A new directive from the Indian Computer Emergency Response Team (CERT-In) requires digital service providers to record and keep users’ logs for 180 days, and to store customer data such as their validated names, allotted IP addresses, email addresses, and the purpose of hiring these services, among other details, for five years. The directive applies to individual users of data centres, virtual private servers (VPS), clouds, and virtual private networks (VPN), and not to enterprise users.
Industry players explain that the directive runs against their core business, as they have a “no logs” policy. In addition, storing data for five years involves a lot of additional costs, which would require investments. In that context, and even before the directive is implemented, two global players, ExpressVPN and Surfshark, have announced plans to shut down their servers in India, with others likely to follow soon. Following the announcement, Surfshark said in a blog post that Indian users who do not use Indian servers will not notice any difference; they will still be able to connect to servers outside the country.
A senior government official BT spoke to said that the idea behind the new requirement is that, in case of a major cyber incident where law enforcement agencies need data to identify bad actors, they should be able to access it without hassles. The motive is to identify people who are cyber criminals, or individuals who are misusing social media outside the law.
But industry experts explain that bad actors would not use an Indian VPN to mount an attack, since it can easily be located. And, if somebody has to mount an attack from outside India, they will do so either directly from their IP address, or use a cluster of VPNs, making it difficult to find their trail.
Even with the implementation of the new rules, most VPN players will continue to offer services in India through their overseas servers, which nearly defeats the rules’ purpose. Experts say that the government should use machine learning and big data analytics over internet traffic patterns to identify individuals who are misusing VPN services and breaking the law, rather than go after VPN providers.
Amit Jaju, Senior Managing Director at Ankura Consulting Group, says, “The objective behind asking companies to retain logs seems to originate from a law enforcement perspective. The objective should be to identify users who are hiding behind a VPN, or hackers who might hide behind compromised networks. Threat actors can buy access to a breached server on the dark web, and then launch attacks from these servers while masking their own origin.”
While the intention behind the government’s directive for digital service providers might be good, it possibly fails to hit the intended mark. Will the move help identify bad actors? It’s hard to tell.