The directions issued by Cert-In on April 28 presented an existential crisis, as they mandated that the firm collect a range of personal data and share it with Cert-In on demand and/or on the occurrence of a cybersecurity incident, the company said in its petition.
The High Court heard detailed submissions from the counsel and directed Cert-In to provide its response within four weeks.
Cert-In’s directions, issued under the Information Technology Act, 2000, require VPN providers and cloud service providers to report cyber incidents within six hours and maintain personally identifiable data of users for five years.
Under the rules, VPN providers will need to store validated customer names, their physical addresses, email ids, phone numbers, and the reason for using the service, along with the dates of use and their ‘ownership pattern’.
In addition, Cert-In has also asked VPN providers to keep a record of the IP and email addresses that the customer uses to register the service, along with the timestamp of registration.
VPN providers will also have to store all IP addresses that their customers generally use. This, Cert-In said, would bolster India’s cybersecurity and address gaps in incident analysis.
The companies have, however, argued that keeping such logs would go against user privacy and the very nature of the service they provide.
The Internet Freedom Foundation (IFF), the legal counsel for SnTHostings, told ET that five international VPN providers have left the country due to these fresh mandates.
Tanmay Singh, senior litigation counsel, IFF, who is representing SnTHostings proprietor Harsh Jain, said international VPN service providers like Express VPN, Nord VPN, Proton VPN, Surfshark, and TunnelBear had exited India.
“Proton VPN and TunnelBear announced their departure around the weekend as Cert-In’s directions had to be followed from September 25 and (they had to) maintain user logs,” Singh said.
Harsh Jain did not respond to calls from ET.
Singh pointed out that as a small business, SnTHostings falls in the micro, small and medium enterprise (MSME) category.
“He (Jain) is not challenging the entirety of Cert-In’s directions, but just directions IV and V, which require all service providers like data centres to maintain user logs for 180 days. This includes user activity, his/her data, which must be stored on the company’s server at his cost for six months or more,” Singh said.
Direction V requires VPN service providers to collect vast amounts of personal data of users which they are not in the business of collecting, he added.
The requirement to start collecting details like name, IP address, physical address, contact information, and the purpose of using the VPN, and to keep them for five years even after the user’s relationship with the VPN service provider has ended, has been challenged in court.
“A small business like this based in India can’t pack up and leave the country like the multinational service providers. He has been based here all his life. They must stay here and fight it out,” Singh said.
While multinational companies that do not agree with Cert-In’s directions may choose not to place any physical assets in a certain market, local players do not have that option, he said. “There are enough small-time players who have just a few clients and not a burgeoning business,” he said.
The mandates have completely changed the nature of the VPN services.
“The whole point of VPN is that they provide private and secure networks for you to access the internet. If they start logging user data like internet service providers (ISP), they’re no different from ISPs,” he said.
ISPs facilitate internet navigation and help in transmitting all internet packets. VPN providers, by contrast, create a secure tunnel in which data is encrypted during transmission.
Cert-In’s directions have diluted the role of VPNs to the extent that they are no longer VPNs.
“This has a serious adverse impact on user privacy and user security. In India, where we don’t have a data protection law, service providers will have access to virtual storerooms of large amounts of data, which increases vulnerability,” he added.