Virtual Private Network (VPN) providers will be required to register and keep user information for at least five years, the Ministry of Electronics and Information Technology’s Computer Emergency Response Team of India (CERT-In) said in an order that takes effect on June 28, unless the government delays it because of slow compliance. The decision is intended to help the country “coordinate response activities and emergency measures to respond to cybersecurity incidents.” Here’s everything you need to know about the move.
In an eight-page directive issued last week, CERT-In said it had issued the order under section 70B(6) of the Information Technology Act 2000. It said VPN service providers, along with data centres, virtual private server (VPS) providers and cloud service providers, would be required to register and maintain accurate information about their services for five years or more “under the law, after cancellation or registration as the case may be”.
The user information includes the subscriber's validated name, the period of the subscription, the IP addresses assigned to and used by the subscriber, the email address, IP address and exact time recorded at registration, the purpose of the subscription, the validated address and contact number, and the ownership pattern of the subscriber.
In the event of any incident, the service provider will be obliged to provide information as requested by CERT-In.
The state agency said failure to provide information or to comply with an order could trigger “punitive action” under section 70B(7) of the IT Act 2000 and other applicable laws.
While the exact reason for the order has not been given, CERT-In claims the issued instructions will help “address identified gaps and issues” to provide incident response measures.
The growth of India’s internet base has played a major role in the rise of cybersecurity incidents in the country. One of the main reasons for such problems is the lack of public awareness of how to avoid falling prey to cybercriminals. Organizations, including government departments, are also not actively patching security holes. To this end, the ministry’s agency mandates that service providers, intermediaries, data centers, corporate bodies and government departments report vulnerabilities to CERT-In within six hours.
However, it is odd to instruct a VPN provider to collect and share information about its subscribers, since the main purpose of getting a VPN service is to avoid leaving any trace. Most VPN companies follow a no-logs practice and often aggressively advertise that they don’t keep user activity data, although some of them collect anonymous analytics data to troubleshoot and fix connection failures.
In this case, it is unclear how some of the world’s popular VPN service providers will be able to comply with the government's order. It is also unclear whether these instructions apply to all service providers or only to those located in India.
The order will go into effect in late June, but its implementation may be delayed as most participants may need time to comply with the given instructions. The same order also forces cryptocurrency exchanges in the country to store user data for at least five years.
It’s worth noting that this isn’t the first time we’ve seen VPN service providers come into the limelight in the country. Last year, a parliamentary group urged the government to permanently block VPNs to limit cybercrime. Telecom operators including Reliance Jio also restricted access to certain VPN services and proxy websites in the country in 2019.