MeitY, CERT-In order VPNs, crypto exchanges, others to store user data for 5 years

The Ministry of Electronics and Information Technology (MeitY), along with the Computer Emergency Response Team India (CERT-In), has asked data centres, VPS and VPN service providers, intermediaries and crypto exchanges to store user data for a period of at least five years in order to “coordinate response activities as well as emergency measures with respect to cyber security incidents”. Additionally, even if a user cancels their subscription to a service, the companies are required to track and maintain their records for the same period of time.

“Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers, shall be required to register the following accurate information which must be maintained by them for a period of 5 years or longer duration as mandated by the law after any cancellation or withdrawal of the registration as the case may be”, reads a release published by MeitY on Thursday.

“The directions cover aspects relating to synchronisation of ICT system clocks; mandatory reporting of cyber incidents to CERT-In; maintenance of logs of ICT systems; subscriber/customer registrations details by Data centres, Virtual Private Server (VPS) providers, VPN Service providers, Cloud service providers; KYC norms and practices by virtual asset service providers, virtual asset exchange providers and custodian wallet providers. These directions shall enhance overall cyber security posture and ensure safe & trusted Internet in the country,” as per a CERT-In release posted on Thursday.

“…various instances of cyber incidents and cyber security incidents have been and continue to be reported from time to time and in order to coordinate response activities as well as emergency measures with respect to cyber security incidents, the requisite information is either sometime not found available or readily not available with service providers/data centres/body corporate and the said primary information is essential to carry out the analysis, investigation and coordination as per the process of law”, MeitY says.

As per the new law, all service providers, intermediaries, data centres, body corporate and Government organisations will also need to designate a Point of Contact to interface with CERT-In.

In case of non-compliance with the law, companies could face “punitive action under sub-section (7) of the section 70B of the IT Act, 2000 and other laws as applicable”.

“This direction will become effective after 60 days from the date on which it is issued”, which means the new rule will come into effect by July 27, 2022.

Why is this relevant to you?
Many users rely on VPN services to avoid being tracked by websites, to bypass mandatory login policies on some websites, etc. Essentially, the proxy network maintains a shield of privacy. Until now, that is.

With the new MeitY rule, VPN companies will be forced to switch to storage servers so that they can track and maintain user data. This will, first, defeat the entire purpose of VPNs and, second, increase the cost of services provided by these companies. Basically, for the end user, this means lower privacy at a higher price.

Nature of user data that will be tracked and stored

  • Validated names of subscribers/customers hiring the services
  • Period of hire including dates
  • IPs allotted to / being used by the members
  • Email address and IP address and time stamp used at the time of registration / on-boarding
  • Purpose for hiring services
  • Validated address and contact numbers
  • Ownership pattern of the subscribers / customers hiring services

In case of crypto exchanges, the data stored will also include:

  • Transaction ID
  • Public keys (or equivalent identifiers)
  • Addresses or accounts involved (or equivalent identifiers)
  • The nature and date of the transaction
  • Amount transferred

Types of cyber security incidents companies have to mandatorily report

  • Targeted scanning/probing of critical networks/systems
  • Compromise of critical systems/information
  • Unauthorised access of IT systems/data
  • Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious code, links to external websites etc.
  • Malicious code attacks such as spreading of virus/worm/Trojan/Bots/Spyware/Ransomware/Cryptominers
  • Attack on servers such as Database, Mail and DNS and network devices such as Routers
  • Identity Theft, spoofing and phishing attacks
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
  • Attacks on Critical infrastructure, SCADA and operational technology systems and Wireless networks
  • Attacks on Application such as E-Governance, E-Commerce etc
  • Data Breach
  • Data Leak
  • Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers
  • Attacks or incident affecting Digital Payment systems
  • Attacks through Malicious mobile Apps
  • Fake mobile Apps
  • Unauthorised access to social media accounts
  • Attacks or malicious/suspicious activities affecting Cloud computing systems/servers/software/applications
  • Attacks or malicious/suspicious activities affecting systems/servers/networks/software/applications related to Big Data, Block chain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones
  • Attacks or malicious/suspicious activities affecting systems/servers/software/applications related to Artificial Intelligence and Machine Learning.

News9live
