Government Orders VPN Providers to Store and Share User Data: All You Should Know

Failing to share the information or non-compliance with the order may invite "punitive action" against VPN providers in the country.

Government Orders VPN Providers to Store and Share User Data: All You Should Know

Photo Credit: Unsplash/ Petter Lagson

VPN companies may need to follow the order from as early as June 28

Highlights
  • VPN providers are ordered to preserve user data for at least five years
  • CERT-In has issued orders to VPN providers and data centres
  • VPN companies normally promote their no-log practices
Advertisement

Virtual private network (VPN) providers will be required to register and preserve user information for at least five years, the Ministry of Electronics and Information Technology's Indian Computer Emergency Response Team (CERT-In) has said in an order that will come into force on June 28 — unless the government delays due to slow down in its compliance. The decision is aimed to help "coordinate response activities as well as emergency measures with respect to cybersecurity incidents" in the country. Here's all you need to know about the move.

In an eight-page directive that was issued last week, CERT-In said that the order has been taken into consideration under the sub-section (6) of section 70B of the Information Technology Act, 2000. It said that VPN service providers — alongside data centres, virtual private server (VPS) providers, and cloud service providers — will be required to register and maintain accurate information of their services for five years or longer "as mandated by the law after any cancellation or the registration as the case may be".

The user information includes the valid names of subscribers, period of subscribing to the service, IPs allotted to and being used, email address and IP address as well as accurate time recorded during the registration, purpose of subscribing, validated address and contact numbers, and ownership pattern of the subscribers signing into the service.

In case of any incident, the service providers will be bound to furnish the information as called for by CERT-In.

Failing to give the information or non-compliance with the order may invite "punitive action" under sub-section (7) of the section 70B of the IT Act, 2000 and other laws as applicable, the national agency said.

Although the exact reason for the order has not yet been given, CERT-In claimed that the issued directions would help "address the identified gaps and issues" to provide incident response measures.

The growth of India's Internet base is playing an important role in the expansion of cybersecurity incidents in the country. One of the key reasons for such issues is the lack of awareness among the general public on how they should avoid becoming a prey for cybercriminals. Organisations including government departments are also not active in fixing security loopholes. For this, the ministry's agency is making it mandatory for service providers, intermediaries, data centres, body corporate, and government departments to report vulnerabilities to CERT-In within six hours.

However, directing VPN providers to collect and share information of their subscribers is strange as the prime purpose of getting a VPN service is to avoid leaving any traces behind. Most VPN companies follow no-logs practices and often actively promote that they don't keep users' activity data, though some of them collect anonymised analytics data to troubleshoot and fix connection failures.

In such a scenario, it is unclear how some of the world's popular VPN service providers will be able to comply with the government's order. It is also not clear whether the directions will be applicable to all service providers or the ones who are based in India.

The order will come into effect from late June, though there could be some delay in its implementation as most players are likely to take time in complying with the given directions. The same order also made it mandatory for crypto exchanges in the country to store user data for at least five years.

Notably, this is not the first time when we are seeing VPN service providers coming into the limelight in the country. A parliamentary panel last year urged the government to permanently block VPNs to restrict cybercrimes. Telecom operators including Reliance Jio was also seen restricting access to certain VPN services and proxy websites in the country in 2019.


Asus India's Arnold Su joins this week's Orbital, the Gadgets 360 podcast, to talk about how the PC maker is planning to grow its presence in the country. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.
Affiliate links may be automatically generated - see our ethics statement for details.
Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Further reading: VPN, virtual private network, CERT In
Apple, Google, Microsoft Bringing FIDO's New Passwordless Sign-Ins Capabilities to Their Platforms
Share on Facebook Gadgets360 Twitter Share Tweet Snapchat Share Reddit Comment google-newsGoogle News
 
 

Advertisement

Follow Us

Advertisement

© Copyright Red Pixels Ventures Limited 2024. All rights reserved.
Trending Products »
Latest Tech News »