India’s IT ministry has ordered VPN companies to collect and store user data for at least five years, according to a new report released last week. CERT-In, or the Computer Emergency Response Team, also instructed data centers and crypto exchanges to collect and store user data for the same period to coordinate response activities and emergency measures related to cybersecurity in the country.
Failure to comply with the requirements of the Ministry of Electronics and Computing could lead to a prison sentence of up to one year, according to the new law. Companies are also required to track and maintain user records even after a user has canceled their subscription to the service.
How does this affect internet users in India?
Many people in India use VPN services to maintain a layer of privacy. VPNs, or virtual private networks, protect users from website trackers that can collect data such as a user’s location. Paid VPN services, and even some free ones, often offer a no-logs policy. This gives users complete privacy because the services themselves run on RAM-only servers, preventing any storage of user data beyond what is held temporarily in memory.
If the new change is implemented, companies will be forced to switch to storage servers, which will allow them to log user data and store it for the set duration of at least five years. The move to storage servers will also mean higher costs for businesses.
For the end user, this translates to less privacy and possibly higher costs. Since the data is recorded, it would be possible to track your browsing and downloading history. Meanwhile, paid VPN services may increase the cost of subscription plans to cover the expense of the new storage servers they now need to use.
When can you expect change?
The new laws are expected to come into force 60 days after their publication, which means that they could come into force from July 27, 2022.
What data will VPN companies send to the government?
CERT-In would require companies to report a total of twenty vulnerabilities, including unauthorized access to social media accounts, computer systems, attacks on servers, and more. See the full list of twenty vulnerabilities below.
1. Targeted analysis/probing of critical networks/systems.
2. Compromise of critical systems/information.
3. Unauthorized access to computer systems/data.
4. Defacement of a website or intrusion into a website and unauthorized modifications such as the insertion of malicious code, links to external websites, etc.
5. Malicious code attacks such as the spread of viruses/worms/Trojans/bots/spyware/ransomware/cryptominers.
6. Attack on servers such as database, mail and DNS and network devices such as routers.
7. Identity theft, impersonation and phishing attacks.
8. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
9. Attacks against critical infrastructure, SCADA and operational technology systems and wireless networks.
10. Attacks on applications such as e-governance, e-commerce, etc.
11. Data breach.
12. Data leakage.
13. Attacks against Internet of Things (IoT) devices and related systems, networks, software and servers.
14. Attacks or incidents affecting digital payment systems.
15. Attacks via malicious mobile applications.
16. Fake mobile apps.
17. Unauthorized access to social media accounts.
18. Malicious/suspicious attacks or activities affecting cloud computing systems/servers/software/applications.
19. Malicious/suspicious attacks or activities affecting systems/servers/networks/software/applications related to big data, blockchain, virtual assets, virtual asset exchanges, custodial wallets, robotics, 3D and 4D printing, additive manufacturing, drones.
20. Attacks or malicious/suspicious activities affecting systems/servers/software/applications related to artificial intelligence and machine learning.