Virtual private network (VPN) companies in India must collect and maintain customer data for at least 5 years, according to a directive from the Computer Emergency Response Team (CERT-In).
The mandate applies to Virtual Private Server (VPS) providers, VPN service providers, cloud service providers and data centers, and is aimed at maintaining accurate information on customer registration details.
Details must include names, addresses, contact numbers and email addresses of customers hiring the services, period of hire, IPs allotted to them, time stamp used at the time of registration, purpose for hiring services and ownership pattern of the customers.
The order will become effective after 60 days, and failure to furnish the information or non-compliance with the directions may invite punitive action, CERT-In said.
The CERT-In serves as the national agency that analyses cyber threats and handles cyber incidents reported to it.
During the course of handling cyber incidents, CERT-In has identified certain gaps that hinder threat analysis. The directions issued will help it address the identified gaps.
These directives challenge the primary function of a VPN, which is to hide users’ IP addresses from their Internet Service Providers and other third parties.
Most VPN services do not store logs of user activities. ISPs and other third parties cannot see which websites users visit or what data they send and receive online.
The new directive to collect and store users’ information calls into question the very existence of VPNs.
Published - May 06, 2022 08:52 am IST