Cert-In extends deadline for VPN cybersecurity norms till Sept 25

Context

The Indian Computer Emergency Response Team (CERT-In) has given a breather to the providers of virtual private network (VPN) service in the country. The cyber agency has granted them another three months to comply with its new rules.

What is in the new rules?

The new cybersecurity norms have asked VPN service providers along with data centres and cloud service providers to store information such as names, email IDs, contact numbers, and IP addresses (among other things) of their customers for five years.

The extension

• The rules, issued on April 28, were slated to kick into effect on June 26, sixty days after they were issued. 
• In an order issued on June 27, CERT noted that MSME sought “reasonable time for generating capacity building required for implementation of these Directions”.
• Also, additional time has been sought as well for implementation of mechanism for validation of subscribers/customers by Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers.

What is a VPN? 

• A VPN is a service that protects users online by preventing their IP address from being tracked by websites, law enforcement agencies, cybercriminals and others. 
• Corporate employees are the most frequent VPN users, mainly for securely accessing company networks. 
  
  

Note: The new rules do not make using VPNs illegal in India. There is no ban on them.

Which countries have banned VPNs?

• Currently, a handful of governments either regulate or outright ban VPNs. 
• These include China, Belarus, Iraq, North Korea, Oman, Russia, and the UAE. 
• Other countries have internet censorship laws, which make using a VPN risky.