India’s Government Tells VPNs, Cloud Services They Can Get Screwed Or Get Out
from the get-busy-retaining-or-get-busy-dying dept
“You can remember it for us wholesale.” – the government of India, probably.
The Indian government has been working for years to ensure it has complete control of constituents’ use of the internet. It has been steadily increasing its stake in internet use for years, ensuring its interests (especially those of Narendra Modi, who has served as its Prime Minister since 2014) are shielded from the criticism of the governed.
Things have escalated in recent months. The Indian government has declared the state of the country to be Blackwatch Plaid, which means getting all up in everyone’s internet business for the alleged interests of the nation’s security.
India’s government is already home to one of the most comprehensive biometric databases in the world. It has managed to collect at least some physical data points from nearly every one of of its 1.2 billion citizens. Now, it wants to be able to tie these immutable physical characteristics to internet users, starting with entities that might be able to distance users from their online activities.
Earlier this month, the Indian government made it clear (via its cybersecurity force) that no entity was exempted from data collection and retention demands. India’s cybersecurity agency, the Computer Emergency Response Team (CERT-In), was given the power to demand information (on a historical and ongoing basis) from these entities providing services to India residents.
India’s nodal cybersecurity agency, Computer Emergency Response Team (CERT-In), has directed all service providers, intermediaries, data center providers, corporates, and government organizations to report cyber incidents within six hours of their detection.
Companies providing cloud, virtual private network (VPN) will also have to register validated names, emails, and IP addresses of subscribers.
The six hour time limit is not essential to the Indian government’s national security pretense. This time limit exists solely to allow the government to punish companies moderating content generated by a country of 1.2 billion people, converting the impossibility of the job into fines, fees, self-serving public statements, and criminal actions in local courts.
The tech companies being subjected to these demands recognize the impossibility of the ask. The Indian government doesn’t care. Do or do not. There is no try. Otherwise, GTFO.
The government had its say, as The Indian Express reports:
The Indian Computer Emergency Response Team issued a directive in April asking tech companies to report data breaches within six hours of “noticing such incidents” and to maintain IT and communications logs for six months.
They also mandated cloud service providers such as Amazon and virtual private network (VPN) companies to retain names of their customers and IP addresses for at least five years, even after they stop using the company’s services.
The measures have raised concerns within the industry about a growing compliance burden and higher costs.
Those complaining about the impossibility of the task are being handed the same answer many Indian immigrants received when complaining about bigotry/bullshit in the United States after arriving in the “Land of Opportunity:” if you don’t like it, go back to where you came from.
“If you don’t want to go by these rules, and if you want to pull out, then frankly … you have to pull out,” [India junior IT minister Rajeev] Chandrasekhar told reporters.
Fuck everyone but the government, I guess. Millions of users may rely on these services, but if they can’t perform six-hour takedowns of stuff hosted at cloud services or served up via VPNs, screw the services and the users. Whatever it takes to ensure the government remains free of criticism and everyone else — whether its someone sitting at the lower end of the caste system or a billion-dollar multinational company — subservient to an ever-changing list of acceptable conditions.
India has some serious national security issues it needs to forcefully address. But those problems would be best handled by military force and diplomatic efforts. The security of the country does not flow through various internet services and certainly does not require punishing people for criticizing their government. If that’s what India wants to do, it really shouldn’t expend any more effort (physically) fighting off Chinese incursions. It should just accept who it wants to be and allow the world’s largest dictatorship to show it how oppression is really done.