Virtual private network (VPN) providers will be require to register and preserve user information for at least five years, the Ministry of Electronics and Information Technology’s Indian Computer Emergency Response Team (CERT-In) has said in an order that will come into force on 28th June 2022, unless the government delays due to slow down in its compliance.
This decision is aim to help “coordinate response activities as well as emergency measures with respect to cybersecurity incidents” in India.
In an eight-page directive that was issue last week, CERT-In said that the order has taken into consideration under the sub-section (6) of section 70B of the Information Technology Act, 2000.
As it said that VPN service providers with data centres, virtual private server (VPS) providers, and cloud service providers will be require to register and maintain accurate information of their services for five years or longer “as mandated by the law after any cancellation or the registration as the case may be”.
The user information includes the valid names of subscribers, period of subscribing to the service, IPs allot to and being use, email address and IP address as well as accurate time recorded during the registration, purpose of subscribing, validate address and contact numbers, and ownership pattern of the subscribers signing into the service.
The service providers will be bound to furnish the information as call for by CERT-In.
Failing to give the information or non-compliance with the order may invite “punitive action” under sub-section (7) of the section 70B of the IT Act, 2000 and other laws as applicable, the national agency said.
Although the exact reason for the order has not yet given, CERT-In claim that the issue directions would help “address the identified gaps and issues” to provide incident response measures.
The growth of India’s Internet base is playing an important role in the expansion of cybersecurity incidents in the country.
One of the key reasons for such issues is the lack of awareness among the general public on how they should avoid becoming a prey for cybercriminals.
Organisations including government departments are also not active in fixing security loopholes.
For this, the ministry’s agency is making it mandatory for service providers, intermediaries, data centres, body corporate, and government departments to report vulnerabilities to CERT-In within six hours.
So, directing VPN providers to collect and share information of their subscribers is strange as the prime purpose of getting a VPN service is to avoid leaving any traces behind.
Most VPN companies follow no-logs practices and often actively promote that they don’t keep users’ activity data, though some of them collect anonymise analytics data to troubleshoot and fix connection failures.
In such a scenario, it is unclear how some of the world’s popular VPN service providers will be able to comply with the government’s order.
It is also not clear whether the directions will be applicable to all service providers or the ones who are base in India.
The order will come into effect from late June, though there could be some delay in its implementation as most players are likely to take time in complying with the given directions.
The same order also made it mandatory for crypto exchanges in the country to store user data for at least five years.
As this is not the first time when we are seeing VPN service providers coming into the limelight in the country.
A parliamentary panel last year urge the government to permanently block VPNs to restrict cybercrimes.
Telecom operators including Reliance Jio was also seen restricting access to certain VPN services and proxy websites in the country in 2019.
Nord VPN May Quit India after Government Mandates Storing User Data
Nord VPN, one of the leading VPN service providers, has warn that India’s new regulations for virtual private network providers that mandate them to store user data may cause it to shut down its Indian servers.
The Ministry of Electronics and Information Technology pass a regulation that VPN providers, as well as cryptocurrency exchanges, must maintain records of users for five years a move that defies the purpose of using private networks.
Patricija Cerniauskaite, spokesperson for Nord VPN’s parent company, Nord Security Said :
“We are committed to protecting the privacy of our customers therefore, we may remove our servers from India if no other options are left,”.
A virtual private network is use to reroute the internet traffic to pre-allot private servers for many purposes.
For example, your office may use its own private network for internal websites which are not accessible on the public internet.
VPNs are heavily use to access block websites through servers of other countries where those websites are not ban.
Many VPN services, such as Nord VPN, stress privacy of users is paramount, which is why they claim to neither store the IP location of the machine use to access their network nor the customer’s online data except for the account details that you use to sign in to these networks.
These services are mostly available for a fee, which is why those using free VPN services tend to give away their data to the VPN provider.
Nord VPN has a no-log policy, which means it will not maintain a log of anything that its users do on their network, giving them a sense of complete privacy.
Nord’s no-log policy is periodically audit by PriceWaterhouseCoopers, which is a multinational professional services network of firms.
The Indian government’s new regulation demands that Nord VPN breaks its policy for its Indian servers and start maintaining the log of the users that connect to these servers.
Since the rule applies to only Indian servers of Nord VPN, which the company is likely to shut because it cannot comply with the government’s demand, Indian users should still be able to connect to Nord’s servers in other countries.
Nord VPN has 28 servers in India currently, seemingly host at facilities that belong to Edgoo Networks in Mumbai.
Nord also had servers in Chennai but those were close a few months back.
These servers allow both Indian and foreign users to connect to them to access private networks.
If the company decides to shut these servers in Mumbai, too, it will possibly be a wrap-up for one of the leading VPN providers globally.
Patricija Cerniauskaite Said :
“At the moment, our team is investigating the new directive recently passed by the Indian government and exploring the best course of action. As there are still at least two months left until the law comes into effect, we are currently operating as usual,”.
Nord VPN is famous for offering a clutter-free VPN experience that bypasses the geolocation restrictions of most websites.
Its VPNs are also built using high cybersecurity standards, which is why the company claims to offer users protection from pesky advertisements, malware, and online trackers.
