CERT-in, the country’s Computer Emergency Response Team, has issued a new directive that requires virtual private network companies to collect extensive customer data and maintain it for five years or more in India.
New Policy For VPN Companies
According to this policy, both VPN companies and VPN users have more trouble gaining access to VPN services in the country.
On Thursday, the body, under the country’s Ministry of Electronics and IT, announced that VPNs in the country will have to keep customer names, validated physical and IP addresses, usage patterns and other forms of personally identifiable information.
As per the ministry’s full directive, VPN companies will be required to collect and report the following information:
- They have to validate customer names, physical address, email address and phone numbers.
- Also provide the reason each customer is using the service, the dates they use it and their “ownership pattern.”
- They will have to provide the IP address and email address used by a customer to register for the service, along with a registration time-stamp.
- Also provide all IP addresses issued to a customer by the VPN, and a list of IP addresses being used by its customer base generally.
Data Centers And Cloud Service Providers Inclusion
If they fail to comply, they may face up to a year in prison under the governing law cited in the new directive.
VPN providers are not the only ones subject to this directive.
Likewise, cloud service providers and data centers are included under the same provision.
Not only that, the service providers will have to keep customer information even after the customer has canceled their subscription or account.
Further, in all cases, CERT-in will require the companies to report on their users’ “unauthorized access to social media accounts.”
Conflict Of Policy
The majority of VPNs offer no-logging policies.
It’s a public promise against logging, collecting, or sharing customer browsing and usage data.
To make matters even more complicated, the leading VPN services such as ExpressVPN and Surfshark operate only with RAM-disk servers.
While, other log-less technology, meaning the VPNs would be theoretically incapable of monitoring for URLs listed in the directive.
If VPNs plan to follow through this new directive then many could potentially run afoul of the law simply by continuing to operate.
Close Watch On Online Activities
In April, 22 YouTube channels were banned in India, showing that the center is watching online activity closely.
Google, Facebook, and Twitter came to terms with the Indian government’s increased control over social media content in 2021, ending a tense stand-off between the companies.
Earlier, India banned over 200 Chinese apps, including TikTok, and ultimately banned 9,849 social media URLs in 2020.
Government-imposed internet shutdowns and disruptions accounted for 106 of 182 such action taken globally last month, or nearly 60%, according to digital rights advocacy group Access.
Basically, the new directive is intended to help it deal with “certain gaps” that hinder it from responding to unspecified “cyber incidents and interactions with the constituency,” said the Ministry of Electronics and IT in a release Saturday.
The ministry’s full directive will take effect on June 27.
However, there is a possibility that the government may delay the implementation in order to improve compliance.