India tells VPN, cloud, and crypto companies to collect user data or face imprisonment
They must also store user data for five yearsBy Rob Thubron 35 comments
A hot potato: Users of VPNs expect that the services will protect their privacy, but a new directive in India will force companies not only to collect an extensive amount of user data but also to store it for five years and hand it over if requested. The ruling applies to Virtual Private Network providers, data centers, cloud service providers, and crypto exchanges.
As reported by Entracker, the new national directive from India's Computer Emergency Response Team, known as CERT-in, is an attempt "to coordinate response activities as well as emergency measures with respect to cyber security incidents."
Companies, including the VPN providers, must record customers' names, usage patterns, contact information, validated IP and physical addresses, and the purpose for which they are hiring the services.
India's IT Minister has no clue how privacy or VPN works. CERT-IN has no history of acting on public issues. Giving it wide powers without oversight is a bad idea. https://t.co/8Y5cKGMCXb--- Srinivas Kodali (@digitaldutta) April 30, 2022
Another part of the directive states that companies must keep customer information even after they cancel their accounts or subscriptions. Additionally, organizations must report on any users' "unauthorized access to social media accounts."
CERT-in claims the requirements are so the agency can respond to cyber incidents within six hours of discovering them. The directive isn't being welcomed by users of these services, obviously, but the companies providing them may not have much choice: failure to comply with requests for information can result in one year of imprisonment.
Most VPNs offer a no-logs policy in which they do not store logs of customers' online activities, and even those that keep them only do so temporarily. With the threat of legal action, some of these providers may be forced to leave the Indian market as a result of the new rules.
The directive is set to go into effect on June 27, though this could be delayed so that companies have more time to comply with the rules.
Image credit: Privecstasy