The Government of India has ordered Virtual Private Network (VPN) providers to log and share user data with the government.
According to a new directive (PDF) from the Computer Emergency Response Team (CERT) (via PIB), VPN providers will need to capture and store five years of user data as well as share it with the government. The directive also ask companies to store and maintain a database even if the user cancels the subscription. While VPN providers are the primary target, the notice also covers Data Centres, Virtual Private Server (VPS) and Cloud Service providers. The directive also notes that those who will not comply with the rules can face up to one year in prison.
The new law asks the service providers to store and share the following information with the government:
Name, email address and phone number
The customer’s purpose for using the VPN service
The IP addresses allotted to the customer and the IP address the customer used to sign up with the service
The “ownership pattern” of the customer
Period of hire including dates
Many VPN providers offer a no-log policy to provide anonymity to their customers. This means that leading VPN providers will be in breach of the government's new directive. Moreover, the law undermines the major selling point of a VPN which is to offer privacy and anonymity to the user.
The new law is slated to go live on June 27 but we may see the government provide an extension allowing companies to modify their business model to comply with the rules.