According to reports, India now requires data logging from all VPNs, cryptocurrency exchanges and services, VPS providers, and cloud data centre providers. The country has also requested that the relevant services keep users’ personal information and activity records for a period of time. The government also recommends that this process continue even if consumers opt out.
According to a recent press release from the Indian Computer Emergency Response Team (CERT-In), India’s Ministry of Electronics and Information Technology now requires all VPNs and similar service providers to log and preserve user data. Officials in the country face difficulties analysing data during various cybercrime investigations. These issues arise from “gaps” created by the use of services like VPNs.
CERT-In has noticed significant limitations in event analysis while dealing with cyber incidents and interacting with the constituency. As a result, CERT-In has required VPNs, VPS providers, cloud service providers, data centres, and crypto services to track and retain customers’ activity records under subsection (6) of section 70B of the Information Technology Act of 2000. Such a demand implies that customers’ data will be shared with the government. In an advisory, CERT-In goes into great detail about how this data sharing and log maintenance should take place.
What information should the providers log?
The relevant service must store and retain user logs for at least 5 years under the new guidance, even if users cancel their registration or service subscription. Here’s what the alert says regarding the data logs in particular.
Data centres, VPS providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers will be required to record the following factual information…
a. Validated names of subscribers/customers hiring the services
b. Period of hire including dates
c. IPs allotted to / being used by the members
d. Email address and IP address and time stamp used at the time of registration / on-boarding
e. Purpose for hiring services
f. Validated address and contact numbers
g. Ownership pattern of the subscribers / customers hiring services
(vi) The virtual asset service providers, virtual asset exchange providers and custodian wallet providers (as defined by Ministry of Finance from time to time) shall mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions.
The new directive directly contradicts the stated goals of services like VPNs, which promise online privacy. Failure to comply with this direction, however, will result in penalties under the same code. Today, many VPN companies have a stringent no-logs policy. As a result, sustaining operations in India would require them to compromise on this principle. Otherwise, they may be forced to leave the region.
Compliance with this guideline is practically difficult for some VPNs, such as NordVPN, Surfshark, and ExpressVPN, because they use RAM-based server networks. This means that the servers are unable to store user logs. We’ll have to wait and see how the firms react and what their next steps are.