Government Orders VPN Providers to Store and Share Data 5w2p18 All You Should Know

Failing to share the information or non-compliance with the order may invite "punitive action" against VPN providers in the country. 4r2j5a

By Jagmeet Singh | Updated: 5 May 2022 19:51 IST

Government Orders VPN Providers to Store and Share Data: All You Should Know

Photo Credit: Unsplash/ Petter Lagson i1730

VPN companies may need to follow the order from as early as June 28

Highlights

VPN providers are ordered to preserve data for at least five years
CERT-In has issued orders to VPN providers and data centres
VPN companies normally promote their no-log practices

ment

Virtual private network (VPN) providers will be required to and preserve information for at least five years, the Ministry of Electronics and Information Technology's Indian Computer Emergency Response Team (CERT-In) has said in an order that will come into force on June 28 — unless the government delays due to slow down in its compliance. The decision is aimed to help "coordinate response activities as well as emergency measures with respect to cybersecurity incidents" in the country. Here's all you need to know about the move.

In an VPN service providers — alongside data centres, virtual private server (VPS) providers, and cloud service providers — will be required to and maintain accurate information of their services for five years or longer "as mandated by the law after any cancellation or the registration as the case may be".

The information includes the valid names of subscribers, period of subscribing to the service, IPs allotted to and being used, email address and IP address as well as accurate time recorded during the registration, purpose of subscribing, validated address and numbers, and ownership pattern of the subscribers g into the service.

In case of any incident, the service providers will be bound to furnish the information as called for by CERT-In.

Failing to give the information or non-compliance with the order may invite "punitive action" under sub-section (7) of the section 70B of the IT Act, 2000 and other laws as applicable, the national agency said.

Although the exact reason for the order has not yet been given, CERT-In claimed that the issued directions would help "address the identified gaps and issues" to provide incident response measures.

The growth of India's Internet base is playing an important role in the expansion of cybersecurity incidents in the country. One of the key reasons for such issues is the lack of awareness among the general public on how they should avoid becoming a prey for cybercriminals. Organisations including government departments are also not active in fixing security loopholes. For this, the ministry's agency is making it mandatory for service providers, intermediaries, data centres, body corporate, and government departments to report vulnerabilities to CERT-In within six hours.

However, directing VPN providers to collect and share information of their subscribers is strange as the prime purpose of getting a VPN service is to avoid leaving any traces behind. Most VPN companies follow no-logs practices and often actively promote that they don't keep s' activity data, though some of them collect anonymised analytics data to troubleshoot and fix connection failures.

In such a scenario, it is unclear how some of the world's popular VPN service providers will be able to comply with the government's order. It is also not clear whether the directions will be applicable to all service providers or the ones who are based in India.

The order will come into effect from late June, though there could be some delay in its implementation as most players are likely to take time in complying with the given directions. The same order also made it mandatory for crypto exchanges in the country to store data for at least five years.

Notably, this is not the first time when we are seeing VPN service providers coming into the limelight in the country. A parliamentary last year urged the government restricting access to certain VPN services and proxy websites in the country in 2019.

Asus India's Arnold Su s this week's Orbital, the Gadgets 360 podcast, to talk about how the PC maker is planning to grow its presence in the country. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.

links may be automatically generated - see our ethics statement for details.

Comments

For the latest reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.