Last Updated on May 9, 2022 by Anu Joy
Virtual private network (VPN) service providers aren’t too happy with the Ministry of Electronics and Information Technology. The Ministry’s wing, Indian Computer Emergency Response Team (CERT-In), has mandated that firms offering VPN services must maintain all customer data for five years and be ready to share them with the government authorities when required. This goes against the user privacy model that is the foundation of such services.
New VPN Order To Come Into Effect From June 28
Subscribe to Onsitego
Get the latest technology news, reviews, and opinions on tech products right into your inboxAfter passing the order last week, CERT-In is getting ready to enforced it from June 28. The directive requires VPN service providers to maintain a database of user’s names, email IDs, and IP addresses for a period of five years or longer, even if the customer discontinues the service. The agency reportedly believes that keeping such logs could help solve cybercrime incidents in India.
The order directs service providers to hand over the logs to CERT-In when required. Failing to do so, the firm will have to suffer punitive action under sub-section (7) of the section 70B of the IT Act, 2000.
Laura Tyrylyte, Head of Public Relations at Nord Security told Gadgets 360 that the company may remove their servers from India if there’s no change in the directive, as the new orders are in direct opposition with the firm’s promise of protecting user privacy.
VPN Directive Loophole?
Legal experts say that the order is vague and doesn’t detail the consequences of failing to comply with the directive. Prateek Waghre, Policy Director at the Internet Freedom Foundation (IFF) found a loophole in the order—it doesn’t mention if VPN service providers that do not operate under an Indian IP will have to obey the new policy.
It remains to be seen if the Indian government catches on and tweaks the directive. Ironically, the order will spell doom for users who regularly use VPN to avoid being tracked by shady websites and cybercriminals.
Discussion about this post