India Orders VPN Companies to Collect and Share User Data

A new directive from India’s Computer Emergency Response Team (CERT-in) will require that various online services and companies collect their customers’ data. Companies will also have to store that data for 5 years and hand it over when the authorities request it.

CERT-in, which falls under the umbrella of the country’s Ministry of Electronics and IT, made the announcement on April 28, 2022. This decision affects all VPNs, as well as cloud service providers, crypto exchanges and wallet providers, and data centers that operate in the country.

If No. 20(3)/2022-CERT-In is enacted, the amendment puts the data of every Indian at risk and makes it easier for Indian authorities to monitor citizens’ online behavior.

CyberGhost has removed its physical servers from India. To protect our Ghosties’ online privacy, we have shut down our physical infrastructure in India, and we now offer virtual locations.

India’s Data Directive Invades Citizens’ Digital Privacy

This move is clearly politically motivated. Under this directive, companies will be forced to report “unauthorized access to social media accounts.” CERT-in doesn’t provide a definition for what counts as “unauthorized access,” but it may refer to banned social media platforms. The Indian government has banned social media platforms in the past and reports indicate it may have similar plans for the future.

Screenshot of India's new data collection directive on the CERT-in website

Traditionally, VPNs offer a way for citizens to get around those types of bans, but this new law will effectively cut off that avenue. Indian citizens who try to access banned social media sites via a VPN will have to be reported. It’s still unclear at the time of writing what Indian authorities will do with these reports.

Companies will have to log customer data and keep it for half a decade – even after a customer stops using their service. Indian authorities claim this move is directed at fighting rising cybercrime. Any company that fails to comply with this law, which takes effect on 27 June, faces up to a year of imprisonment.

“CERT-In has identified certain gaps causing hindrance in incident analysis,” the Ministry of Electronics and IT said in a press release. This new directive is intended to fill those gaps so the body can better handle “cyber incidents and interactions with the constituency”. Neither the Ministry nor CERT-in has identified or clarified what these incidents or interactions refer to.

Under the new CERT-in directive, companies need to provide the following information to Indian authorities:

    • Validated customer names.
    • Physical and IP addresses (including IPs allotted to customers by VPNs).
    • Period of hire, including dates.
    • Email address and IP address and time stamp used at the time of registration / on-boarding.
    • Contact numbers.
    • Internet usage patterns.
    • Unauthorized access to social media accounts.
    • Purpose for hiring services.
    • Ownership pattern of the subscribers / customers hiring services.

All of these details and more have to be collected and reported to CERT-in for security purposes, according to the government body. How that information will be used, stored or kept secure has not been disclosed by CERT-in. It’s also unclear how collecting Indian citizens’ personal data and information like their reason for using a service will help the body fight cybercrime.

How Does No. 20(3)/2022-CERT-In Affect Indian Citizens and Companies?

Indian citizens have used VPNs for years to access content, protect their privacy, and prevent data brokers from collecting their personal information. VPN usage surged whenever the Indian government blocked or banned various websites and social platforms in the past. Recently, India temporarily banned TikTok and WeChat (in 2020) and strong-armed Twitter into reducing the visibility of hashtags and accounts during the 2021 farm protests.

The CERT-in directive doesn’t specify how this affects companies that offer services in the country but aren’t based in India. That means it’s still unclear how the law will be applied to any international companies that don’t comply by collecting and handing over customer data. It could result in Modi’s government banning access to those services and websites via ISPs.

Many citizens and digital experts are concerned about the future of personal privacy in democratic India. This new directive provides the Indian government with unfettered leeway to monitor and control citizens’ access to the internet. In the past, laws that propose drastic changes related to the flow of information have preceded other, often harsher, laws intended to curb and control the public.
