0

India orders VPN providers to record and hand over customer data

In an effort to combat cybercrime, India is enacting a new policy that will require VPN providers to collect and hand over user data, including IP addresses assigned to customers.

The policy is meant to bolster the powers of the country’s national agency, the Computer Emergency Response Team of India (CERT-In), which deals with cybersecurity incidents.

“During the course of handling cyber incidents and interactions with the electorate, CERT-In has identified certain gaps that hinder incident analysis,” the Indian government said in adopting the new policy last week.

The new regulations require VPN providers to record and store the following customer information for at least five years:

  • Name, email address and phone number

  • The customer’s purpose for using the VPN service

  • The IP addresses assigned to the customer and the IP address the customer used to register for the service

  • The customer’s “ownership pattern”

Such information could help India unmask cybercriminals using VPNs for malicious activities. But you also risk compromising the privacy of all other users of the VPN service, including the websites they have been visiting. As a result, the new policy threatens to undermine a key selling point for using a VPN, which is often touted as a tool to protect your digital privacy.

India’s policy also requires a wide range of Internet services, including ISPs and data centers, to keep logs of all their systems for a continuous period of 180 days. Additionally, cryptocurrency exchanges must keep all of their transaction and customer records for five years.

Recommended by Our Editors

We’ve reached out to several VPN providers about the new requirements and will update the story if we hear back. But we expect major VPN providers to refuse to follow the regulations, which could push the Indian government to block access to offending VPN providers or impose fines.

“Failure to provide the information or non-compliance… may invite punitive action,” the regulation states. The new policy goes into effect June 27.

SecurityWatch<\/strong> newsletter for our top privacy and security stories delivered right to your inbox.”,”first_published_at”:”2021-09-30T21:22:09.000000Z”,”published_at”:”2022-03-24T14:57:33.000000Z”,”last_published_at”:”2022-03-24T14:57:28.000000Z”,”created_at”:null,”updated_at”:”2022-03-24T14:57:33.000000Z”})” x-show=”showEmailSignUp()” class=”rounded bg-gray-lightest text-center md:px-32 md:py-8 p-4 mt-8 container-xs”>

Do you like what you are reading?

Enroll in security surveillance newsletter for our top privacy and security stories delivered right to your inbox.

This newsletter may contain advertising, offers or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You can unsubscribe from newsletters at any time.