India Orders VPN Companies to Log & Hand Over User Data

• The Indian IT ministry has mandated all VPN companies to collect and turn in user data for 5 years or face a jail term.
• This includes validated names and contact info of customers, along with their assigned IP addresses, and more.
• The new law will likely be effective from July 27, 2022.

The Indian government has passed new legislation requiring all VPN service providers to preserve a 5-year record of their users. On April 28, 2022, the Indian IT ministry asked all VPN companies to log and send over user data, including IP addresses assigned to customers. The new limitation undermines the very foundations of a VPN, rendering it counterproductive for a lot of users.

Computer Emergency Response Team (CERT-in) has argued that this move is being made to fight cybercrime in the country. The government said that “During the course of handling cyber incidents and interactions with the constituency, CERT-In has identified certain gaps causing hindrance in incident analysis.” The order will become effective after 2 months (July 2022), and according to the new law, failure to comply could lead to a year’s imprisonment.

VPN providers must log and preserve the following user information for at least 5 years under the new regulations: Name, email address, and phone number, the purpose for using the VPN service, IP addresses allotted to the customer, as well as the IP address which the customer used to sign up with the service, and the ownership pattern of the customers. Companies must also keep track of and maintain user records even after a user cancels a subscription to the service.

While the above information can certainly help the government track down individuals who are using VPNs for malicious activities, it also heavily compromises the privacy of all VPN users and undermines the main selling point and the existence of a VPN.

VPNs are primarily designed for the purpose of concealing your IP address from third parties and your ISP. These tools provide users with a shadow IP address and help them access content that may be geo-restricted. It also safeguards your privacy online and protects you from breaches with strong encryption protocols. Most VPNs have a strict no-log policy, like ExpressVPN, and NordVPN, among others. These tools usually operate with RAM-disk servers and other log-less technology. If data collection is made mandatory, tracking your browsing history would be very easy. 

The new directive applies to data centers, Virtual Private Server (VPS) providers, VPN Service providers, Cloud service providers; KYC norms and practices by virtual asset service providers, virtual asset exchange providers, and custodian wallet providers. Cyber security incidents must be reported within 6 hours of occurrence, and critical user data must be turned over as directed to the authorities.

The virtual asset service providers, virtual asset exchange providers, and custodian wallet providers also need to maintain KYC details and financial transaction records of customers for a period of 5 years.

All service providers, intermediaries, data centers, body corporate, and Government organizations shall connect to the Network Time Protocol (NTP) Server of National Informatics Centre (NIC) or National Physical Laboratory (NPL) or with NTP servers traceable to these NTP servers, for
synchronization of all their ICT systems clocks.

Service providers, intermediaries, data centers, body corporate, and Government organizations must report the following cyber security incidents to the CERT-In:

• Targeted scanning/probing of critical networks/systems.
• Compromise of critical systems/information.
• Unauthorised access of IT systems/data.
• Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious code, links to external websites etc.
• Malicious code attacks such as spreading of virus/worm/Trojan/Bots/Spyware/Ransomware/Cryptominers.
• Attack on servers such as Database, Mail and DNS and network devices such as Routers.
• Identity Theft, spoofing and phishing attacks,
• Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
• Attacks on Critical infrastructure, SCADA and operational technology systems and Wireless networks.
• Attacks on Application such as E-Governance, E-Commerce etc.
• Data Breach.
• Data Leak.
•  Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers.
• Attacks or incident affecting Digital Payment systems.
•  Attacks through Malicious mobile Apps.
• Fake mobile Apps.
• Unauthorised access to social media accounts.
• Attacks or malicious/ suspicious activities affecting Cloud computing systems/servers/software/applications.
• Attacks or malicious/suspicious activities affecting systems/ servers/ networks/ software/ applications related to Big Data, Block chain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones.
• Attacks or malicious/ suspicious activities affecting systems/ servers/software/ applications related to Artificial Intelligence and Machine Learning.

In response to this mandate, VPN companies are refusing to log user information, and some are contemplating halting their operations in India. TechNadu contacted ExpressVPN's Harold Li, VP of Communications & Brand Strategy, and received the following quote:

We also contacted NordVPN, and this is what Laura Tyrylyte, Head of Public Relations at Nord Security, said:

We are keeping a close eye on the situation as it evolves, but want to be clear that ExpressVPN is fully committed to protecting our users’ privacy, including by never logging user activity, and will adjust our operations and infrastructure to preserve this principle as necessary

— ExpressVPN (@expressvpn) May 5, 2022