Centre warns VPNs over sites leaking Indians's personal data
What's the story
The Ministry of Electronics and Information Technology (MeitY) has issued a warning to virtual private network (VPN) service providers and online intermediaries. The advisory cautioned against allowing access to websites that leak personal information of Indian citizens without their consent. The move comes after MeitY flagged sites like proxyearth.org and leakdata.org for allegedly exposing sensitive details such as names, addresses, phone numbers, and email IDs through just an Indian mobile number search.
Advisory details
MeitY emphasizes user safety and privacy
MeitY's advisory stressed the serious risks these websites pose to user safety and privacy. The ministry said that such platforms are operating against Indian law, as they allow public access to personal information without authorization. It also noted that these sites can be accessed through VPN services, making it imperative for their providers to take action.
Compliance reminder
Intermediaries reminded of their obligations under IT Act
The advisory also reminded intermediaries of their obligations under the Information Technology Act, 2000 and the IT Rules, 2021. These rules prohibit hosting or transmitting information belonging to another person without rights, invading someone's privacy, or threatening public order. The ministry emphasized that intermediaries and VPN service providers must take immediate action to ensure no user is allowed to host/display/publish/transmit/store/update/share any information that belongs to another person and violates privacy laws.
Data retention
VPNs face scrutiny over data retention policies
In 2022, the Indian Computer Emergency Response Team issued directions mandating VPNs, cloud service providers, and VPS operators to collect and store verified customer information for five years. This was even after a service was discontinued. Major VPN companies like Proton VPN, ExpressVPN, NordVPN, and Surfshark had to remove their physical servers from India to avoid this data-retention mandate.
Legal implications
Non-compliance could lead to legal action
The ministry's latest directive highlights the serious nature of the situation and reiterates that VPN services and intermediaries must make reasonable efforts not to permit access to such websites. It also warns that failure to comply could cost companies their safe-harbor protections under Section 79 of the Act, leading to action under it.