
THE NEW CERT-IN RULES REGARDING VPNs AND PRIVACY


“Without privacy, there is no point in being an individual”

– Jonathan Franzen

INTRODUCTION

In the digital world we live in, privacy holds a crucial position and is given the utmost importance. There are laws to protect that privacy and, in an age where data is a treasure, we need to guard this treasure to the best of our abilities so that our data is not left in unguarded hands for everyone to spy on. Hence, we see how important data and privacy have become in this age specifically. Certain agencies working worldwide are focused solely on protecting the anonymity and privacy of individuals, and they thrive because of the need for such services. In this article, we will discuss the recent guidelines issued by CERT-In regarding the functioning of Virtual Private Networks in the nation and try to critically analyse the disastrous effect they will have on the question of individual privacy. Before we dive into the intricacies of this important topic, we need to acquaint ourselves with what exactly “CERT-In” is.

ABOUT CERT-IN

The Indian Computer Emergency Response Team is an agency under the ambit of the Department of Information and Communications. Under Section 70B of the IT Act, 2000, it is the nodal agency of the nation for dealing with cyber threats and cybercrimes, which include but are not restricted to hacking and phishing. It has been functioning since 2004. The functions of CERT-In are as follows:

  • Collecting, analysing and sharing information about cyber security incidents.
  • Forecasting and issuing alerts on cyber security incidents.
  • Issuing guidelines for handling cyber security emergencies.
  • Coordinating efforts in response to cyber-attacks.
  • Developing information security practices, procedures, prevention and mitigation measures, and publishing advisories, alerts, vulnerability notes and whitepapers.
  • Such other cyber-security-related duties as may be necessary.

Now that we have preliminary knowledge of the kind of work CERT-In does, we need to get our heads around the technologies and systems behind the functioning of VPNs, or Virtual Private Networks, which anonymise the identities of their customers.

VPNS AND HOW THEY WORK

In layman’s terms, a VPN gives the client a private server and masks the client’s IP address in order to protect their identity from snoopers such as big corporations or even governments. A VPN essentially allows users to mask their digital identities and even virtually relocate themselves, accessing the internet from anywhere in the world, as these VPN companies have servers all around the world. It shields us from the prying eyes of internet service providers, who can also snoop on our browsing habits and sell that information to make money. Hence, these services are immensely helpful during data breaches: even if someone gets access to the client’s data, the data will be encrypted and inaccessible to the attackers. Since 2003, Edward Snowden has been critical of how companies like Verizon and others were selling user data to the NSA of the United States of America, and recently the Defence Intelligence Agency bypassed a law which requires law enforcement agencies to obtain a warrant before asking for the details of users. Hence this software comes in handy during such times.

THE ISSUE IN QUESTION

In late April 2022, CERT-In released a striking notification which is being viewed as an obvious death knell for the business of these Virtual Private Networks. According to those guidelines, companies, intermediaries, data centres, Virtual Private Networks and related services must store user data for up to five years and are obliged to share it with the government when asked to. This demand is in clear violation of what the VPN companies advertise to their users: that their privacy will be of utmost importance and that no data regarding their internet activities shall be stored or shared. The notification also lays down that any such company shall act within six hours if it notices any of the 20 listed vulnerabilities, and if it fails to do so it shall be liable for imprisonment under Section 70B of the IT Act, 2000. IT minister Ashwini Vaishnav, commenting on the said guidelines, said that “There is no privacy concern. Suppose somebody takes a mask and shoots, wouldn’t you ask them to remove that mask? It is like that.” He went on to say that the guidelines were not intrusive but protective in nature and were made keeping in mind the extent of cybercrime happening. The records that the government seeks to obtain include:

  • Validated identities of the customers or subscribers hiring the services.
  • The period of hire, including dates.
  • IP addresses allotted to or used by members.
  • The e-mail address, IP address and time stamp used at the moment of registration.
  • The purpose for which the services are hired.
  • Validated addresses and contact numbers.
  • The ownership pattern of the subscribers or customers hiring the services.

CONTENTIONS TO THE POTENTIAL BREACH OF PRIVACY

The contentions being raised by the VPN companies are also well-founded. Surfshark, a major VPN company, commented that its technology does not allow logging of customer details and hence it shall not be able to comply with the guidelines. It also said that it uses a RAM-only model from which data cannot be captured, and hence it cannot produce the details of its users. NordVPN, another behemoth in the industry, came forward to say that the privacy of its users was its prime responsibility, that it would not compromise on that, and that it was also considering pulling its servers out of India. It is indeed a direct attack on the privacy of innocent individuals.

PRIVACY AND THE INDIAN ANGLE

An honourable mention here is the Personal Data Protection Bill, which was introduced in the Lok Sabha on December 11, 2019. The bill envisages creating a data protection authority for the protection of individual data, and it envisaged certain steps that data fiduciaries had to take to safeguard privacy. Now, when we see the government doing the opposite of what the bill aimed at, it raises some questions. Is there no way to curb the crimes happening over the internet without compromising the security of a million Indians? In K.S. Puttaswamy vs Union of India it was decided that the Right to Privacy is a fundamental right, so is the government not playing with the fundamental rights of the people when it releases directives like these?

CONCLUSION

We need to pay special attention when such direct attacks on the privacy of the people happen, because this is a generation in which the data we own is probably more valuable than anything else. As a lot of data analysts say, “data is king”; hence the onus is on the government and the private sector to protect the data of individuals to the best of their abilities. We also need to understand that the stance of the government is not without a concrete reason. At times crimes happen and the perpetrator cannot be caught because of an anonymised identity resulting from the use of a VPN. Hence, we need to find a middle ground in which the identity of users is not compromised and crimes can still be traced. This is a humongous task in itself, but given the extent of the technology we have, it deserves to be attempted.

Author(s) Name: Ayush Tripathi (Maharashtra National Law University, Nagpur)