India to Collect User Data from VPNs, Data Centers, and Cloud Service Providers

The Indian government recently passed a new law that mandates all internet service providers to collect and store user data for the past five years.

As per the press release of the Indian Computer Emergency Response Team (CERT-In, under the Information Technology Act 2000 provisions of sub-section (6) of section 70B, the agency will collect information from service providers including VPNs, data centers, intermediaries, and body corporate. 

All VPN service providers, VPS (virtual private server) providers, cloud service providers, Know Your Customer (KYC) norms, and practices used by virtual asset service providers, custodian wallet service providers, and virtual asset exchange providers will have to follow the new directives that come into effect on June 27th, 2022.

The new law, according to the press release, aims to fill the gaps that cause hindrance in incident analysis and ensure “safe & trusted Internet in the country.”

What Information Will be Collected?

The new directions cover various aspects of synchronizing ICT system clocks, maintaining ICT system logs, mandatory reporting of cyber incidents within six hours, and providing subscriber/customer registration details.

Furthermore, the agency noted that service providers would collect records of financial transactions for a period of 5 years to offer optimum security in payments and financial markets.

A look at directions released by the Ministry of Electronics and Information Technology (MeitY) Indian and CERT-In, Data Centers, VPS and VPN service providers, and Cloud service providers will have to collect and store the following data for at least five years or longer.

1. Date and period of hire
2. Purpose of subscribing to services
3. Verified contact numbers and address
4. Ownership patterns of customers/subscribers using their services
5. Authenticated names of customers and subscribers using their services
6. IPs allotted to the customers/subscribers or being used by the members
7. IP address, email address, and time stamp used when registering or on-boarding

VPN Providers Refuse to Oblige

The new directives risk compromising user privacy and undermine the unique selling point of VPNs, which is safeguarding users’ digital footprint. CERT-IN requires government organizations, all service providers, data centers, and body corporate to enable logs of their ICT systems and securely maintain them for 180 days.

However, some reports suggest that three mainstream VPN service providers may not follow the new policy. According to Surfshark, which observes a no-logs policy, the company is currently investigating the implications of the new regulations and aims to continue its no-logs policy.

ProtonVPN stated that the new VPN requirements would erode civil liberties, and they will never take measures that weaken or threaten users’ privacy. ExpressVPN also clarified that they are “fully committed to protecting users’ privacy and would never log user activity.

A full transcript of the law can be accessed here .

More VPN News on Hackread.com

1. PureVPN Aided FBI to Track CyberStalker by Providing His Logs
2. VPN company that claims zero logs policy leaks 20 million user logs
3. Israeli firm Kape Technologies buys ExpressVPN raising privacy concerns
4. HotSpot Shield, PureVPN & ZenMate found leaking users real IP addresses
5. Israeli firm buys Private Internet Access (PIA) VPN raising privacy concerns