India to force VPN companies to hand over user data
A wealth of customer data will need to be stored for a minimum of five years
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Using your favoriteVPNin India may soon be impossible thanks to new regulations that will require VPN providers to collect and store a wide range of data on their customers for a period of five years.
As reported byENTRACKR, the Computer Emergency Response Team (CERT-in) which is under the control of the country’s Ministry of Electronics and Information Technology has issued anew set of directionsin an effort to “coordinate response activities as well as emergency measures with respect to cyber security incidents.
Share your thoughts on Cybersecurity and get a free copy of the Hacker’s Manual 2022.Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at theend of this surveyto get the bookazine, worth $10.99/£10.99.
VPN providers aren’t the only companies that will be required to store customer data though as the directions also apply to data centers, cryptocurrency exchanges and Virtual Private Server (VPS) providers as well.
Beginning in June of this year, companies in these industries will be required to register customer names, customer ownership patterns, customer contact information and the reason they have purchased their services in the first place.
Improving cyber incident response at a cost
CERT-in’s new order appears to be aimed at ensuring the government agency can respond to all manner of cyber incidents within six hours of their discovery. While the order itself may be well-intentioned, the range of data CERT-in is asking organizations to store and provide upon request is quite unusual.
CERT-in requires organizations to report data breaches, fake mobile apps, attacks on server infrastructure and even unauthorized access to a user’ssocial mediaaccounts. Additionally, businesses that fail to provide the necessary information are governed by Section 70B(7) of theIT Actwhich could lead to up to one year in prison.
Ban VPN services in India, says parliamentary panel>Bitcoin in India could be banned again in crackdown on cryptocurrencies>India picks tiny video conferencing start-up to replace Zoom
Another snag in the Indian government’s plan is that most VPNs have a ‘no-logs policy’ or at the very least, only keep user data temporarily. As a result of CERT-in’s new directions, many VPN providers and other IT companies could potentially stop doing business in India as they can no longer legally operate in the country.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
The new directions will go into effect at the end of June unless the window for compliance is extended which very well could be the case. Until then though, consumers and businesses in the country should pick up one of thebest India VPNswhile they still can.
ViaENTRACKR
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
Should your VPN always be on?
3 reasons why PIA fell in our best VPN rankings
Anker Nebula Mars 3 review: A powerful and truly portable projector
