On April 28, 2022, the Indian Computer Emergency Response Team (CERT-In) issued Directions under Section 70B of the Information Technology Act, 2000 regarding preventing, responding to and reporting cyber incidents. These Directions will become effective on June 27, 2022. SnTHostings, a VPN service provider, has addressed a legal representation to MeitY seeking recall of the Directions, as they compel a range of entities, including SnTHostings, to surveil their users and collect their personal data, and mandate them to make such data available to CERT-In on demand. IFF has provided legal support in drafting the representation.
Why should you care?
VPNs are a privacy-advancing technology that allows users to anonymously conduct their business on the internet without being tracked by internet service providers, government agencies or social media platforms. Mandating all VPN service providers to collect and log personally identifiable data of their users and provide the data collected to CERT-In on demand will seriously impact users' right to privacy. In fact, as a result of these Directions, several prominent VPN services such as ExpressVPN, NordVPN and Surfshark have decided to stop doing business in India, and ProtonVPN has classified India as a high-risk country. SnTHostings, a privacy-first VPN service provider, has addressed a representation to MeitY seeking an immediate recall of the Directions, which will be effective from Monday, June 27, 2022.
The Directions, amongst other things, mandate service providers such as SnTHostings to:
- Mandatorily enable logs of all ICT systems and maintain them securely for a rolling period of 180 days within the Indian jurisdiction (Direction 4);
- Register and maintain personal information such as validated names of subscribers, period of hire, Internet Protocols allotted to members, email addresses, validated address, contact number, the purpose of hire and ownership pattern of subscribers for a period of 5 years or longer duration as mandated by law after any cancellation or withdrawal of registration (Direction 5);
- Provide the data collected to CERT-In if it demands such data for the purposes of responding to cyber-security incidents (Direction 3).
That’s not all. If a VPN service provider fails (or refuses) to comply with any of these directions, they may be imprisoned for up to one year or be fined up to Rs. 1 Lakh.
Previously, we have explained how these Directions have been issued without any consultation with stakeholders and how they impose excessive data retention requirements, unnecessarily require data localisation, enable mass surveillance and weaken virtual private networks without actually protecting users from data breaches or cyber-attacks.
Legal representation on behalf of SnTHostings
SnTHostings is a sole proprietorship which provides VPN, Remote Desktop Protocol, Virtual Private Server and Dedicated Root Services through its website, www.snthostings.com. SnTHostings has been providing these services for almost 10 years to over 15,000 customers who use these services to host their business on a dependable platform, securely browse the internet and store sensitive information related to their business. The Directions directly impact SnTHostings by compelling them to collect user data and share it with CERT-In, even though the entire purpose of their services is anonymity.
Considering these concerns, SnTHostings through their Chief Executive Officer, Mr. Harsh Jain, has addressed a representation to MeitY and CERT-In seeking a recall of the Directions. He stated to IFF:
“The Directive announced by the CERT-IN does not only violate the Right to Privacy, but also is impossible to impose on any client due to the very nature of the service. Blanket Monitoring is not a solution. At least not when it is up against the very basic right of the people.”
In the representation, Mr. Jain has, amongst other things, highlighted the following issues with the Directions:
- Change the nature of services provided by VPNs: VPNs enable businesses, government agencies, journalists and other users to securely browse the internet while ensuring that intermediaries such as Internet Service Providers (‘ISPs’) or web-hosting service providers do not monitor their activities. Similarly, VPSs provide the entities mentioned above with a virtual server enabling them to securely conduct their business over the internet. Currently, SnTHostings and other VPN or VPS service providers do not log customer details to the extent required by the Directions or require users to provide such detailed personally identifiable information. If they start doing so, it would change the basis of the VPN or VPS services that SnTHostings and others provide.
- Drives business outside India and disincentivises businesses from entering India: Many businesses that provide VPN or VPS services are attractive to users because they guarantee that they do not maintain logs, or monitor or store the activities of their customers. This guarantee enables users to securely conduct business over the internet. Because of the onerous regime contemplated by the Directions, these service providers do not have any incentive for entering the Indian market or even staying in India any longer as demonstrated by the exit of ExpressVPN, NordVPN and Surfshark.
- Contrary to the law: The Supreme Court of India in Justice K.S. Puttaswamy (Retd.) & Anr v. Union of India & Ors., (2017) 10 SCC 1 has held that the right to privacy is a fundamental right and recognised the right of entities mentioned above to conduct their activities anonymously. The Court also held that any restriction on this right must be lawful, necessary and proportionate. By mandating VPN or VPS service providers to collect personally identifiable information of all their users, the Directions do not distinguish between bona fide users and those who may be using these services for unlawful purposes. Thus, the Directions presume that all users of VPN or VPS services may conduct unlawful activities and as a result, violate the right to privacy of Indian users and effectively make VPN service providers redundant. Moreover, the obligation to store data for such a long duration is disproportionate and violates the right to privacy.
SnTHostings has urged MeitY and CERT-In to seriously consider the issues raised in the representation and recall the Directions. Since the Directions come into force on June 27, 2022, we sincerely hope that the authorities consider the representation and at least provide an explanation for going forward with the Directions despite the adverse impact the Directions have already had on business in India. IFF assisted in the drafting and the dispatch of the legal representation.
- Indian Computer Emergency Response Team's Directions numbered 20(3)/2022-CERT-In and dated April 28, 2022 (link)
- SnTHostings representation dated June 10, 2022 (link)
- Previous post titled ‘CERT-In Directions on Cybersecurity: An Explainer’ (link)