Following the issuance of the cybersecurity directive by the Indian government last month, there have been multiple media reports and Twitter conversations alleging that Virtual Private Network (VPN) providers have to store web activity logs of users to comply with the directive. This goes against the very premise of why customers use VPNs: privacy. But the directive does not explicitly have any such requirement. So, why is this concern floating around?
There’s no clear answer to whether VPN providers have to maintain a log of websites visited by a user, and the recently released FAQs by the Ministry of Electronics and Information Technology (MeitY) do not clear the air on this issue either. But here are the two sides of the debate.
No, web activity does not have to be logged
The provision in the directive that specifically applies to VPN, cloud service, and data centre providers is the requirement to register the following accurate information about customers for a period of 5 years or longer duration after any cancellation or withdrawal of the registration:
- Validated names of subscribers or customers hiring the services
- Period of hire including dates
- IPs allotted to or being used by the members
- Email address and IP address and time stamp used at the time of registration
- The purpose of hiring services
- Validated address and contact numbers
- Ownership pattern of the subscribers or customers hiring services
There is no mention of or reference to web activity in this list of items, which is why concluding that VPN providers must store logs of users’ web activity seems like an overreading or misreading.
Yes, web activity might have to be logged as well
But, there is another provision in the directive that applies to all companies, including VPN providers, that introduces the confusion: All entities must mandatorily enable logs of all their systems and maintain them securely for a rolling period of 180 days. Now, since there is no list of what logs should be maintained, these logs could be expected to also contain web activity logs of VPN users.
Adding to the uncertainty, the government in its FAQs document provided the following response to the question of what logs need to be stored:
“The logs that should be maintained depend on the sector that the organisation is in, such as Firewall logs, Intrusion Prevention Systems logs, SIEM logs, web/database/mail/ FTP/Proxy server logs, Event logs of critical systems, Application logs, ATM switch logs, SSH logs, VPN logs etc. It may be noted that this list of logs is not exhaustive but has been mentioned to provide flavour of logs to be maintained by the relevant teams. From the incident response and analysis perspective both successful as well as unsuccessful events shall be recorded.” (emphasis ours)
As noted in the emphasised portions of the response, VPN providers will have to maintain logs specific to their sector and that might include web activity logs, which is also mentioned as an example in the response.
Unless the government updates its FAQs document to clearly specify whether or not web activity logs must be maintained, this ambiguity will continue to exist. VPN providers have, however, clearly stated that they will not change their no-logs policy and will either legally challenge the directive or leave the country.
What is the new cybersecurity directive?
The new cybersecurity directive was issued by the Indian government’s Computer Emergency Response Team (CERT-In) on April 28 and covers aspects related to the timeframe for reporting cybersecurity incidents, synchronisation of system clocks, maintenance of logs, maintenance of KYC and transaction information for crypto exchanges, and maintenance of detailed customer information for VPN, cloud service, and data centre providers. Cybersecurity experts, VPN providers, and tech companies have all criticised the directive for a long list of reasons.