Court on September 28, 2022 issuing a notice to the Union government in response to a petition that argued that the directions was unconstitutional and it violated privacy of citizens.
– MoneyControl