Reportedly, India now demands all VPNs, cryptocurrency exchanges and services, VPS providers, and cloud data center providers to log data. The country has also asked the relevant services to retain users’ personal details along with activity logs for several years. The government also urges that this practice should continue even after users unsubscribe.
India Asks VPNs, Crypto, And Others To Log Data
According to a recent press release from the Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics & IT, India, now urges all VPNs, and similar service providers to log and retain users’ data.
As elaborated, the country officials face trouble while performing data analysis during various cybercrime investigations. These problems arise due to the “gaps” emerging from the use of services like VPNs.
During the course of handling cyber incidents and interactions with the constituency, CERT-In has identified certain gaps causing hindrance in incident analysis.
Therefore, under the sub-section (6) of section 70B of the Information Technology Act, 2000, CERT-In has directed VPNs, VPS providers, cloud service providers, data centers, and crypto services to track and maintain users’ activity logs.
Indeed, such a demand indicates sharing of users’ data with the government. In fact, explaining the detailed situations in an advisory, CERT-In has elaborated on how this data sharing and log maintenance should happen.
What information should the providers log?
Under the new direction, the relevant service needs to maintain and retain user logs for at least 5 years, even upon users’ withdrawal of registration or service unsubscription. Specifically, here’s what the advisory states about the data logs.
Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers, shall be required to register the following accurate information…
a. Validated names of subscribers/customers hiring the services
b. Period of hire including dates
c. IPs allotted to / being used by the members
d. Email address and IP address and time stamp used at the time of registration / on-boarding
e. Purpose for hiring services
f. Validated address and contact numbers g. Ownership pattern of the subscribers / customers hiring services Page 4 of 8 (vi) The virtual asset service providers, virtual asset exchange providers and custodian wallet providers (as defined by Ministry of Finance from time to time) shall mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions
The new directive clearly conflicts with the intended purposes of services like VPNs that pledge online anonymity. Whereas, failure to comply with this directive would subject the companies to punishments under the said code. Numerous VPN providers today boast a strict no-logs policy. Hence, continuing their operations in India would mean that they have to compromise this policy. Otherwise, they might have to consider exiting the region.
Whereas, for some other VPNs like NordVPN, Surfshark, and ExpressVPN, complying with this policy is nearly impossible since they maintain RAM-based server networks. It means that the servers are incapable of retaining user logs.
We are yet to see how the companies would respond and decide their next steps in this regard.