Recently the Indian Computer Emergency Response Team commonly known as CERT-In issued a directive in which they directed VPN service providers in India to collect and store customer data for a period of five years. This mandate is equally applicable to cloud service providers, virtual private servers, and data centers located or operating in India. These intermediaries and service providers have been strictly instructed to maintain accurate customer registration details and logs of accessing their services.
According to Section 67C of the Information Technology Act, 2000 & Amendment 2008 intermediaries are required to retain information for a specified period and in the form specified by the Hon’ble Central Government. Otherwise, there is a provision for punishment with imprisonment of description for a term of three years and also with a fine. In the directive issued by CERT-In, they have specified VPN and such service providers to store the names, addresses, contact numbers, and email addresses of their customers for a time period of five years. They have also instructed intermediaries to store the timestamp and IP address of the user used at the time of registration.
Benefits of sanctioning this Directive by CERT-In
Most premium VPN service providers have a zero-log policy to protect customer privacy and anonymity. However, during the analysis and handling of cyber incidents, law enforcement agencies and investigators are facing gaps. The directive policy issued by the Computer Emergency Response Team will make it easier for the government and investigating personnel to overthrow such gaps. This will help the Indian Government to track and take appropriate actions against the culprits involved in such cyber incidents.
Earlier, most VPN service providers used to hide the presence of users on the Internet. Internet service providers and other third parties or governments were not able to see the activities of the users on the Internet. Law Enforcement Agencies were unable to analyze users on which websites or resources they accessed or shared the media on the Internet. However, after this mandate, the primary function of VPN service providers is to hide the user’s IP from the ISP and third-party websites, but not from the government.
This order shall become effective after 60 days from the date of issue of this direction. VPN Service Providers in India that fail to meet the specified criteria or find any non-compliance may invite penal action against themselves. Some popular VPN providers such as Nord have warned that India’s new rule on virtual private networks to store their user’s data could force them to shut down their servers located in the Indian geographical location.
Kindly read more articles related to Cyber Attacks :