Crypto exchanges, cloud services, and VPN providers with operations in India find themselves at a crossroads. Under the Indian government's new CERT-in rules, VPNs and other data handlers will be required to log user data, as well as store their information for five years. Moreover, providers will be required to report any cyber incidents to the Indian government within 6 hours.
The short of it is that the Indian IT Ministry requires all this data to "help fight cybercrime," as is always the case when governments seek to deny their citizens the right to privacy. We've seen this happen before when the Five Eyes nations tried to impose encryption backdoors back in 2018. As it happens, India and Japan also joined in on those demands.
In any case, this new move would essentially nullify any privacy benefits of VPNs. Moreover, crypto and cloud services would be at risk of shutting down (or at least greatly restricting) local operations due to user privacy concerns. A quick glance at the new data collection rules will confirm these suspicions.
First off, let's take a look at what information VPNs and data centers need to collect from their users.
VPN Data Logging in India - What's Being Collected?
Quite a lot, actually. All info sourced directly from the CERT-in directives document, dated April 28, 2022:
- Full subscriber name, address, and contact number(s).
- Email and IP address used during registration, plus time stamp.
- IP addresses used by individual customers, and the subscriber base in general.
- Reason for using the VPN service, dates of usage, and "ownership pattern."
Most of these are fairly straightforward: the IT Ministry wants to know the who, what, when, and where of every VPN's user base. The "ownership pattern" bit seems intentionally vague, though. If we were to take an educated guess, a user's ownership pattern is just code for full online activity. That includes:
- Browsing and download history
- Network app usage (e.g., WhatsApp, Instagram, Netflix, etc.)
- Any encrypted or unencrypted communication
In other words, every bit of data that a VPN is supposed to hide from the prying eyes of hackers, ISPs, and the Indian government.
Mandatory Cyber Security Incident Reports
We've previously published a full list of cyber incidents that VPNs and other companies need to report to the Indian government, along with responses from ExpressVPN and NordVPN on the whole debacle.
Most of these align with India's intention of combating cybercrime. VPNs have to report incidents of phishing, malware use, DoS attacks, social media hacking attempts, injecting malicious code into websites, and more.
However, some of the points in the CERT-in directive aren't as clear-cut as the rest. For example, one of them vaguely states "data leak." One would assume this refers to hackers leaking user data online after a breach, doxxing, and similar scenarios.
But what's stopping the Indian government from going after individuals who may leak data uncovering political corruption? After all, they're no strangers to arresting activists for "attacks on democracy" and sparking outrage among the public for it.
VPNs play a huge part in protecting the identity of investigative journalists and their sources, activists, whistleblowers, and more. The new CERT-in directive basically gives the government a free pass to monitor and silence opposition. We're pretty much seeing a repeat of the National Security Law in Hong Kong from back in 2020.
Unfortunately, existing whistleblower protections in India may not be enough to counteract the possible effects of this law. Major VPN providers have already reported that they will monitor the situation and would remove their servers in the area if given no other option.