Govt. Mandates VPN Providers To Store User Logs For Up To 5 Years
Back in 2021, the Indian government proposed a law that would ban VPNs in their entirety. Nothing seemingly came of it for a while, but now, a milder, more terrifying version of the bill has resurfaced. The government of India has asked the Virtual Private Network (VPN) or cloud services providers in the country to collect and store “extensive and accurate” data of their customers for five years. As per reports, the directive has been issued by the Indian Computer Emergency Response Team (Cert-In) under the new cybersecurity policy from the Ministry of Electronics and Information Technology. This has resulted in these service providers being worried about their position and major companies like NordVPN have also considered leaving the country if they don’t get privacy to serve their customers. VPN service providers have said the new directive would mean a total loss of privacy for the users–one of the most important unique selling points of such services.
The policy that’s expected to go into effect in June 28, 2022 has also listed cryptocurrency exchanges and data centres under its provision. The directive asks VPN companies to keep user info even after the user no longer has an account with the service provider. They’ll be asked to store user names, IP addresses, usage patterns as well as other kinds of identifiable information. CERT-In is doing so to deal with a bunch of vulnerabilities including fake mobile apps, data breaches, unauthorised access to social media accounts and others.
VPN or “virtual private network” is a service that helps internet users stay private online by hiding their IP addresses. VPN establishes an encrypted connection between the user’s computer and the internet, providing a private tunnel for their data, making them anonymous and blocking anyone from tracking their movements like where they are going or what they are doing. It is the IP address– a special number unique user’s internet network– that helps websites, law enforcement agencies, cybercriminals or anyone else looking into an individual’s internet activities and track down their accurate location. Without a VPN, the user’s IP address is visible to the web. VPNs obscure the user’s internet usage by jumping the signal off multiple servers.
The government is applying these provisions to keep in check a total of 20 vulnerabilities including unauthorised access of social media accounts, IT systems, cyber attacks of any kind. Essentially, it doesn’t want bad actors online to have this invisibility cloak thinking they can get away by doing all the wrongs. By allowing access to VPN data, cybercrime teams can lock down on potential bad actors a lot more effectively -- something that would be almost impossible without it. The list doesn’t really include visiting banned websites, including those that stream pornography or illegal torrent websites. But this data would also be reflected if VPNs are to store all of your browsing histories.
India has been one of the biggest markets for VPN service providers and ranks second globally according to a report. This is due to the ever-growing internet censorship in the country. A report suggests that around 45% of users in the country rely on a VPN and hence the latest released order raises a lot of questions for the VPN service providers in the country. The governments new diktat comes at a time when VPN use has soared in the country due to increased digital habits during the pandemic and due to adhoc internet shutdowns by the government. As per advocacy group Access Now, government-imposed internet disruptions in India make up over 60% of the global shutdown.
Though it is unclear how the Centre plans to use the users’ VPN data, but, the move would make it easier for the law enforcement agencies to track criminals who use VPNs to hide their internet footprint. However, the users’ data and also be easily missed by the government and its agencies to suppress dissent. In the past, VPNs have been of vital importance in countries that try to suppress dissent. By using VPNs, dissidents are able to spoof their location and stay safe. Moreover, the government can also take action against users accessing content that is banned in India using VPNs, such as the game PUBG Mobile.