India is pushing ahead with its new cybersecurity rules that will require cloud service providers and VPN operators to keep their customers’ names and IP addresses, despite many companies threatening to leave the world’s second-largest internet market due to new guidelines.
The Computer Emergency Response Team of India clarified (PDF) on Wednesday that “Virtual Private Server (VPS) Providers, Cloud Service Providers, VPN Service Providers, Virtual Asset Service Providers, Exchange Providers of virtual assets, escrow wallet providers and government organizations” must follow the directive, called the Cybersecurity Instructions, which requires them to store customer names, email addresses, IP addresses, know their customer records, financial transactions for a period of five years.
The new rules, which were revealed late last month and take effect at the end of June, will not apply to corporate and enterprise VPNs, the government agency clarified.
New Delhi is also not relaxing a new rule that requires companies to report incidents of security lapses, such as data breaches, within six hours of reporting such cases.
Rajeev Chandrasekhar, India’s junior IT minister, told reporters on Wednesday that India was being “very generous” in giving companies six hours to report security incidents, pointing to nations like Indonesia and Singapore that he said had had stricter requirements.
“If you look at precedence around the world – and understand that cybersecurity is a very complex issue, where situational awareness of multiple incidents allows us to understand the force majeure behind it – reporting accurately, timely and mandatory is a part absolutely essential to the ability of CERT and the government to ensure that the internet is always secure,” he said.
Several VPN providers have expressed concern about India’s new cybersecurity rules. NordVPN, one of the most popular VPN operators, has previously said that it may remove its services from India if “there are no other options left”.
Other service providers, including ExpressVPN and ProtonVPN, also shared their concerns. “The new Indian VPN regulations are an attack on privacy and threaten to put citizens under a surveillance microscope. We remain committed to our no-logs policy,” said ProtonVPN.
Earlier this month, the New Delhi-based digital rights advocacy group Internet Freedom Foundation said the new directions were vague and undermined user privacy and information security, “contrary to CERT’s mandate.”
On the other hand, many welcomed some changes. “There was a lot of pressure on CERT-In with large scale data breaches being reported across India. Most of the breaches were denied by the companies, and despite its mandate, CERT-In never acted on these reports,” said Srinivas Kodali, researcher.