The Ministry of Electronics and Information Technology (MeitY) of India and the CERT-In recently announced the new policy for VPN providers in India via an official memo. The policy aims to give more power to CERT-In, which is responsible for monitoring cybercrimes in the country.
“During the course of handling cyber incidents and interactions with the constituency, CERT-In has identified certain gaps causing hindrance in incident analysis,” the Indian government said in a statement. Citing this issue and to help the emergency response team with cybercrime analyses, this new policy will go into effect on June 27.
Under this policy, VPN providers will be required to log and store user information such as their names, email addresses, and phone numbers for at least five years. The companies are also required to store the IP addresses that the customers have been allotted and the ones that they used to sign up, along with other details like their purpose for using VPN services and their “ownership pattern.”
Apart from these, the new policy also requires various ISPs and data centers to maintain proper logs of their systems over a rolling 180-day period. Furthermore, it extends to cryptocurrency exchange platforms and requires them to maintain transaction and customer records for five years.
With these steps, the government aims to prevent cybercriminals from using VPN services for malicious activities. However, it would also mean that all VPN users’ online activities will now be logged and stored in a database for the government to access anytime. While it may end up curbing cyber attacks, this new policy also puts a user’s personal information out in the open. Hence, it would now be difficult for VPN companies to promote their services with privacy as a key feature.
There is a chance that many VPN companies would object to the new policy but the government warns that “failure to furnish the information or non-compliance may invite punitive action.”