In what is described as part of the efforts to fight cybercrime, India is enacting a new policy that will require VPN providers to collect and turn over user data, which includes the IP addresses assigned to customers.
The government claims this policy will bolster the powers of India’s national agency, the Computer Emergency Response Team (CERT-In), which deals with cybersecurity incidents.
“During the course of handling cyber incidents and interactions with the constituency, CERT-In has identified certain gaps causing hindrance in incident analysis,” the government explained.
The regulations call for VPN providers to log AND store the following information from customers for at least 5 (five) years:
- Name, email address, and phone number
- The customer’s purpose for using a VPN
- The IP addresses allotted to the customer as well as the IP address the customer used to sign up with the service
- The “ownership pattern” of the customer
This information could not only help India’s authorities “unmask” cybercriminals using VPNs for malicious activities, but also the regular folk who just want to be more anonymous online. As such, this new bill presents a major privacy issue for pretty much every citizen of India.
Heck, the regulation allows the government to know each and every site anyone in the country is visiting and that leaves a lot of room for misuse. Also, it partly kills the point of getting a VPN in the first place — some folks (ourselves included) get it for privacy, after all.
But wait, there’s more… India’s policy also requires ISPs and data center operators to maintain logs of all their systems over a rolling 180-day period. And like that’s not enough, cryptocurrency exchanges must maintain all their transaction and customer records for five years.
It is only natural that major VPNs will refuse to follow these rules and will likely have to shut down their servers in India. Otherwise, by not complying with the law, they could face “punitive action”.
There’s still little room for preparation as the new policy will go into effect on June 27. By that time, VPN providers could set up enough servers in surrounding countries to keep offering their services to their Indian customers. More to come, obviously.