CIO Insider

CIOInsider India Magazine


Government will Access Information using Legal, Administrative Channels

CIO Insider Team | Tuesday, 17 May, 2022

Companies covered by the new cybersecurity mandate from India’s Computer Emergency Response Team (CERT-In) will be open to information access through the proper legal and administrative channels used by the Centre.

If needed, the Ministry of Electronics and Information Technology (MeitY) will seek a court order or invoke its emergency powers under Section 69 of the Information Technology Act.

The Centre says that it will not carry out any sort of surveillance using CERT-In’s mandate. Instead, it has asked Virtual Private Network (VPN) companies to keep their record logs for five years so that law enforcement agencies can access them when required.

The IT ministry will issue more detailed clarifications in the coming days about the CERT-In mandate, whose guidelines are feared by the industry and privacy experts.

VPN service providers such as Surfshark and NordVPN predict that following the CERT-In guidelines could go against the nature of their services, which are designed to protect user privacy. Some providers have said they lack the technical means to comply with the order and will have to quit India if left with no choice.

“While data collection, validation, and KYC process have privacy concerns, it would also result in an operational cost for service providers, predominantly for start-ups, as they have to retain and store data for five years”, says Kazim Rizvi, founder, The Dialogue.

Policy experts say that the government’s mandate to store user logs and verify user details could impose significant costs on startups and small and medium enterprises.

Also, MeitY’s clarification on the recent mandate directing virtual private networks offering internet access to register and maintain logs of their customers may apply to neither enterprise nor corporate VPNs.

In its latest set of directives, issued earlier, CERT-In asked VPN service providers to maintain customer data for five years, including the purpose for which customers availed the VPN service.

Ratan Shrivastava, Managing Director, India at BowerGroupAsia, a public policy strategy advisory firm, said that corporates, financial service providers and allied global business service providers, who at times own their VPNs, do maintain their records and logs, but even for them storage for five years will entail additional capacity.

“An amendment may be required to the notification (rather) than a FAQ, to help classify the VPN categories, the service providers such as NordVPN and internet security service providers as Kaspersky/Norton, which offer masking as a part of their endpoint cybersecurity solutions”, he adds.

However, it is said that storing data for five years could mean additional cost, the need to create data storage infrastructure and difficulty in passing it on to end customers for professional VPN service providers.
