The government has the right to seek records related to virtual private network (VPN) users in order to combat cybercrimes, said a senior government official.
“Most of the frauds were happening through VPNs,” the official said. “We are just saying you keep the records for five years… we are not saying give it to us. We are saying keep the records – if required, then any law enforcement agency can ask. I think that’s a very fair ask. It’s an evolution. All the countries are moving in that direction… Police have the right to ask the criminal to remove the mask or not – same is the case here.”
India has more than 270 million VPN users, who use them to access company networks securely, remain anonymous, access geo-restricted content, stay safe on public Wi-Fi networks, and get around internet curbs, among other things. The move could render VPN services illegal in India if providers don’t comply.
As per the new rules, which will come into effect within 60 days of being notified, all enterprises will have to report any cyber security incident to CERT-In within six hours and store all data for a stipulated period of time.
Security experts point out that it currently takes days or even months before some enterprises realize that they have been compromised.
n a letter to the cyber security agency, the Information Technology Industry (ITI) Council asked for a delay in implementation and opened the matter up to wider stakeholder consultation.
“The directive has the potential to improve India’s cyber security posture if appropriately developed and implemented,” said Kumar Deep, country manager at the ITI Council. “However certain provisions, including counterproductive incident reporting requirements, may negatively impact Indian and global enterprises and undermine cyber security.”