The Economic Times daily newspaper is available online now.

    Follow rules or leave India: MoS Rajeev Chandrasekhar to VPN service providers

    Synopsis

    Chandrasekhar was speaking at the release of the Frequently Asked Questions (FAQs) on the Cert-In guidelines, which were issued on April 28.

    Rajeev Chandrasekhar, Union minister of state for electronics and IT
    New Delhi: Virtual Private Network (VPN) service providers that do not adhere to the latest cyber-security guidelines issued by the Indian Computer Emergency Response Team (Cert-In) are “free to leave India”, Minister of State for Electronics and Information Technology Rajeev Chandrasekhar said on Wednesday.

    VPN service providers must follow the law of the land while operating in the country, he said.

    “If you don’t have the logs, start maintaining the logs. If you are a VPN that wants to hide and be anonymous about those who use VPNs to do business in India and do not want to go by these rules, then frankly pull out of India. That is the only opportunity you have,” Chandrasekhar said.

    The set of directives and guidelines applies to all companies and enterprises operating in India. These include prompt reporting of cyber-security breaches and maintaining customer data, among others.

    Apart from enterprises, VPN service providers were asked to maintain a log of their customers, with details such as their names and the purpose for which the VPN service was used.

    Some VPN service providers had said that they would not comply with the directives and would instead choose to stop their services in India if they were forced to follow the directives.

    Chandrasekhar also said that VPN service providers, data centre operators, cloud service providers, and enterprises had an obligation to know who was using their infrastructure so that if there was an incident of a cyber breach from their side, these service providers would be obliged to make available the relevant data to Cert-In.

    “At that point, you cannot say that it is our internal rule that we do not maintain log. If you do not maintain logs, then this is not a good place to do business,” he said.

    In the FAQs released on Wednesday, Cert-In said that depending on the sector in which the organization was functioning, logs of firewall, intrusion prevention system, web, database, proxy servers, critical system event, and others must be maintained.

    ET has reported previously that enterprise and corporate VPN service providers have, however, been exempt from the requirement of maintaining and reporting these logs.

    ET had earlier also reported that the government would, while seeking such data from these service providers, follow the right administrative or legal process.

    Though it is not necessary for VPN service providers to store the log data in India, such data must be produced by them if asked by Cert-In, according to the FAQ. The directives will be applicable 60 days from April 28, when they were first put out.