Virtual private network (VPN) service providers are up in arms against a new directive from the Indian Computer Emergency Response Team (CERT-In), a wing of the Ministry of Electronics and Information Technology, that requires them to maintain all customer data for five years. VPN service providers have said the new directive would mean a total loss of privacy for users, which is one of the most important unique selling points of such services.
Citing objectives such as fighting cybercrime and invoking India’s sovereignty, integrity and public order, the April 26 directive from CERT-In mandated that VPN providers keep, for five years, data including users’ contact details, original and faux IP addresses, and their purpose behind using the services.
One of the main reasons that CERT-In gave for seeking these details is that they will help to effectively trace anti-social elements and cybercriminals indulging in various nefarious activities online.
Every device connected to the internet is part of a large network of computers, servers and other devices spread across the world. To identify each device connected to the internet, service providers globally assign each such device a unique address, called the Internet Protocol (IP) address. It is this IP address that helps websites, law enforcement agencies and even companies track down individual users and their accurate location.
A virtual private network, when switched on, essentially creates a safe network within the larger global network of the internet and masks the IP address of the user by rerouting the data. Acting as a tunnel, a VPN takes data originating from one server and masks it under a different identity before delivering it to the destination server. In essence, a VPN creates several proxy identities for your data and delivers it safely without disturbing the content of the data.
Why is anonymity or privacy so important for VPN providers and users?
The main reason why privacy or anonymity is important for both VPN service providers and users is that it helps them avoid being tracked, mostly by websites and cybercriminals. Since a VPN masks the location of a device from everyone, it also prevents government and law enforcement agencies from accurately identifying that location.
What is also worrisome is the increasingly unilateral nature of directives curtailing the digital rights of Indians, mostly issued without public consultations. CERT-In had claimed that the directive came after it “identified certain gaps causing hindrance in incident analysis”. India has largely maintained complete opacity in making incident analyses public, including those of alleged breaches in nuclear and other critical infrastructure and across government institutions. Using incident analysis as a reason to curtail the fundamental right to privacy may be an overreach. For most VPN companies, not maintaining customer data is a key part of their selling proposition. Their software and hardware are not designed to collect and save such data either.
This once again brings into focus the lack of a codified digital rights framework in India. Civil liberties organization Internet Freedom Foundation (IFF) says that the “provisions of these directions cause more harm than good, especially in the absence of a data-protection law”.
Source: The Economic Times, Indian Express