The Indian government recently passed a rule requiring all VPN service providers to collect and store user data for up to five years, which runs counter to the primary mission of most such networks.
Now the VPN providers are bracing for a battle with the authorities over new regulations that will alter how they operate in India.
THE NEW RULE
Titled “Directions under sub-section (6) of section 70B of the Information Technology Act, 2000 relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet”, the new directive from the Indian Computer Emergency Response Team (CERT-In) under the Ministry of Electronics and Information Technology was released on April 28.
Cybersecurity expert Sandip Kumar Panda, who is the CEO and Co-Founder of Instasafe, told News18: “While everyone is still waiting for a clear Data Privacy Law in this country, such a quietly issued new directive requiring an array of technology companies to start logging user data is creating more confusion among the service providers.”
Currently, different service providers have different policies and takes on user data, he said. “Some of the biggest VPN companies state they collect only minimal information about their users and also allow for ways for their users to remain largely anonymous. Hence, their internal rules are now set to bring them into a confrontation with the IT ministry,” he explained.
Panda said the list of data points that the government has directed providers to store is quite exhaustive, and that storing these data points for such a long period will cost VPN vendors enormously, since they would have to store them in the cloud. Moreover, these guidelines would also require them to change their product, which will be a major nuisance for the VPN providers, he added.