CERT-In mandate not for surveillance: govt sources

New Delhi: The centre will only use proper legal and administrative channels to seek or access any information from companies under the new cyber security mandate from India’s Computer Emergency Response Team (CERT-In), a senior government official told ET. The Ministry of Electronics and Information Technology (Meity) will seek a court order or invoke its emergency powers under section 69 of the Information Technology Act, if required, the person added.

“We do not intend to use CERT-In’s mandate to do any sort of surveillance,” said officials noting that “we have just asked virtual private network (VPN) companies to keep a record of their logs for five years, so that, if needed by law enforcement agencies, it can be accessed after following the due procedure.”

The IT ministry is likely to come out with detailed clarifications on the CERT-In mandate in the coming days, sources said, in the wake of concerns raised by
industry and privacy experts over the new guidelines.

ET had reported last week that an official document is being prepared to allay the widespread misgivings.

Also Read |
ETtech Explainer: What India’s new VPN rules mean for your privacy

Several VPN service providers, including Surfshark and NordVPN, had hit back at the government stating that adhering to CERT-In guidelines would go against the nature of their services, which are designed to protect user privacy. Some providers said that they don’t even have the technical means to comply with the order and will have to quit India if “left with no other option”.

Discover the stories of your interest



In the list of clarifications to its April 28 mandate, CERT-In is likely to say that the directive to store customer information applies only to those VPNs that offer services to general internet subscribers, as reported by ET, last week .

Cost Burden

Meanwhile, policy experts point to apprehension amongst startups and small and medium enterprises that the government’s mandate to keep logs of users and verify the details, will significantly add to their costs.

“While data collection, validation, and KYC process have privacy concerns, it would also result in an operational cost for service providers, predominantly for start-ups, as they have to retain and store data for five years,” Kazim Rizvi, founder of tech policy group The Dialogue said.

Sources in the know said that in the coming days Meity is also likely to clarify that the recent mandate directing virtual private networks (VPNs) offering internet access to register and maintain logs of their customers may not apply to enterprise or corporate VPNs.

In a set of fresh directives issued earlier, CERT-In had asked VPN service providers to maintain all customer data for five years, including the purpose for which the customer had availed the VPN service.

Ratan Shrivastava, Managing Director, India at BowerGroupAsia, a public policy strategy advisory firm said that corporates, financial service providers and allied global business service providers, who at times own their VPNs do maintain their records and logs but even for them storage for five years will entail an additional capacity.

“An amendment may be required to the notification (rather) than a FAQ, to help classify the VPN categories, the service providers such as NordVPN and internet security service providers as Kaspersky/ Norton, which offer masking as a part of their endpoint cybersecurity solutions.” he said.

The requests as required by the notification will be hard to implement by professional VPN Service providers, as the humongous data required to be stored for five years is an additional cost and will require creation of data storage infrastructure and difficult to pass on to the end customers, Shrivastava added.

“A 60-day compliance time to set up an online validation facility is a challenging task and will require significant engineering and architecting for a seamless onboarding experience. Similarly, validation of subscribers’ names, addresses, and contact numbers mandated through CERT-In directions would also increase operating costs, as the service providers will set up processes for the first time,” Rizvi added.

Stay on top of technology and startup news that matters. Subscribe to our daily newsletter for the latest and must-read tech news, delivered straight to your inbox.

For all the latest Technology News Click Here 

Read original article here

Denial of responsibility! TechAI is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.