BAKER ID: 70988b Aug. 6, 2022, 8:41 a.m. No.17079567

https://www.techradar.com/features/this-is-how-new-indian-privacy-law-will-have-negative-impact-on-peoples-privacy

 

This is how new Indian privacy law will have 'negative impact on people's privacy'

 

In April, the Indian government dropped a hard pill to swallow for VPN services and their users.

 

According to India's new data retention law, security software firms will be forced to keep users' data for up to five years. What's more, providers will need to be ready to hand over this information to authorities upon request, too.

 

The news sparked a chasm of discontent across the VPN industry, privacy advocate groups and internet users.

 

"One way or another, it will have a negative impact on people’s privacy and digital security," Laura Tyrell, Head of PR at Nord Security - the company behind the popular NordVPN - told us.

 

While, in a tweet, digital rights NGO Access Now wrote: "VPNs are necessary in a country with rampant shutdowns and surveillance, and no data protection law. Authorities must stop what they’re doing, and consult with security researchers, civil society, and cybersecurity experts on what to do instead."

 

So, what's at stake for Indian internet users' privacy?

 

VPNs forced to keep users' logs

On April 28, the Indian Computer Emergency Response Team (CERT-In) announced that - among other directives, like the obligation to report a cyber attack within six hours - virtual private network (VPN) providers will soon be required to retain users' logs for at least five years. Companies will also be forced to hand over this data to authorities upon request.

 

And it's not just VPNs that are the subject of the new data retention law which will come into effect from late June. Virtual private servers (VPS), cloud service providers, data centers and crypto exchanges all will have to follow the new directive.

 

Specifically, the pieces of information that will need to be collected and stored are:

 

Validated names of subscribers/customers hiring the services

Period of hire including dates

IPs allotted to/being used by the members

Email address and IP address and time stamp used at the time of registration/on-boarding

Purpose for hiring services

Validated address and contact numbers

Ownership pattern of the subscribers/customers hiring services

Statement: We call on @IndianCERT to recall Directions on Information Security Practices issued on April 28 that go into effect on June 27. These directions are vague. They undermine user privacy and information security, contrary to CERT's mandate. 1/n pic.twitter.com/okzMhgIG0y May 4, 2022

 

While cybersecurity experts are lamenting its vagueness, lack of feasibility and worrying privacy implications, the CERT-In justifies the decision as needed to better police cybercrime.

 

With a total of 86.63 million data breaches in 2021, Surfshark found India to be the third most affected nation worldwide. "Most of the frauds were happening through VPNs," an Indian government official said to The Economic Times.

 

At the same time, India also gained the gold medal for the number of internet shutdowns executed. Digital rights campaigner group Access Now found the country to be responsible for 106 out of the 182 incidents documented in 2021. Not to mention the allegations that the Indian government used Pegasus technology to spy on activists, politicians and lawyers.

 

With such a track record, it's no great surprise that many are worried that authorities might abuse this data grab to implement mass surveillance.

pt 1