India order VPN services providers to store user data

To fight cybercrime, India is passing a new policy that will require VPN services to collect and turn over the user’s data, including the IP addresses assigned to their customers. 

The policy is meant to strengthen the country’s national agency’s powers, the Indian Computer Emergency Response Team (CERT-In), which deals with cybersecurity incidents. 

“While handling any cyber incident with the constituency, CERT-In has identified specific gaps that cause obstacles in incident analysis,” India’s government said while adopting the new policy last week.

The new regulations call for VPN Services providers to log and store the following information of customers for at least five years: 

• Name, email address, and contact number
• The purpose of using the VPN service
• The IP addresses that are allotted to the customer and the IP address the customer used to sign up in your Service
• The “ownership pattern” of the customer

Such information could help India unmask the cybercriminals using VPNs for malicious activities. But, the main problem is it also risks the privacy of all other users using the VPN service, which includes the websites they’ve been visiting. As a result, the new policy risks undermining a key selling point of using a VPN, which is often promoted as a tool to protect your digital privacy.

India’s policy requires a wide range of internet services, including Internet Service providers (ISPs) and data centers, to maintain the logs of all their systems over a rolling period of 180-days. In addition, cryptocurrency exchanges should also keep all their transaction and customer records for at least five years. 

We reached out to several VPN services providers on the new requirements and will update the story if we hear back. But we expect that significant VPN service providers will refuse to follow the respected regulations, which could push the Indian government to block the access to offending VPN providers or impose fines.

The regulations state that the failure to provide the information or non-compliance may invite penal action, the regulations state. The new Indian policy will go into effect on June 27.

How will the current policy affect the working of VPNs?

The main reason for using a VPN is to maintain your IP address private. It allows customers to stay free of online website trackers that track users’ data and location. Paid VPN offers a no-logging policy that gives total privacy as it operates on RAM-only serves. With the new change, VPN companies will be forced to store servers, allowing them to log in user data and keep it for five years or more. Switching to storage servers means higher costs for companies, and user privacy will no longer be these services’ core functionality.

The nitty-gritty of the policy is yet to be disclosed, and there are chances that we might see some provision or alternative that ensures user privacy while keeping a log. While it appears unlikely, the only option left is to wait and see how the VPN Service providers will adjust themselves to this policy.

What will happen if VPN Services keep your data?

Once the VPN companies start to keep your data, they can access all your connection logs. They can save track time when you connected to VPN and how long you were connected. Companies can access to IP address and server you initially linked to. With the enforcement of the recent Policy, VPN service providers can share all your connection logs with law enforcement.

They can also access your usage logs, including a list of websites you visit, content or message you’ve sent or received, a list of applications and services you are accessing through your device, and your physical location.

UPDATE 5/4/2022: Three VPN Service providers said they don’t plan to follow India’s new policy that requires customer data collection.

Surfshark said: Surfshark has a strict no-logs policy, which means they don’t collect or share their customer’s browsing data or any valuable information. Moreover, we operate only with RAM-only servers, which means that any kind of information usually on the hard drive is deleted automatically whenever a server is switched off. Thus at this point, even technically, we would not be able to comply with the logging requirements as per Indian policy. We are still investigating the new regulations and their implications, but the overall aim is to continue providing no-logs services to all of our users.

Meanwhile, ProtonVPN also said: that India’s new VPN requirements will corrupt civil liberties and make it more difficult for people to protect their data online. Proton is monitoring the situation, but ultimately they will never take any measure that weakens their VPN service or threatens their users’ privacy.

ExpressVPN also said: “We are holding a close eye on the situation as it grows, but want to make clear that ExpressVPN is fully determined to protecting our users’ privacy, including by never logging user activity, and will alter our operations and infrastructure to keep this principle if and when necessary. As a company focused on protecting privacy and freedom of expression online, ExpressVPN will resume fighting to maintain users connected to the open and free internet, no matter where they are located.”

If you feel any problems related to this article. Kindly do contact us here. We are here to help you with it

For more updates just follow us on Instagram.