In India, virtual private network companies will be required to collect extensive customer data — and maintain it for five years or more — under a new national directive from the country’s Computer Emergency Response Team, known as CERT-in. It’s a policy that will likely make life more difficult for both VPN companies and VPN users there.
The body, under the country’s Ministry of Electronics and IT, announced Thursday that VPNs in the country will have to keep customer names, validated physical and IP addresses, usage patterns and other forms of personally identifiable information. As first reported by Entracker, those who don’t comply could potentially face up to a year in prison under the governing law cited in the new directive.
The directive isn’t limited to VPN providers. Data centers and cloud service providers are both listed under the same provision. The companies will have to keep customer information even after the customer has canceled their subscription or account. And, in all cases, CERT-in will require the companies to report on their users’ “unauthorized access to social media accounts.”
Most VPNs offer a no-logging policy, a public promise against logging, collecting or sharing customer usage and browsing data. Leading services like ExpressVPN and Surfshark operate only with RAM-disk servers and other log-less technology, meaning the VPNs would be theoretically incapable of monitoring for URLs listed in the directive. If VPNs in India are required under the new directive to keep customer registration data — or to monitor and report social media usage — many could potentially run afoul of the law simply by continuing to operate.
India has a history of applying a heavy hand to online activity.
In April, India banned 22 YouTube channels. In 2021, Facebook, Google and Twitter ended a tense stand-off with the Indian government when they largely complied with the government’s expanded control over social media content in the country. In 2020, the country banned over 200 Chinese apps, including TikTok, and ultimately banned 9,849 social media URLs.
The digital rights advocacy group Access Now reported last month that government-imposed internet shutdowns and disruptions in India accounted for 106 of a global total of 182 such government actions, or nearly 60%. The directive likewise follows notable spikes in VPN demand in India, where independent research firm Top10VPN estimates the shutdowns affected 59.1 million users in 2021.
The Ministry of Electronics and IT said in a release Saturday that the new directive is intended to help it deal with “certain gaps” that hinder it from responding to unspecified “cyber incidents and interactions with the constituency.”
Under the ministry’s full directive, VPN companies will be required to collect and report the following information:
- Validated customer names, physical addresses, email addresses and phone numbers.
- The reason each customer is using the service, the dates they use it and their “ownership pattern.”
- The IP address and email address used by a customer to register for the service, along with a registration time-stamp.
- All IP addresses issued to a customer by the VPN, and a list of IP addresses being used by its customer base generally.
The ministry’s full directive is slated to take effect on June 27, although the government may delay implementation to allow time for wider compliance.