CERT-In extends new privacy rules for VPN providers to September 25
The Indian Computer Emergency Response Team (CERT-In) has given Virtual Private Network (VPN) providers and cloud service operators an extension of three months to comply with its newly drafted VPN rules. This comes as VPN providers such as SurfShark, NordVPN, and ExpressVPN removed their India servers citing a threat to the anonymity and privacy of users.
However, the deadline now has been extended to September 25, the Minry of Electronics & IT (MeitY) said in a press statement.
On April 26, CERT-In had asked VPN service providers to maintain for five years or longer details such as the validated names of their customers, the period for which they hired the service, the IP addresses allotted to these users, the email addresses, the IP addresses and the time stamps used at the time of regration of the customers. It also wants VPN service providers to maintain data such as the purpose for which the customers used their services, their validated addresses and contact numbers, and the ownership pattern of the customers.
The minry’s cyber-arm in an order stated that it is extending the timeline for implementation of these Cyber Security Directions upon several requests of micro, small and medium enterprises (MSMEs). It also received multiple requests from VPN, Data Centres, Virtual Private Server (VPS) providers, and Cloud Service providers.
Meanwhile, the government is fixed on its stance on the new VPN rules. CERT-In has in its April 26 directive also said that these details are necessary to prevent incitement or commission of any “cognisable offence using computer resources or for the handling of any cyber incident” which may lead to any durbance in the “sovereignty or integrity of India, defence of India, security of the state, friendly relations with foreign states or public order”.
Earlier last month, Miner of State for Electronics and Information and Technology Rajeev Chandrashekhar warned VPN companies that if they do not adhere to the norms, they are free to exit the country. “If you’re a VPN that wants to hide and be anonymous about those who use VPNs and you don’t want to go these rules, then if you want to pull out (from the country), frankly, that is the only opportunity you will have. You will have to pull out,” he said.
