The Indian government has ordered VPN companies to collect and hand over user data for at least five years. The country’s Computer Emergency Response Team (CERT-in) has also asked the same thing from data centers, cloud service providers, and crypto exchanges.
Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers, shall be required to register the following accurate information which must be maintained by them for a period of 5 years or longer duration as mandated by the law after any cancellation or withdrawal of the registration as the case may be:Ministry of Electronics and Information Technology
What user data will VPN companies send to the Indian government?
According to the Ministry of Electronics and IT, VPN companies are to collect and hand over the following user data to the Indian Government:
- Validated customer names.
- Physical addresses.
- Email addresses.
- Contact numbers.
- Customer’s reason for using the service
- Period of time when the customer has used the service, including dates.
- Ownership pattern of the subscribers/customers that are using the services.
- Customer’s email address, IP address, and time stamp used at registration/onboarding.
- All IP addresses issued to a customer by the VPN.
- A list of IP addresses used by the customer base generally.
According to the IT Ministry, this is to “coordinate response activities as well as emergency measures with respect to cyber security incidents.” They also said the law would become effective after 60 days on July 27, 2022.
As per the new law, failing to meet these demands could lead to imprisonment for up to a year. The Indian government has also asked VPN companies to keep user records even after canceling their subscription.