Centre orders VPN companies to collect and store user data
The Indian government has asked VPN companies to collect user data and store it for at least five years. The directive from the CERT-in or Computer Emergency Response Team under the Ministry of Electronics and IT will require companies to maintain sensitive data, including the IP address assigned and personal details of the customer. The policy will likely come into force in late June.
- The directive from the government to collect and store data comes amid allegations of India's overarching approach to online activities. The order will make VPNs logically ineffective as they either have a 'no-logs policy' or they store data temporarily.
- However, with the increase in cyber security issues that threaten personal and national security, governments are within their rights in coming up with such policies.
Centre's new directive asks VPN companies to collect and store user data for at least five years. Companies are required to keep the information even after the user cancels their subscription. Data centers, ISPs, cloud service providers, and crypto exchanges are also covered under the order. Failure to comply will invite imprisonment for up to a year under Section 70B(7) of the IT Act.
Under the directive, VPN companies and others are required to store the user's name, phone number, email address along with physical and assigned IP address, the purpose of using the VPN, and the customer's "ownership pattern."
The government order is aimed at equipping CERT-in with more powers to deal with cyber security incidents in the country. As per the order, companies will be required to report 20 types of vulnerabilities to the agency. "During the course of handling cyber incidents and interactions with the constituency, CERT-In has identified certain gaps causing hindrance in incident analysis," said the government.
Once the order comes into force, VPN companies will have to switch to storage servers instead of RAM-disk servers and other log-less technology. This will lead to an increase in maintenance costs and will make them ineffective. For customers, the change will mean higher subscription costs and lesser privacy. Sensitive information such as browsing and download history will become trackable.