A screen depicting a blue representation of VPN with a finger on it
Source: TechRadar

India orders VPN companies and collect and hand over user data
This order from the government will forces VPNs to store user data for five years or more.

image depicting a yellow screen with a VPN logo and blue background
A new government order from India requires VPN companies to store and submit user data.
Source: PC Mag

Reports this week specify how virtual private network companies in India will need to collect extensive customer data, maintaining it for five years or more, under a new order. This new national directive is from the country’s Computer Emergency Response Team, called CERT-in. Apparently, it is a policy that would possibly make life challenging for VPN companies, along with its users.

On Thursday, the body under India’s Ministry of Electronics and IT announced that country’s VPNs would have to store certain aspects of the customers’ data. This includes their name, validated physical and IP addresses, patterns of usage, along with other types of personally recognisable data. The initial reports on the matter specify that whoever does not comply could possibly end up facing about a year in prison according to a governing law mentioned in the new directive.

Moreover, the directive does not exactly stop at VPN providers. Both, data centres and cloud service providers are listed under this provision itself. The firms would have store the customer information even after the user goes on to cancel their subscription or account. Finally, CERT-in would require these companies to report on the customers ‘unauthorised access’ to accounts on social media platforms.

How do VPNs work exactly?

VPNs, in most cases provide a no-logging policy, a public promise against logging, collecting or sharing their usage and browsing history. Top providers such as ExpressVPN and Surfshark work only with RAM disk servers and other log less technology. This indicates that the VPNs would be technically incapable of tracking the URLs listed in the new directive. Hence, if these VPNs are required to store customer registration data, or to track and report usage on platforms, many could end up running afoul of the law just by going on working.

India’s history with the online world:

India clearly has had a history of trying to regulate online activity such as banning 22 YouTube channels last month. Last year, platforms such as Facebook, Google, Twitter put an end to a serious stand off with the government as they complied with its extensive control over the contents on social media. Moreover, it banned more than 200 Chinese apps TikTok in 2020, finally banning 9,849 social media URLs.

Access Now, a digital rights advocacy group stated that the government imposed internet shutdowns accounted for about 60% of all government actions. Similarly, the directive witnessed significant spikes in VPN demand in India, reportedly affecting about 59.1 million users last year.