India Issues a New Order for VPN Companies to Collect and Hand Over User Data

The Indian Government has issued a new order that binds VPN companies to collect user data and maintain it for a minimum of five years. The Indian Computer Emergency Response Team, commonly abbreviated as CERT-In, which falls under the Ministry of Electronics and IT, announced that VPN companies must from now on maintain detailed records of customers' personal information, such as names, service usage patterns, and validated physical as well as IP addresses.

The new announcement covers not only VPN companies but also data centers and cloud service providers. The Indian government also recently mandated new regulations for reporting cyber breaches for all organizations. According to the new policy, companies have to maintain user data even after the termination of customer subscriptions. Companies need to report to CERT-In in case of unauthorized access to online social media accounts.

VPN Companies to Collect and Maintain User Data for Cyber Security

According to the new order, VPN companies will collect the following user information:

  • User name, contact numbers and physical addresses
  • Reasons for using VPN services
  • Both IP and email addresses used for registration
  • Registration time-stamp and ownership pattern

The ministry has given VPN companies a period of 60 days to make appropriate arrangements. Failure to follow the new law will result in a prison sentence of one year.

A Difficult Order to Follow for VPN Companies Issued by CERT-In

The new order will create a rather difficult situation for VPN companies as well as VPN users. Most virtual private network services offer a no-logging policy, which means that the provider does not store or share user information, in order to maintain data privacy and confidentiality. Also, leading VPN service providers such as ExpressVPN or Surfshark operate with log-less technology like RAM-disk servers. This indicates that theoretically they won't be able to monitor for URLs. Unless they change their working method and existing technology, they will be unable to operate in India because of the new government order.

According to the announcement issued by the Ministry of Electronics and IT, the new order will close 'certain gaps' that exist within the system, which will ultimately help in addressing unspecified cyber incidents. However, India is well known for imposing heavy restrictions on online activities. The country banned 22 YouTube channels in April and more than 200 Chinese apps in 2020. Future events will tell us whether the new policy is beneficial or not.

We, a CERT-In empanelled agency, are the most preferred cyber security advisor that supports key public as well as private sector enterprises in the industry, delivering state-of-the-art solutions on vulnerability and penetration testing (VAPT), managed security services, web application audit, NOC, SOC, SIEM/SOAR and many more. Our Anti-Ransomware Readiness (ARR) Audit is a combination of active and passive non-intrusive techniques that delivers a strong technical process to an organization to mitigate ransomware threats.

Do check our website www.primeinfoserv.com for more details, write to us at info@primeinfoserv.com, or contact us at +913340085677 for queries.