Under a new national directive from the country’s Computer Emergency Response Team, known as CERT-in, virtual private network companies in India will be required to collect extensive customer data and keep it for at least five years. It’s a policy that will almost certainly make life more difficult for both VPN providers and VPN users in the country.
The body, which is part of the country’s Ministry of Electronics and Information Technology, announced Thursday that VPNs in the country will be required to keep customer names, validated physical and IP addresses, usage patterns, and other forms of personally identifiable information. According to the governing law cited in the new directive, those who do not comply could face up to a year in prison, as first reported by Entrackr.
The directive does not apply only to VPN providers. Both data centres and cloud service providers are covered by the same provision. Companies will be required to retain customer information even after the customer cancels their subscription or account. In all cases, CERT-in will require companies to report “unauthorised access to social media accounts” by their users.
Most VPNs have a no-logging policy, which is a public promise not to log, collect, or share customer usage and browsing data. Leading VPN services, such as ExpressVPN and Surfshark, only use RAM-disk servers and other log-free technology, which means the VPNs are theoretically incapable of monitoring for URLs listed in the directive. If VPNs in India are required to keep customer registration data or to monitor and report social media usage under the new directive, many could potentially violate the law simply by continuing to operate.
India has a history of policing online activity harshly.
India banned 22 YouTube channels in April. Facebook, Google, and Twitter ended a tense standoff with the Indian government in 2021 when they largely agreed to the government’s expanded control over social media content in the country. In 2020, the country outlawed over 200 Chinese apps, including TikTok, and eventually outlawed 9,849 social media URLs.
According to the digital rights advocacy group Access Now, government-imposed internet shutdowns and disruptions in India accounted for 106 of 182 such government actions, or nearly 60% of the total. The directive also coincides with significant increases in VPN demand in India, where independent research firm Top10VPN estimates that the shutdowns affected 59.1 million users in 2021.
In a statement issued Saturday, the Ministry of Electronics and IT stated that the new directive is intended to assist it in dealing with “certain gaps” that prevent it from responding to unspecified “cyber incidents and interactions with the constituency.”
Under the ministry’s full directive, VPN companies will be required to collect and report the following information:
- Validated customer names, physical addresses, email addresses and phone numbers.
- The reason each customer is using the service, the dates they use it and their “ownership pattern.”
- The IP address and email address used by a customer to register for the service, along with a registration time-stamp.
- All IP addresses issued to a customer by the VPN, and a list of IP addresses being used by its customer base generally.
Credit – CNET