Govt Orders VPN Companies To Collect Data Of All Indian Users, And Hand Over The Data
Under a new national directive from the country’s Computer Emergency Response Team, known as CERT-In, virtual private network companies will be required to collect extensive customer data and maintain it for five years or more in India.
New Policy For VPN Companies
The policy seems to make life more difficult for both VPN companies and VPN users in the country.
On Thursday, the body, under the country’s Ministry of Electronics and IT, announced that VPNs in the country will have to keep customer names, validated physical and IP addresses, usage patterns and other forms of personally identifiable information.
As per the ministry’s full directive, VPN companies will be required to collect and report the following information:
- They have to validate customer names, physical addresses, email addresses and phone numbers.
- They must also provide the reason each customer is using the service, the dates they use it and their “ownership pattern.”
- They will have to provide the IP address and email address used by a customer to register for the service, along with a registration time-stamp.
- They must also provide all IP addresses issued to a customer by the VPN, and a list of IP addresses being used by its customer base generally.
Data Centers And Cloud Service Providers Inclusion
In case of noncompliance, VPN companies could potentially face up to a year in prison under the governing law cited in the new directive.
Moreover, this directive is not limited to VPN providers.
It also applies to data centers and cloud service providers, as both are listed under the same provision.
Not only that, the service providers will have to keep customer information even after the customer has canceled their subscription or account.
Further, in all cases, CERT-In will require the companies to report on their users’ “unauthorized access to social media accounts.”
Conflict Of Policy
So far, most VPNs offer a no-logging policy, which is a public promise against logging, collecting or sharing customer usage and browsing data.
To complicate matters further, leading services like ExpressVPN and Surfshark operate only with RAM-disk servers and other log-less technology, meaning the VPNs would be theoretically incapable of monitoring for URLs listed in the directive.
If VPNs plan to follow through on this new directive, then many could potentially run afoul of the law simply by continuing to operate.
Close Watch On Online Activities
It seems that the center is keeping a close watch on online activity, as India banned 22 YouTube channels in April.
Earlier, India banned over 200 Chinese apps, including TikTok, and ultimately banned 9,849 social media URLs in 2020.
Last month, government-imposed internet shutdowns and disruptions in India accounted for 106 of a global total of 182 such government actions, or nearly 60%, according to the digital rights advocacy group Access.
The new directive is intended to help CERT-In deal with “certain gaps” that hinder it from responding to unspecified “cyber incidents and interactions with the constituency,” the Ministry of Electronics and IT said in a release Saturday.
The ministry’s full directive is slated to take effect from June 27.
However, there is a chance that the government may delay implementation to allow time for wider compliance.