India's cybersecurity agency sent notices to VPN providers regarding compliance with the 2022 cybersecurity directions, Right to Information (RTI) responses received by the Internet Freedom Foundation (IFF) in April reveal. IFF had filed two RTI requests with the Indian Computer Emergency Response Team (CERT-In) in March asking: 1. Compliance with directions issued to VPN providers on collecting customer information: Has the agency sent any notices to service providers seeking compliance under the direction (v) of the cybersecurity directions, which requires VPN providers, cloud service providers, and data centers to collect information about their customers including validated names, address, contact, IPs allotted, the purpose of hiring service, ownership structure, etc? IFF asked for details on the number of notices sent to VPN providers, the timeframe from responding to the notice, what's the consequence if service providers are not in compliance, and names of any service providers who have been blocked or against whom action has been initiated as a result of non-compliance. Notices sent, responses "under examination": The cybersecurity agency responded that it sent notices to some VPN providers in February 2023 about compliance with direction (v), but it did not share any other details such as the number of notices or names of entities. The agency, however, added that the "response received from the entities are under examination, hence, at this stage, there is no issue regarding information on blocking or initiation of any other proceeding as a result of non-compliance." 2. Compliance with direction (iii): Has the agency sent…
