Hot potato: VPN users expect services to protect their privacy, but a new directive in India will require companies not only to collect large amounts of user data, but also to store it for five years and share it on request. The regulation applies to virtual private network providers, data centers, cloud service providers and crypto exchanges.
According to Intrackernew national directive from the Indian Computer Emergency Response Team, known as CERT-in, is an attempt to “coordinate response as well as emergency response to cyber security incidents.”
Companies, including VPN providers, must record customer names, usage patterns, contact information, verified IP addresses and physical addresses, and the purpose for which they hire services.
India’s Information Technology Minister has no idea how privacy or a VPN works. CERT-IN has no history of action on public issues. Giving him wide powers without oversight is a bad idea. https://t.co/8Y5cKGMCXb
— Srinivas Kodali (@digitaldutta) April 30, 2022
Another part of the directive states that companies must retain customer information even after they cancel their accounts or subscriptions. In addition, organizations must report “unauthorized access of any user to social media accounts.”
CERT-in claims that the requirements are such that the agency can respond to cyber incidents within six hours of their discovery. The directive is clearly not welcomed by users of these services, but companies providing them may not have much choice: failure to comply with requests for information can result in one year in prison.
Most VPNs offer no logs a policy that they don’t keep logs of customer online activities, and even those that do do so only temporarily. Due to the threat of legal action, some of these providers may be forced to leave the Indian market due to new regulations.
The directive is due to come into effect on June 27, although this could be delayed to give companies more time to comply with the rules.
Image credit: welcome
Credit: www.techspot.com /