India’s new cyber rules stoke privacy, security fears

Tech companies — including several global VPN providers — and privacy advocates are bristling at new cyber requirements they say could jeopardize the security of Indian citizens.

India enacted new cybersecurity incident reporting guidelines on Sept. 25 that have tech companies and privacy watchdogs alike concerned about potential abuse.

The Indian Computer Emergency Response Team (CERT-In) requirements compel data centers, virtual private servers, cloud services and VPN providers to collect troves of personal information about their customers from the moment they start using their products. This includes “validated names of subscribers/customers hiring the services,” “validated address and contact numbers,” the “purpose for hiring services” and other information. That data must be maintained for at least five years.

This means companies are going to have to manage a massive amount of data — which could make them an even more appealing target for attackers looking to gather information about Indian citizens, experts told README.

VPN providers retreat — or resist

An Indian company, SnTHostings, is suing the government over the new rules. But these regulations have triggered a mass exodus by foreign VPN providers that would rather leave India than compromise on their no-logging policies. Nord, McAfee, TunnelBear and Norton have all removed their servers from the country as part of their efforts to leave the market completely.

“We are committed to protecting the privacy of our customers,” Nord Security head of global public relations Laura Tyrylyte told README. “We cannot support the decision made by CERT.”

Tyrylyte added that “from what it seems, the amount of stored private information will be drastically increased throughout hundreds or maybe thousands of different companies.

“It is hard to imagine that all [companies], especially small and medium enterprises, will have the proper means to ensure the security of such data,” she said.

Other VPN providers have shut down local servers but will continue to support users in India by circumventing these mandatory data collection directives. Surfshark and ExpressVPN, for example, offer virtual servers with Indian IPs based in Singapore or Europe. Proton has also shut down its physical servers in India and said that it will route users wanting an Indian IP through Singapore.

Proton CEO Andy Yen said in a statement that the company “has no intention of ever complying with this or any other mass surveillance law” even though India is one of its largest markets. “We also have the added benefit of Swiss law,” Samuele Kaplun, the CTO of Proton VPN, told README, “which helps protect us from invasive government demands.”

Privacy and compliance concerns

CERT-In has said these requirements are intended to support a “Safe & Trusted Internet,” but critics say the policies could actually endanger the privacy of people using these services and dissuade foreign companies from rolling out new products within India.

“Excessive data retention can also infringe individual fundamental rights,” Internet Freedom Foundation associate policy counsel Tejasi Panjiar told README, “in particular the right to privacy.” (Which the Supreme Court of India upheld as a fundamental right in an August 2017 judgment.)

David Davies / Flickr

Some of those infringements could be intentional. Privacy advocates have warned that these regulations could enable mass surveillance if they lack sufficient oversight and a data protection framework, for example. Yet the Indian government actually withdrew a proposal for such protections, the Private Data Information Bill, a mere month before CERT-In’s new guidelines went into effect.

The accidental exposure of private information — or the theft of such data — is also cause for concern. “The scale of data breaches that the country has been witnessing [in this] existing legal vacuum may very well lead to infringement of our fundamental right to privacy,” Panjiar said. She added that “no provision exists to provide citizens who have been impacted by data breaches with adequate compensation.”

There are practical issues, too. Panjiar noted that guidelines require cyber incidents to be reported “within six hours of noticing such incidents or being brought to notice about such incidents,” without taking into account the kind of incident, its impact and the size of the affected company. (She also pointed out that CERT-In fails to define “data breach,” “service providers,” “intermediaries” and other terms.)

“An additional cause for concern, which has been noted by several tech companies, is that non-compliance has severe penal provisions,” Panjiar said. This means companies without the capacity to report such incidents within the six-hour timeframe face a disproportionate risk of penalties.

That risk, combined with data localization requirements, as well as the costs incurred by attempting to comply with these new policies, could disincentivize foreign companies from bringing services and products to India. (Or, as many VPN providers have demonstrated, to pull their existing offerings.)

A broader issue

Concerns about these new requirements are compounded by India’s growing surveillance efforts as well as clampdowns on press freedom and personal liberties. Regulations like this have previously been introduced by authoritarian governments to gain more control over their citizens, Tyrylyte told README.

“If democracies follow the same path, it has the potential to affect people’s privacy as well as their freedom of speech,” she said. “One way or another, this law will likely have a negative impact on people’s privacy and digital security.”