Following the publication of the cybersecurity directive by the Indian government last month, numerous media outlets and conversations on Twitter have alleged that virtual private network (VPN) providers must store users’ web activity logs to comply with the directive. This goes against the very principle of why customers use VPNs: privacy. But the directive does not explicitly contain such a requirement. So why is this concern floating around?
There is no clear answer to the question of whether VPN providers should keep a log of websites visited by a user, and the FAQs recently released by the Ministry of Electronics and Information Technology (MeitY) also don’t clarify this question. But, here are the two sides of the debate.
No, web activity does not need to be logged
The provision of the directive that specifically applies to VPN, cloud service and data center providers is the requirement to record the following exact customer information for a period of 5 years or more after any cancellation or withdrawal of recording:
- Validated names of subscribers or customers hiring the services
- Rental period including dates
- IP assigned or used by members
- Email address and IP address and timestamp used at the time of registration
- The purpose of hiring services
- Validated address and contact numbers
- Model of ownership of subscribers or customers hiring services
There is no mention or reference to web activity in this list of items, which is why it seems like there is some over-reading/misreading to conclude that VPN providers should store logs of user web activity.
Yes, web activity may also need to be logged
But there is another provision in the directive that applies to all businesses, including VPN providers, that introduces confusion: all entities must have logs enabled for all their systems and kept securely for a continuous period of 180 days. Now, since there is no list of logs to keep, one would expect these logs to also contain VPN users’ web activity logs.
Adding to the uncertainty, the government in its FAQ document provided the following answer to the question of which logs should be stored:
“The logs that should be kept depend on the industry in which the organization is located such as firewall logs, intrusion prevention system logs, SIEM logs, Web server/database/mail/FTP/proxy logs, Critical System Event Logs, Application Logs, ATM Switch Logs, SSH Logs, VPN Logs, etc. It should be noted that this list of logs is not exhaustive but has been mentioned to give an idea of the logs to be maintained by the teams concerned. From an incident response and analytics perspective, both successful and unsuccessful events should be recorded.” (emphasis ours)
As noted in the underlined parts of the answer, VPN providers will need to keep industry-specific logs and this could include web activity logs, which are also mentioned as an example in the answer.
Unless the government updates its FAQ document to clearly specify whether web activity logs should be retained or not, this ambiguity will continue to exist. The VPN providers, however, made it clear that they would not change their no-logs policy and either legally challenge the directive or leave the country.
What is the new cybersecurity directive?
The new Cybersecurity Directive was released by the Computer Emergency Response Team (CERT-In) of the Government of India on April 28 and covers aspects related to cybersecurity incident notification timeframe, clock synchronization system, log maintenance, KYC maintenance and transaction information for crypto exchanges and detailed customer information maintenance for VPN, cloud service and data center providers. Cybersecurity experts, VPN providers, and tech companies have all criticized the directive for a long list of reasons.