vpn image unsplash petter lagson 1651760357856

Government mandates VPN providers to store and share user data: What you need to know

The Indian Computer Emergency Response Team (CERT-In) of the Ministry of Electronics and Information Technology has issued directives that virtual private network (VPN) providers must register and store user information for at least five years. June 28 – Unless the government delays due to a delay in its compliance. The decision aims to “coordinate response activities as well as emergencies related to cybersecurity incidents in the country”. Here’s what you need to know about evacuation.

In a Eight-page command CERT-In stated that the order was considered under sub-section (6) of Section 70B of the Information Technology Act, 2000, issued last week. VPN service providers – in addition to data centers, virtual private server (VPS) providers and cloud service providers – are required to record and maintain accurate information about their services for a period of five years or more “as required by law after any termination or registration of a case”.

User information includes the subscriber’s valid names, membership period for the service, assigned and used IPs, email address and IP address as well as the exact time of registration, purpose of membership, verified address and contact numbers, and subscriber ownership pattern for signing up for the service.

In the event of any incident, the service providers are bound to provide the information called by CERT-In.

Failure to provide the information or fail to comply with the order may invite “punitive action” under sub-section (7) of the IT Act, Section 70B, 2000 (7) and other applicable laws, the national agency said.

Although the exact reason for the order has not yet been given, CERT-In states that the issued directives will help resolve “identified gaps and issues” to provide event response action.

The growth of India’s internet base is playing an important role in the proliferation of cyber security incidents in the country. The main reason for such problems is the lack of awareness among the general public on how to avoid falling victim to cyber criminals. Even organizations, including government departments, have not been active in correcting security vulnerabilities. To this end, the Ministry mandates that service providers, intermediaries, data centers, body corporate and government departments report vulnerabilities to CERT-In within six hours.

However, it is strange that VPN providers should be instructed to collect and share information about their subscribers, as the main purpose of getting a VPN service is to leave no trace. Most VPN companies Follow no-logs methods And often actively campaign, although they do not keep users’ activity data Collect data from anonymous analytics To fix and resolve connection failures.

In such a scenario, it is unclear how some of the world’s leading VPN service providers will comply with government mandate. It is also not clear whether the directives apply to all service providers or to those in India.

This order will come into effect from the end of June, although there may be some delay in its implementation as it is likely to take time for most players to follow the instructions given. The same order made it mandatory for crypto exchanges in the country to store user data for at least five years.

In particular, this is not the first time VPN service providers have come to light in the country. Last year, a parliamentary panel asked the government to permanently block VPNs to control cybercrime. Telecom operators, including Reliance Jio, have also been seen restricting access to specific VPN services and proxy websites in the country in 2019.


Leave a Comment

Your email address will not be published.