Explanation: Indian government makes user data collection mandatory for VPNs

  • A new government directive will require virtual private networks (VPNs) to store user data for five years or more.
  • The government took this decision on April 28, 2022 to curb cybercrime activities.
  • Here’s how it will affect users.

The Indian government has introduced a new IT policy that requires virtual private network (VPN) companies to collect extensive customer data and retain it for five years or more. The directive came from the Computer Emergency Response Team, CERT-in. The new policy lists data centers and crypto exchanges under the same layout. The new policy will come into effect from the end of June 2022.

VPN companies will have to retain user information even after they delete their account or cancel their subscription. Companies will need to store usernames, IP addresses, usage patterns, and other forms of identifiable information.

The vulnerabilities that CERT-in asked to report include fake mobile apps, data breaches, unauthorized access to social media accounts and many more.

Discover the future of SaaS in India

The 6-part video series will capture the vision of India’s SaaS leaders and highlight the potential of the industry in the decades to come.May 11, 2022 Starts at 4:00 p.m. (45 minutes)Free registration
Our speakers
Girish Mathrubootham
Brian E. Taptich

Usually VPNs have a no-logs policy, companies only work with RAM disk servers and other no-log technologies due to which they are unable to monitor data and usage.

Recently, India has taken a heavy hand in online business. In April, the Indian government banned 22 YouTube channels. In 2021, Twitter, Google and Facebook had a standoff with the Indian government over control of social media content. Additionally, in 2020, the government banned more than 200 Chinese apps, including TikTok.

According to the Ministry of Electronics and Information Technology, the new policy aims to address loopholes that prevent the government from responding to certain cybercrime incidents.

How will the new policy affect how VPNs work?

The main reason to use a VPN is to keep your IP address private. It keeps customers safe from website trackers that track user data and location. The paid VPN offers a no-logs policy which provides complete privacy as it runs on RAM-only servers. With the new change, VPN companies will be forced to store servers that allow them to connect to user data and store it for five years or more. The shift to storage servers means higher costs for businesses, and user privacy will no longer be the core functionality of these services.

The detail of the policy has not yet been disclosed, chances are we will see a provision or alternative that guarantees user privacy while keeping a log. Although it seems unlikely, the only option is to wait and see how the VPN providers adapt to this policy.

What will happen if VPN services keep your data?

Once VPN companies keep your data, they can access the connection logs. They can track the time you connected to the VPN and how long you have been connected. Companies can access the IP address and server you originally connected to. With the enforcement of the new policy, VPN service providers can share your connection logs with law enforcement.

They can also access your usage logs, including a list of websites you visit, content or message you sent or received, list of apps and services you access through your device. Additionally, they can access your physical location.


Google India appoints ex-Modi think tank official as head of policy

Twitter fails to calm nervous advertisers over Musk’s plans in rushed sales showcase

Comments are closed.