India Orders VPN Companies to Collect and Hand Over User Data

In India, companies will be required to collect extensive customer data — and maintain it for five years or more — under a new national directive from the country’s Computer Emergency Response Team, known as CERT-in. It’s a policy that will likely make life more difficult for both VPN companies and VPN users there.

The body, under the country’s Ministry of Electronics and IT, announced on April 28 that VPNs in the country will have to keep customer names, validated physical and IP addresses, usage patterns and other forms of personally identifiable information. As first reported by , those who don’t comply could potentially face up to  under the governing law cited in the new directive.

The directive isn’t limited to VPN providers. Data centers and cloud service providers are both listed under the same provision. The companies will have to keep customer information even after the customer has canceled their subscription or account. And, in all cases, CERT-in will require the companies to report on their users’ “unauthorized access to social media accounts.”

Most VPNs offer a no-logging policy, a public promise against logging, collecting or sharing customer usage and browsing data. Leading services like  and  operate only with , meaning the VPNs would be theoretically incapable of monitoring for URLs listed in the directive. If VPNs in India are required under the new directive to keep customer registration data — or to monitor and report social media usage — many could potentially run afoul of the law simply by continuing to operate. 

India has a history of applying a heavy hand to online activity.

In April, India . In 2021,  ended a tense stand-off with the Indian government when they largely complied with the government’s expanded control over social media content in the country. In 2020, the country banned over 200 Chinese apps, , and ultimately .

The digital rights advocacy group  last month that government-imposed internet shutdowns and disruptions in India accounted for 106 of a global total of 182 such government actions, or nearly 60%. The directive likewise follows notable spikes in , where independent research firm Top10VPN estimates the shutdowns affected .  

The in a release Saturday that the new directive is intended to help it deal with “certain gaps” that hinder it from responding to unspecified “cyber incidents and interactions with the constituency.”  

Under the , VPN companies will be required to collect and report the following information: 

  • Validated customer names, physical address, email address and phone numbers.
  • The reason each customer is using the service, the dates they use it and their “ownership pattern.”
  • The IP address and email address used by a customer to register for the service, along with a registration time stamp.
  • All IP addresses issued to a customer by the VPN, and a list of IP addresses being used by its customer base generally.

British Virgin Islands-based PureVPN, which touts 3 million users globally, said the new directive could impact the company’s position in India.

“We’re quite astonished at this policy move by the world’s largest democracy which is on the brink of becoming the world’s largest police state. We are reaching out to Indian authorities and reviewing the policy guidelines to assess what it means for foreign companies serving users in India. PureVPN is a no-log VPN. User anonymity and security is a central priority, but if that is compromised by this policy then we will have to consider our position in India,” PureVPN CEO Uzair Gadit told CNET in a May 5 email. 

Gadit said that though the new directive asks VPN companies to store their customers’ data for at least 5 years, PureVPN stores no personally identifiable information.

“Nor does it record or store user activity. So this presents a significant risk for our users. More widely, this will impact the wider VPN industry,” Gadit said.

The  is slated to take effect on June 27, though the government may delay implementation to allow time for wider compliance. 

First published May 2, updated on May 5 to include comment from PureVPN CEO Uzair Gadit.
