On 28 April, the Indian Computer Emergency Response Team (Cert-In) issued new directives, first reported by Mint, that require Virtual Private Network (VPN) providers to store user data for five years. What does that mean? Mint explains:
What does the directive say?
Under the new directions, VPN providers will need to store validated customer names, their physical addresses, email ids, phone numbers, and the reason they are using the service, along with the dates they use it and their “ownership pattern”. In addition, Cert is also asking VPN providers to keep a record of the IP and email addresses that the customer uses to register the service, along with the timestamp of registration. Most importantly, however, VPN providers will have to store all IP addresses issued to a customer and a list of IP addresses that its customers generally use.
What does this mean for VPN providers?
VPNs basically obscure a person’s internet usage by jumping the signal off multiple servers. A log of these servers can easily lead law enforcement agencies back to the original user. That is why most top VPN operators provide a “no logging” service—at least for paying users. This means they do not keep logs of the user’s usage history or the IP addresses of servers involved. Such services could be in violation of Cert’s rules by simply operating in India. That said, it is worth noting that ‘no logs’ does not mean zero logs. VPN services still need to maintain some logs to run their service efficiently.
Does this mean VPNs will become useless?
No. The Indian government has not banned VPNs yet, so they can still be used to access content that is blocked in an area, which is the most common usage of these services. However, journalists, activists, and others who use such services to hide their internet footprint will have to think twice about them.
What kind of data do VPNs log?
What does it mean for users?
For law enforcement agencies, a move like this will make it easier to track criminals who use VPNs to hide their internet footprint. But experts have pointed out that governments and their agencies can easily misuse such a rule. They also pointed out that this may actually drive such users towards the dark and deep web, which are much tougher to police than VPN services. It is also unclear whether the Centre will use this to take action against users accessing content that is blocked in India using VPNs, such as the game PUBG Mobile.