With inputs from Aarathi Ganesan
Pune-based VPN service provider SnTHostings in September filed a legal challenge against the Indian government alleging that the cybersecurity directions issued by the Indian Computer Emergency Response Team (CERT-In) in April are unconstitutional. In its petition, the company argued that the directions are in violation of the right to privacy and the right to do business, and are beyond the scope of the powers conferred to CERT-In.
After hearing the arguments, the Delhi High Court on September 28 issued a notice directing CERT-In to provide a response within four weeks, stating that the issue requires consideration, Internet Freedom Foundation reported. The next hearing on the matter is scheduled for December 9, 2022.
Why does this matter? The CERT-In directions, which went into effect on June 28 for larger entities and on September 26 for Micro, Small and Medium Enterprises (MSMEs), have been criticised by multiple industry bodies, tech companies and cybersecurity experts, and have even resulted in some VPN providers announcing their exit from the country, but this is the first legal challenge mounted against the directions.
Which parts of the CERT-In directions are being challenged?
Tanmay Singh, one of the advocates for the petitioner, told MediaNama that SnTHostings is challenging the following two directions issued by CERT-In:
- Maintenance of logs (direction 4): All entities (service providers, intermediaries, body corporates, etc) must mandatorily enable logs of all their information and communications technology systems and maintain them securely for a rolling period of 180 days and the same should be maintained within the Indian jurisdiction. These should be provided to CERT-In along with reporting of any incident or when ordered by CERT-In.
- Collection of customer information by VPN providers (direction 5): Data Centres, Virtual Private Server (VPS) providers, cloud service providers, and VPN providers are required to register the following accurate information about customers and subscribers for a period of 5 years or longer duration after any cancellation or withdrawal of the registration:
  - Validated names of subscribers or customers hiring the services
  - Period of hire including dates
  - IPs allotted to or being used by the members
  - Email address and IP address and time stamp used at the time of registration
  - The purpose of hiring services
  - Validated address and contact numbers
  - Ownership pattern of the subscribers or customers hiring services
Entities found to be in non-compliance with these directions face imprisonment of up to a year and/or a fine.
On what grounds is SnTHostings challenging these directions?
Violation of the right to privacy
SnTHostings argued in its petition that the directions violate the right to privacy for the following reasons:
- Violation of Puttaswamy test of proportionality: “The directions are in violation of the right of privacy as recognized under Puttaswamy 1 and 2,” Advocate Samar Bansal, who represented SnTHostings at the hearing, told MediaNama. The judgement held that any restriction on the right to privacy must pass the test of proportionality, which SnTHostings claims the directions do not. “Things like informational privacy, the principle of storage limitation, the principle of purpose limitation, the principle of data minimisation, these are all principles recognized internationally in European Union and by our Supreme Court in Puttaswamy and our contention is that the directions don’t adhere to these principles,” Bansal explained.
- Does not comply with the principle of purpose limitation: “Purpose limitation requires that personal data collected and processed by data controllers should be relevant to the purpose for which it is processed” but the directions require the VPN providers to “collect logs of every user, including those without any connection with cyber-security incidents. Moreover, the nature of logs directed to be collected is not limited to those that may assist the Respondent in investigating cyber-security incidents,” SnTHostings argued.
- Does not comply with the principle of storage limitation: “The principle of storage limitation requires personal data to be kept only as long as it is necessary” but the directions require companies “to retain personal data for an arbitrary period in excess of five years.” Similarly, the directions require companies “to retain the logs of the activities of its customers for an arbitrary period of 180 days and provide them to the Respondent on demand. […] In both cases, if the Respondent obtains data from Petitioner and other similar entities, it could retain it for an indefinite period, even after data has served the purpose for which it was taken. This is in complete disregard of the principle of storage limitation and disproportionately violates the right to privacy,” SnTHostings claimed.
- Aadhaar storage judgement: “In the Aadhaar case, more than five years of retention of archival data is something the Supreme Court felt was too long a period and said that it should not be five years,” Bansal gave as an example. “The Supreme Court ruled that the regulation in question ‘severely affected’ the citizen’s right to the erasure of data and thus, should not be retained for more than six months,” SnTHostings stated in its petition.
- Government cannot be given carte blanche: “The Constitution gives the government the right to impose reasonable restrictions to citizens’ rights under 19(2) of the Constitution, but the thorny question always is whether the restriction put by the state is reasonable or not. Considering the breadth of data that is asked to be retained, the excessive timelines, and the personally identifiable information, which in many cases is sensitive personal information, that has to be retained by VPN providers, we think the restrictions are not reasonable,” Bansal argued. “Government cannot have a free pass. It cannot have a carte blanche.”
- Creates a treasure bag of data with a dollar sign on it: “You are forcing somebody to collect, store, and maintain data, that they may or may not have otherwise been doing. And for all of this data, the responsibility for storing and keeping it secure will fall upon the subject of these directions. Not on CERT-In. So that, a) seriously undermines user privacy and b) it also seriously undermines cybersecurity because you are basically now creating treasure bags with dollar signs on it, which will become an attractive prospect for bad actors,” Tanmay Singh remarked.
- Cannot target every citizen as a suspicious person: The Supreme Court has noted with approval one of the rulings by the Court of Justice of the European Union, in which it “struck down a provision which required providers of electronic communication services to retain the name, address, telephone number and IP address of their subscribers for the purpose of fighting crime.” The CJEU held that the legislation did not comply with purpose limitation as it collected data of all persons, even when they were not connected to any criminal proceedings. Additionally, the Supreme Court “in Puttaswamy II struck down a provision which mandated the linkage of bank accounts with Aadhaar cards while stating that ‘under the garb of prevention of money-laundering or black money, there cannot be such a sweeping provision which targets every resident of the country as a suspicious person.’” The CERT-In directions “similarly carry a presumption of criminality as they require the Petitioner and other entities to collect data of every customer,” SnTHostings argued.
Violation of the right to business
SnTHostings has argued that the direction violates the right to carry on any trade or business guaranteed under Article 19(1)(g) of the Constitution for the following reasons:
- Forces a change in the fundamental nature of VPN services: “It also fundamentally changes the nature of services that the VPN provider offers to its customers. The whole reason that VPNs exist is so that users of VPN can access the internet and its services securely and privately without allowing their Internet service provider to gather a treasure chest of data that it otherwise can and in many cases does gather. What you’re essentially doing is forcing the VPN provider to change the nature of its business, to change the nature of its activities, such that it is no longer a VPN provider,” Tanmay Singh said.
- VPNs are an essential public function: SnTHostings submitted that it performs an essential public function of providing VPN services. “These services are essential as they protect the right to privacy of individuals, businesses and a range of other entities by enabling them to access the internet privately.”
- Will drive the company out of business: The direction “requires Petitioner to maintain a log of every activity of its customers, including the name of the websites they visit and even the date, time and duration of such visits. The Petitioner submits that such invasive tracking is completely antithetical to the notion of VPN services and the Impugned Directions ensure that customers will choose not to avail of the Petitioner’s services which entail being monitored on the internet, ultimately driving the Petitioner completely out of business,” SnTHostings stated in its petition.
- Imposes onerous obligations on VPN providers: The directions “impose onerous obligations on the Petitioner, which involve such significant expenditure rendering the Petitioner’s business commercially unviable. […] Complying with these obligations will require the Petitioner to incur significant expenditure in hiring personnel, buying server space, securing personal data from cyber-security threats and obtaining technical know-how. Incurring such expenditure only to comply with regulations will require the Petitioner to wind up its business,” the company argued.
- Not a reasonable restriction: The directions cannot be saved by Article 19(6) of the Constitution because they “impose restrictions which effectively amount to a prohibition. It is a settled position of law that any restriction if amounting to prohibition must satisfy the test that a lesser alternative would be inadequate. The Respondent has to satisfy this Hon’ble Court on why mandating the Petitioner to collect and store data of its customers is necessary to respond to cyber-security incidents, and why the same end could not be achieved by seeking data regarding specific individuals with prior permission from courts akin to a warrant,” SnTHostings submitted.
Over-broad and beyond the scope of the IT Act
SnTHostings claimed that the directions are ultra vires Section 70B of the IT Act, 2000, under which CERT-In issued these directions:
- The parent statute does not authorise many aspects of the directions: “The directions are actually ultra vires the parent statute (IT Act, 2000). In layman’s language, it is that the statute authorizes a certain thing to be done, but here what has been done is beyond the four corners of what the statute had authorized,” Bansal argued. While the provision empowers CERT-In to “call for information and give directions” to service providers for carrying out the functions listed in Section 70B(4), the directions mandate companies “to collect and maintain data that it would not have collected otherwise,” SnTHostings stated. The Act only permits the government “to direct companies to provide the information they maintain in the usual course of business,” it added.
- Policies should be made by elected officials, not bureaucrats: “There is another principle of law which is known as the ‘vice of excessive delegation of legislative parts,’ which, once again, in layman’s terms really means that policy settings should be done by our elected officials, not by bureaucrats, not by subordinate officials under them,” Bansal explained. “Therefore, how long data should be retained and what categories of data are to be maintained are all according to us policy questions which cannot be left up to officers and bureaucrats. Their duty is to implement a policy framed and decided by our elected representatives. So according to us, the delegation of this power down to a secretary level or director level officer is something which is an excessive delegation of a legislative function.”
- Extremely vague: “One of the grounds is that fundamentally these clauses are extremely vague and over-broad. It’s a well-established principle of analyzing legislation and its validity to see whether it is vague and overbroad. The reason is that any legislation, particularly one that can have penal consequences, must be clear enough for the citizen to understand its precise scope and breadth. Because if it is left vague, then the citizen will be frankly clueless as to whether what he is doing violates the law or not,” Samar Bansal pointed out. As examples of vagueness, Bansal pointed toward the contradiction in the FAQs issued by the government and the actual directions themselves: While the directions state that logs must be stored in India, the FAQs state that they can be stored outside as long as the entity can provide it to CERT-In when asked for. “We told the court that the FAQs are actually contradicting or changing the scope of these particular directions. Now, in that scenario, should an Indian VPN provider follow the binding directions which are vague and which don’t give a sufficient direction of compliance? Or should he follow the FAQs which in many cases contradict the directions?”
Indian VPN companies don’t have the luxury of leaving the country
“Because of the directions, five of the biggest VPN providers have publicly stated their exit from India: NordVPN, ExpressVPN, ProtonVPN, TunnelBear, and Surfshark,” Tanmay Singh remarked. “The petitioner in the matter is a small Indian service provider. His whole life is here, his entire business, his family, everything is here. Where will he go? So he has no option but to fight it out.”
Foreign VPN providers have the option of not serving Indian clients. But Indian VPN providers have only one option, which is to shut down their business, as the law mandates logging everything of every client regardless of their origin, SnTHostings CEO Harsh Jain told MediaNama. “We are registered in India. We provide a legal service to clients all over the world. Shifting abroad is so expensive,” Jain added.
Despite the above statements made by the petitioner, it is not entirely accurate that foreign VPN providers have left the country. While many of these providers removed their India-based servers, they continue to serve Indian users and also offer virtual Indian servers as options to these users. It is, however, not clear how the government will go after them for non-compliance since these companies do not have a physical presence in the country.
Harms small businesses in India
“Effective compliance with these regulations really would manyfold increase the operational cost of any service provider, including a VPN, because the sheer amount of data that you’re now being asked to maintain and retain for extremely long periods does not come free. The sheer amount of data retention that has to be done now will require the purchase of additional servers, hiring of additional employees, and a great deal of cost, which, really speaking, favours the larger providers over the smaller provider,” Bansal opined.
“To keep track of that much data is very cost intensive. I won’t be able to go into much detail on this, but I can confirm that the cost to keep that much data could be 10x the amount of the service itself,” Harsh Jain said when asked how much additional resources would be required to comply with these directions. All major players have left the country and others will be forced to call it quits on Indian clients altogether, Jain added.
“If we want to encourage our Indian SMEs to start these businesses, if we want to encourage our Indian SMEs to perhaps be the next NordVPN or ExpressVPN, we’re effectively killing them off at the source. And we are only permitting the big guys to operate. I hope the government will at some stage consider that perhaps in their existing form, you’re not really encouraging Indian SMEs to come into this space,” Bansal remarked.
What are VPNs used for and why is it important to protect their function?
- VPNs are not inherently bad: “Contrary to what a lot of people wrongly think, VPNs are not an inherently bad thing. BSNL and MTNL run VPNs as well. Of course, it’s very easy to point out things like crime and pornography, and those are genuine problems which need to be addressed. But they have good usages as well. You may, for legitimate reason, want to have anonymity on the Internet: you may have a medical issue, you may want anonymity for a financial transaction,” Bansal remarked.
- VPNs ensure that data does not fall into the wrong hands: “When users access the internet without VPNs, they constantly, unknowingly, and often involuntarily, share personal data with other entities on the web, which may include malicious actors and hackers. The personal data accessible to these entities may include a user’s name, address, Internet Protocol Address, contact information, and other deeply invasive personal information about sexual orientation, political affiliation and financial information such as bank account or credit card or debit card details. This data is used to create profiles of users, which are sold to advertisers or data brokers. This data, if it falls into the wrong hands, could also be used for malicious purposes such as hacking or identity theft. VPNs create a ‘secure tunnel’ between a user’s device and the internet through a series of virtual connections routed online. These virtual connections encrypt data as it travels between one computer and another. As a result, VPN services ensure that the IP addresses of users remain secure and third parties cannot identify a user behind the VPN,” SnTHostings explained in its petition.
- Use cases of VPNs: SnTHostings outlined the following use cases for VPNs:
  - Protecting sensitive data
  - Engaging in financial transactions
  - Security on public networks
  - Data privacy from services on the internet
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.