This article was first published on 5 May 2022
Update 20 May 2022
The Indian government has moved on its hard-line approach to incident reporting, and on some of the other provisions in its new cyber security laws – except the rules on VPNs!
India slightly softens infosec incident reporting rules • The Register
India’s government FAQ about the new cyber security rules(regmedia.co.uk)
Update 6 May 2022
Here is another position the Indian Government takes on privacy. They want organisations to report data breaches and cyber attacks within six hours. Sounds good: organisations will not be able to cover up when they have allowed user information to leak out. However, the investigation of even a simple breach or attack can take many hours, no matter how big the team. It sounds good but lacks application – privacy theatre!
Industry resists India’s data breach reporting requirements • The Register
Original blog post
There are two interesting stories about privacy in India doing the rounds at the moment.
The first is an examination of the app Tata Neu. This is what is being called a “super app”: an app that can supply a wide range of services under one umbrella app. However, it appears the app’s owner, the conglomerate Tata (probably best known in the UK for making cars), is happy to share personal information across and between the other apps it owns, without the explicit permission of the user.
Tata Neu, India’s New Super App, Has a Privacy Problem | WIRED UK
Clearly, under the UK’s Data Protection Act rules, this would not be allowed here, and it seems that users in India are upset by this action as well.
The second Indian privacy article is more worrying. The Tata Neu data sharing can be sorted (don’t use their apps); however, the Indian government wants to break VPN privacy, which is much more difficult to cope with.
TechRadar is reporting that the Indian Government wants VPN companies to record and share user information – making these privacy services no longer private.
Indian government wants VPNs to store and share user data | TechRadar
The directive from two Indian government agencies will come into effect on 27 July 2022, and impacts a wide range of organisations that operate on the web and hold sensitive user information, such as cryptocurrency exchanges and data centres. The gathered personal information would need to be retained for 5 years – read in here: the gathered information would need to be retained “securely” for 5 years, as this data alone is a honeypot no hacker could resist.
This is being done in the name of catching cyber-criminals, as removing this layer of privacy from all citizens (law breakers and law-abiding alike) will make it easier for law enforcement to do their job. I have discussed this before on this blog.
Why child safety can lead to a limit on your freedom of speech… – Smart Thinking Solutions
The Indian Ministry of Electronics and Information Technology (MeitY) and the Indian Computer Emergency Response Team (CERT-In) will have a lot to answer for in lowering the privacy of their own citizens to catch criminals who are probably operating outside of the authority of the Indian government. International co-operation catches cyber criminals.
Update 6 May 2022
As expected, there are reactions to the announcement about reducing VPN anonymity.
VPN Providers Threaten to Quit India Over New Data Law | WIRED UK
Clive Catton MSc (Cyber Security) – by-line and other articles