Government Orders VPN Providers to Store and Share User Data: Everything You Need to Know

Virtual private network (VPN) providers will be required to record and retain user information for at least five years, the Ministry of Environment’s Computer Emergency Response Team India (CERT-In) has said. Electronics and Information Technology in an order that will come into effect on June 28 – unless the government delays due to a slowdown in its compliance. The decision aims to help “coordinate response activities as well as emergency measures regarding cybersecurity incidents” in the country. Here’s everything you need to know about moving.

In an eight-page directive issued last week, CERT-In said the order had been considered under subsection (6) of section 70B of the Information Technology Act 2000. ‘information. He said VPN service providers – alongside data centers, virtual private server (VPS) providers and cloud service providers – will be required to record and maintain accurate information about their services for five years. or more “as required by law after any cancellation or registration, as the case may be”.

User information includes valid names of subscribers, service subscription period, assigned and used IP addresses, email address and IP address as well as the exact time recorded during registration, the purpose of subscription, address and verified contact numbers, and ownership model of subscribers connecting to the service.

In the event of an incident, service providers will be required to provide the information requested by CERT-In.

Failure to provide the information or to comply with the order may result in “punitive action” under subsection (7) of section 70B of the Computers Act 2000 and other applicable laws, the national agency said.

Although the exact reason for the order has not yet been given, CERT-In claimed that the instructions issued would help “address identified deficiencies and issues” to provide incident response measures.

The growth of India’s Internet base plays a significant role in the expansion of cybersecurity incidents in the country. One of the main reasons for these problems is the lack of awareness among the general public on how to avoid falling prey to cybercriminals. Organizations, including government departments, are also not active in fixing security vulnerabilities. For this, the ministry agency obliges service providers, intermediaries, data centers, legal entities and government departments to report vulnerabilities to CERT-In within six hours.

However, ordering VPN providers to collect and share information about their subscribers is strange, since the primary purpose of getting VPN service is to avoid leaving traces. Most VPN companies follow no-logs practices and often actively promote that they do not log user activity data, although some do collect anonymized analytics data to troubleshoot and fix failures connection.

In such a scenario, it is unclear how some of the world’s most popular VPN service providers will be able to comply with the government order. It is also unclear whether the instructions will be applicable to all service providers or those based in India.

The order will come into effect from the end of June, although there may be some delay in its implementation as most players are likely to take time to comply with the instructions given. The same order also made it mandatory for crypto exchanges in the country to store user data for at least five years.

Notably, this isn’t the first time we’ve seen VPN service providers enter the scene in the country. Last year, a parliamentary panel urged the government to permanently block VPNs to curb cybercrime. Telecom operators including Reliance Jio were also seen restricting access to some VPN services and proxy websites in the country in 2019.


Not all news on the site expresses the point of view of the site, but we transmit this news automatically and translate it through programmatic technology on the site and not from a human editor.
Back to top button