The Computer Emergency Response Team of India, known as CERT-In, has asked companies offering Virtual Private Network services to collect and store information on Indian users for up to five years.

Furthermore, the collected information must also be shared with the Government. For now, VPN providers are the prime targets, but similar orders have been issued for data centres, Virtual Private Server (VPS) providers, cloud service providers, and cryptocurrency exchanges.

The information that needs to be stored and shared with the government includes:

  • Validated customer names, physical addresses, email addresses, and phone numbers.
  • The reason each customer is using the service, the dates they use it, and their “ownership pattern.”
  • The IP address and email address used by a customer to register for the service, along with a registration time-stamp.
  • All IP addresses issued to a customer by the VPN, and a list of IP addresses being used by its customer base generally.

It’s worth noting that companies need to retain the data for five years even if the user cancels their subscription. Companies that fail to comply with the new rules can face up to one year in prison.

A majority of mainstream VPN companies offer privacy and anonymity to the user. In fact, a no-log policy is one of the most important features offered by VPN providers. Clearly, after the implementation of this rule, companies will have to modify their business model.

The new law is slated to go live on June 27, but we can definitely see an extension to allow time for wider compliance.
