The Indian IT Ministry has ordered VPN companies to collect and store users’ data for a period of at least five years, as per a new report published last week. CERT-in, or the Computer Emergency Response Team has also asked data centers and crypto exchanges to collect and store user data for the same period to coordinate response activities and emergency measures related to cyber security in the country.
Failing to meet the Ministry of Electronics and IT’s demands could lead to imprisonment of up to a year, as per the new governing law. Companies are also required to keep track of and maintain user records even after a user has canceled his/her subscription to the service.
How does this affect Internet users in India?
Many resort to VPN services in India to maintain a layer of privacy. VPNs or virtual proxy networks allow users to stay free of website trackers that can keep track of data like a user’s location. Paid VPN services and even some good free ones, often offer a no-logging policy. This allows users to have full privacy as the services themselves operate on RAM-only servers, preventing any storage of user-data beyond a standard temporary scale.
If the new change is implemented, companies will be forced to switch to storage servers, which will allow them to log in user-data and store it for the set term of at least five years. Switching to storage servers will also mean higher costs for the companies.
For the end-user, this translates to lesser privacy and perhaps, higher costs. With data being logged, it would be possible to track your browsing and download history. Meanwhile, paid VPN services may increase cost of subscription plans to cover expenses of the new storage servers that they must now use.
When can you expect the change?
The new laws are expected to come into action from 60 days of being issued, which means they could kick in from July 27, 2022.
What data will VPN companies be sending to the government?
CERT-in will reportedly require companies to report a total of twenty vulnerabilities including unauthorised access of social media accounts, IT systems, attacks on servers and more. Check a full list of the twenty vulnerabilities below.
1. Targeted scanning/probing of critical networks/systems.
2. Compromise of critical systems/information.
3. Unauthorised access of IT systems/data.
4. Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious code, links to external websites etc.
5. Malicious code attacks such as spreading of virus/worm/Trojan/Bots/Spyware/Ransomware/Cryptominers.
6. Attack on servers such as Database, Mail and DNS and network devices such as Routers.
7. Identity Theft, spoofing and phishing attacks,
8. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
9. Attacks on Critical infrastructure, SCADA and operational technology systems and Wireless networks.
10. Attacks on Application such as E-Governance, E-Commerce etc.
11. Data Breach.
12. Data Leak.
13. Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers.
14. Attacks or incident affecting Digital Payment systems.
15. Attacks through Malicious mobile Apps.
16. Fake mobile Apps.
17. Unauthorised access to social media accounts.
18. Attacks or malicious/ suspicious activities affecting Cloud computing systems/servers/software/applications.
19. Attacks or malicious/suspicious activities affecting systems/ servers/ networks/ software/ applications related to Big Data, Block chain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones.
20. Attacks or malicious/ suspicious activities affecting systems/ servers/software/ applications related to Artificial Intelligence and Machine Learning.