• February 1, 2023

Fed Raises Rates Another 25 Basis Points—Signals More Hikes Still To Come

Topline The Federal Reserve slowed the pace of its interest rate hikes on Wednesday, but signaled additional rate increases this year will likely be necessary in order to cool inflation that …

New 2023 IRS Standard Mileage Rates

The Internal Revenue Service (IRS) has issued new standard mileage rates for operating an automobile for business, charitable, medical or moving purposes in 2023. New IRS Mileage Rates The new IRS …

Cut Price David Jones And Plunging Sales Spook Australian Retailers

It might be the summer season Down Under, but storm clouds are gathering for Australia’s retail sector, as the cost of living squeeze takes hold. An industry already rocked by the …

India has delayed plans to force VPN providers and cloud service operators to hold user data and share it with the government.

The Indian Computer Emergency Response Team (CERT-In) now says it plans to give firms an additional three months to comply with the rules – or pull out of the country altogether.

The move comes following strong pushback, not only from the VPN providers and cloud service operators themselves, but also from cybersecurity experts and privacy advocates.

In a letter to CERT-IN and the Ministry of Electronics and IT yesterday, more than 20 people called for the introduction of the requirement to be delayed.

“We are deeply concerned by the Directions issued by CERT-In on April 28, 2022, and urge you to please defer their implementation, and initiate a process of in-depth public consultation aimed at modifying the Directions with inputs from all stakeholders and experts,” they write.

Advertisement

“It is crucial that CERT-In and MeitY ensure that the regulations advance systemic and user-centric approaches to cybersecurity, focusing on effective cyber incident response — which is also the specific, limited rulemaking power given to CERT-In by the Indian Parliament in this section of the Information Technology Act.”

The rules require providers to collect and store names, email addresses and phone numbers, along with the customer’s IP address. They will also have to record the period of hire – using the timestamp used at registration – the customer’s reason for using the service, and their ‘ownership pattern.

The potential penalties rise to imprisonment or a fine of Rs100,000 ($1,300).

“The Directions, as they stand, will have the unintended consequence of weakening cyber security, and its crucial component, online privacy,” say the experts.

“We are cognisant of the need for a framework to govern cyber incident reporting, but the reporting timelines and excessive data retention mandates prescribed in the Directions, will have negative implications in practice and impede effectiveness, while endangering online privacy and security.”

A number of VPN providers have already pulled out of the country. ExpressVPN, for example, has shut down its two physical servers in India, although it continues to operate its two Indian virtual server locations. Proton and Surfshark, however, have been monitoring the situation while carrying on as normal.

The decision, however, is only a temporary reprieve, with the new rules scheduled to come into effect on September 25.

Advertisement

Leave a Reply

Your email address will not be published.