October 3, 2022

Virtual private network (VPN) providers will be required to register and preserve user information for at least five years, the Ministry of Electronics and Information Technology’s Indian Computer Emergency Response Team (CERT-In) has said in an order that will come into force on June 28, unless the government delays it because of slow compliance. The decision is aimed at helping “coordinate response activities as well as emergency measures with respect to cybersecurity incidents” in the country. Here’s all you need to know about the move.

In an eight-page directive issued last week, CERT-In said that the order has been issued under sub-section (6) of section 70B of the Information Technology Act, 2000. It said that VPN service providers, alongside data centres, virtual private server (VPS) providers, and cloud service providers, will be required to register and maintain accurate information about their services for five years or longer “as mandated by the law after any cancellation or the registration as the case may be”.

The user information includes the validated names of subscribers, the period of subscription to the service, the IPs allotted to and used by them, the email address and IP address used at registration along with an accurate timestamp, the purpose of subscribing, validated address and contact numbers, and the ownership pattern of the subscribers signing up for the service.

In case of any incident, the service providers will be bound to furnish the information as called for by CERT-In.

Failing to provide the information, or otherwise not complying with the order, may invite “punitive action” under sub-section (7) of section 70B of the IT Act, 2000 and other laws as applicable, the national agency said.

Although the exact reason for the order has not yet been given, CERT-In claimed that the issued directions would help “address the identified gaps and issues” to provide incident response measures.

The growth of India’s Internet user base is contributing to the rise in cybersecurity incidents in the country. One of the key reasons for this is the lack of awareness among the general public about how to avoid becoming prey to cybercriminals. Organisations, including government departments, are also slow to fix security loopholes. To that end, the ministry’s agency is making it mandatory for service providers, intermediaries, data centres, body corporates, and government departments to report vulnerabilities to CERT-In within six hours.

However, directing VPN providers to collect and share information about their subscribers is at odds with the primary reason people buy a VPN service: to avoid leaving traces behind. Most VPN companies follow no-logs practices and often actively advertise that they do not keep users’ activity data, though some of them collect anonymised analytics data to troubleshoot and fix connection failures.

In such a scenario, it is unclear how some of the world’s most popular VPN service providers will be able to comply with the government’s order. It is also not clear whether the directions will apply to all service providers or only to those based in India.

The order will come into effect in late June, though there could be some delay in its implementation, as most players are likely to need time to comply with the directions. The same order also made it mandatory for crypto exchanges in the country to store user data for at least five years.

Notably, this is not the first time VPN service providers have come into the limelight in the country. A parliamentary panel last year urged the government to permanently block VPNs to curb cybercrime. Telecom operators including Reliance Jio were also seen restricting access to certain VPN services and proxy websites in the country in 2019.