“Cyberspace is rife with dangers to one’s liberty, reputation, property and dignity. […] The total anonymity of state and non-state actors and rogue elements to operate on internet or in cyberspace may cause havoc with their nefarious activities. Further, the identification and apprehension of offenders indulging in crimes committed by using computer resources are also next to impossible if suitable and proportionate safeguards are not put in place in this regard. […] Only the unscrupulous elements may be wary or wavering in providing the basic identity information,” the Indian government said in a counter-affidavit filed in Delhi High Court dated December 8. The IT Ministry, through the Indian Computer Emergency Response Team (CERT-In), was responding to a legal challenge filed by VPN service provider SnTHostings in September.
SnTHostings had alleged that the cybersecurity directions issued by CERT-In in April are unconstitutional. In its petition, the company argued that the directions violate the right to privacy and the right to do business, and are beyond the scope of the powers conferred on CERT-In. The lawsuit specifically challenged direction 4, which requires all companies to maintain logs of their computer systems for 180 days, and direction 5, which requires data centres, Virtual Private Server (VPS) providers, cloud service providers, and VPN providers to store information about their customers and subscribers such as names, email address, period of use, address and contact, etc. for a period of at least 5 years after they stop using the service.
SnTHostings will file a response to the government’s counter-affidavit in four weeks, the Internet Freedom Foundation (IFF), which is assisting the company in the case, said.
Why does this matter? The CERT-In directions, which went into effect on June 28 for larger entities and on September 26 for Micro, Small and Medium Enterprises (MSMEs), have been criticised by multiple industry bodies, tech companies and cybersecurity experts, and have even resulted in some VPN providers announcing their exit from the country, but SnTHostings was the first to mount a legal challenge against the directions. The government’s response affirms that it does not intend to back down or make any changes to the directions.
What are the top arguments put forth by the government?
- VPNs are highly prone to misuse: “The reality is that the VPN Services, which are basically Internet-proxy like services, are highly prone to misuse since the offenders cannot be traced in a timely manner, if at all,” the affidavit claims.
- VPNs are really not that safe: “VPN Services do not assure or provide infallible or impregnable safety to data fiduciaries. If an ISP can see the activities of the user, then the VPN service provider may also see on their peril. There are reports that VPN Services have also been found to be indulging in the collection of a variety of logs. Some VPN Service Providers even monetise on the users’ browsing data very similar to what they claim to protect,” the affidavit alleges.
- Use of VPN is highly regulated in other countries: “There are reports providing that the use of VPN services is not uniformly acceptable across all the nations in the world. The use of VPN services is illegal in certain countries like Iraq etc.; and is highly regulated/restricted in countries like UAE, Russia etc., whereby it is mandatory for VPN providers to keep all connection logs,” the affidavit states.
- Directions don’t require VPN providers to monitor the activities of users or collect sensitive data: The government argues that it only wants security-related logs and basic information and that these do not affect the privacy of the users. “The nature of information required to be collected by service providers includes basic identity-related information like name, addresses etc., which is not sensitive in nature,” the affidavit claims, referring to the definition of “sensitive personal data” in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
- Right to do business is not absolute, subject to the interests of the general public: Arguing against the petitioner’s claim that the directions affect the right to do business as guaranteed by Article 19(1)(g), the government submitted that this right is not absolute and is subject to the interest of the general public. “It is incontrovertible that enhancement of cyber security, in order to make the internet a safe, secure and trusted space for the public clearly falls within the ambit of ‘public interest’.” Additionally, “these impugned directions are neither prohibitive in nature, nor limiting the business activity of the Petitioner in any manner with regard to access, size, quantum etc,” the affidavit states.
- The right to privacy is not absolute: Referring to the Puttaswamy judgements I and II, the affidavit points out that “even the right to privacy is not absolute and is subject to reasonable restrictions and that provisos to various fundamental rights are an obvious restriction to the right to privacy. It is further submitted that under no circumstances anonymity can be a ground for evasion from lawful authorities or for non-compliance with the law.”
- Directions satisfy the four-prong test laid down by Puttaswamy: The government argues that the directions meet the four tests laid down as per the Puttaswamy judgement for the following reasons:
  - The directions have a “legitimate, precise, compelling goal of the analysis of cyber incidents or cyber security incidents such as ransomware; data breaches,” etc.
  - The fact that VPN service providers collect this data and not the State itself “is a suitable means of furthering this goal.”
  - The Petitioner itself has not suggested any other equally effective alternative.
  - The goal of “preventing cyber incidents and thereby promoting cyber security cannot be relegated to suit the commercial interests of entities like the Petitioner herein.”
- Shreya Singhal judgement won’t apply here: The petitioner had argued that “the impugned directions are vague and need to be struck down” as held in the Shreya Singhal judgement, which “declared Section 66A of the IT Act vague, for it created an offence without clearly defining the standards of guilt while creating the said offence.” But here, since “it is no one’s case that the impugned directions are creating or defining an offence,” the same argument would not apply as “the impugned directions are just a methodology to prevent offences and aid in the analysis of cyber incidents or cyber security incidents.”
- Case-by-case collection of data will defeat the purpose: “The Petitioner’s suggestion that in order to respond to cyber security incidents, data can be collected by seeking data regarding specific individuals with prior permission from courts akin to a warrant is highly impractical, and would defeat the whole purpose of the timely mitigation of cyber security threats,” the affidavit submits. “The Petitioner’s contention that the impugned directions should be to maintain logs of a specific user on a case-by-case basis, based on a reasonable suspicion recorded in writing that the said user may be using VPN services to threaten cyber security is highly implausible and frivolous,” the affidavit adds.
- Directions don’t suffer from any excessive delegated legislation: Refuting the argument that the directions go beyond the power conferred upon CERT-In, the affidavit states that “the directions have been issued by a statutory authority established under Section 70B of the Information Technology Act, 2000 […] and do not suffer from any excessive delegated legislation.” Additionally, the affidavit states that CERT-In, when addressing cybersecurity incidents, has observed “that the requisite information is either not readily available with service providers/data centres/body corporate or not available at all” and the same is essential for it to effectively carry out its functions.
- It is necessary to store data for a particular period of time to tackle cybercrimes: Cybersecurity incidents “are scattered over a long period of time; and may be done in a staggered manner, in order to avoid any detection, which is why retention of data for a particular duration of time, as mandated by the impugned directions is necessary,” the affidavit argues. CERT-In has “envisaged the requirement of 180 days for maintenance of logs, which has been optimally derived at, on the basis of prevalent practices in the ICT Industry, experience in conducting incident response and analysis of cyber security incidents. The industry best practice is to maintain logs for one year.”
Government questions the intentions and integrity of the petitioner
- Petitioner is not even a VPN company, this is a proxy complaint: “The Petitioner, who is not even a user of VPN services, but a company claiming to be providing said VPN services to users, under the guise of taking up cudgels for said VPN users have made the unwarranted allegation that the impugned directions have been done as a surveillance measure,” the affidavit alleges, submitting screenshots from the website of the petitioner and app stores to back its claim. “The present petition appears to be nothing but a proxy litigation initiated at the behest of certain interests to scuttle these directions for vexatious purposes,” the affidavit adds.
- Companies like NordVPN, Surfshark, and ExpressVPN have no right to seek constitutional remedies: The government claims “that the Petitioner has espoused the cause of certain entities such as Express VPN, NORDVPN and Surfshark, stating that these entities have been provided an unfair and unconstitutional choice,” but that “these entities are not entitled to invoke the constitutional legal remedies” as these are “not available to non-citizens of this country.”
- Petitioner is steered by multinational companies who have different agendas and goals: “It is further submitted that Petitioner has averred that several major VPN service providers such as Express VPN, Surfshark, and NordVPN decided to leave India due to impugned directions, which again depicts that the Petitioner is furthering the cause of those entities before this Hon’ble Court, which they are otherwise not entitled to; and its commitment with our national interest and larger public good of sovereign country is not in sync. The decision of the sovereign countries cannot be allowed to be steered by these multinational companies who have different agendas and goals,” the affidavit adds.
- Intriguing that the Petitioner is promoting services of its competitors: “It is intriguing that the Petitioner’s website contains an article titled ‘NEED BEST VPN? TOP 5 VPN PROVIDERS.’ The said article promotes NordVPN, PIA, Express VPN, Cyber Ghost and Proton VPNs. It is interesting to note that despite the Petitioner claiming to be a VPN Service Provider himself is promoting services of its own competitors,” the affidavit points out.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.