Recently, the government of India has asked the Virtual Private Network (VPN) or cloud services providers to collect and store ‘extensive and accurate’ data of their customers for five years.
According to an order released on April 26, data centres, virtual private server (VPS) providers, cloud service providers and VPN service providers need to register the accurate information related to subscriber names, customers hiring the services, ownership pattern of the subscribers etc, and maintain them for five years or longer duration as mandated by the law.
READ | Here’s how you can easily record voice calls on WhatsApp – Check step-by-step guide
Under the new directive formulated by CERT-IN, a department with the IT Ministry, VPN companies will need to hand over this information to the government if asked.
The government said the move was an effort to “coordinate response activities as well as emergency measures with respect to cyber security incidents” and help it fill “certain gaps” that cause hindrance in handling cyber threats.
What are VPNs?
A VPN or Virtual Private Network allows a user to browse the internet while protecting their identity including masking their device’s IP address, encrypting their data, and routing it through secure networks in other states or countries.
Generally, VPNs are used by journalists and activists across the world to bypass government censorship and safely browse the internet. However, people also use VPNs for various reasons including accessing a banned porn website or avoiding getting tracked by all the advertisers.
How do new rules impact users?
The new rules by CERT-In are going to impact users in the way they use the data.
According to experts, this directive does not only defeat the purpose of VPNs but is also possibly aimed at state-sponsored surveillance and cybersecurity.
Meanwhile, Internet Freedom Foundation, a digital rights group in India, calls these rules excessive.
In a note it says, “Issued without public consultations, these directions raise serious concerns related to state-sponsored surveillance and data retention beyond need or purpose. Therefore, we call on CERT-In to recall these directions.”
READ | Android vs iPhone: New study reveals smartphone users of this company are better drivers
CERT-In is empowered under section 70B of the Information Technology Act to collect, analyse and disseminate information on cyber security incidents.
CERT-In said that during the course of handling cyber incidents and interactions with the constituency, it has identified certain gaps causing hindrance in the analysis of breach incidents.