SnTHostings Sues The Indian Government, Questioning The Legality of VPN Rules
- Justice Yashwant Varma directed CERT-In to respond to a plea brought by VPN provider SnTHostings within four weeks.
- The CERT-In regulations mandate data centers, VPNs, VPS providers, and cloud service providers to gather and store data for a period of five years.
- The new rules announced by CERT-In have generated widespread criticism, and several VPN companies have already withdrawn their servers from India.
The Delhi High Court has issued a notice to the government in response to a petition filed by Virtual Private Network (VPN) provider SnTHostings challenging the legitimacy of directions issued by the Indian Computer Emergency Response Team (Cert-In) in April asking service providers to retain user records. SnTHostings offers hosting, VPN, and Virtual Private Server (VPS) services.
Cert-In’s instructions on April 28 posed an existential crisis since they asked the firm to collect a wide range of personal data and share it with Cert-In on demand and/or in the event of a cybersecurity problem, according to the company’s appeal.
The High Court heard comprehensive submissions from lawyers and ordered Cert-In to respond within four weeks.
Cert-In directives established under the Information Technology Act of 2000 mandate VPN and cloud service providers to report cyber incidents within six hours and to keep customers’ personally identifiable data for five years.
According to the requirements, VPN providers must keep validated client names, physical addresses, email addresses, phone numbers, and the purpose for using the service, as well as the dates of usage and their ‘ownership pattern.’
Furthermore, Cert-In has requested that VPN providers preserve a record of the IP and email addresses used by customers to register for the service, as well as the date of registration.
VPN services would also be required to keep all IP addresses that their clients often use. This, according to Cert-In, will strengthen India’s cybersecurity and address shortcomings in incident analysis.
However, the corporations have maintained that storing such data would violate consumer privacy and the very premise of their service.
According to the Internet Freedom Foundation (IFF), the legal counsel for SnTHostings, five foreign VPN providers have left the country as a result of the new demands.
Tanmay Singh, senior litigation counsel at IFF, who represents SnTHostings owner Harsh Jain, stated that worldwide VPN service providers such as Express VPN, Nord VPN, Proton VPN, Surfshark, and TunnelBear had left India.
“Proton VPN and TunnelBear announced their departure over the weekend since Cert-In’s instructions had to be followed beginning September 25 and (they had to) maintain user logs,” Singh said.
Harsh Jain did not respond to ET’s calls.
SnTHostings, being a small business, falls within the micro, small, and medium enterprise (MSME) category, according to Singh.
“He (Jain) is not opposing all of Cert-In’s directions but only IV and V directions, which mandate all service providers, such as data centers, to keep user records for 180 days. This includes user activity and data, which must be retained on the company’s server at his expense for at least six months,” Singh explained.
Direction V mandates VPN service providers to collect large quantities of customer personal data that they are not in the business of collecting, he noted.
The requirement to begin collecting details such as name, IP address, address, contact information, and the purpose of using the VPN, and to store them for five years even after the user’s relationship with the VPN service provider has ended, has been challenged in court.
“Like multinational service providers, a small firm like this headquartered in India cannot pack up and leave the country. He has lived here his entire life. They must remain here and fight,” Singh said.
While companies who disagree with Cert-In’s directions may choose not to invest any physical assets in a specific area, he claims that local players do not have that option. “There are plenty of small-time players with a few clients but no profitable business,” he added.
The regulations have drastically changed the nature of VPN services.
“The fundamental goal of VPNs is to establish private and secure networks via which you may access the internet. If companies begin tracking customer data in the same way that internet service providers (ISPs) do, they will be no different,” he stated.
ISPs aid in internet navigation and the transmission of all internet packets. VPN services, on the other hand, build a secure tunnel via which data is encrypted while being transmitted.
Cert-In’s guidelines have weakened VPNs’ roles to the point where they are no longer VPNs.
“This has a huge negative effect on user privacy and security. In India, where there is no data protection regulation, service providers would have access to virtual data warehouses, increasing risk,” he added.