The Indian Computer Emergency Response Team (CERT-In) of the Department of Electronics and Information Technology has issued an order that will come into force on June 28 unless the government delays it because of slow compliance. The decision is intended to "coordinate response activities as well as emergency measures with respect to cybersecurity incidents in the country." Here's all you need to know about the move.
CERT-In said that the order has been issued under section (6) of the Information Technology Act, 2000. It stated that VPN services, including data centres, virtual private server (VPS) providers, and cloud service providers, will be required to register and maintain accurate information of their services for five years or longer, according to the law. "It's condition of the law following any cancellation or the registration as the case."
The user information consists of the valid names of subscribers, the duration of their subscription to the service, the IPs allocated to and used by them, the email address and IP address as well as the exact time recorded during registration, the purpose of subscribing, verified address and contact numbers, and the ownership pattern of the subscribers signing into the service.
In the event of a catastrophe, the service providers will be required to provide the information as required by CERT-In.
Failure to provide the information or non-compliance with the order may result in "punitive action" under paragraph 7 of the IT Act, 2000, and other laws, according to the national agency.
Although the exact reason for the order has not been stated, CERT-In said that the issued instructions would address "the identified gaps and problems" in order to include emergency response measures.
The expansion of India's Internet base is key to the development of cybersecurity issues in the country. One of the major issues involved is the lack of awareness among the general public on how they should avoid becoming a victim of cybercriminals. For this reason, the ministry's agency has forced service providers, intermediaries, data centres, and government departments to disclose vulnerabilities within six hours.
Nonetheless, directing VPN providers to collect and share information about their subscribers is strange, as the primary objective of obtaining a VPN service is to avoid leaving any trace behind. Most VPN providers follow no-logs practices and often actively promote that they don't keep users' activity data, although some of them collect anonymised analytics data to troubleshoot and fix connection failures.
In such a scenario, it is unclear how some of the world's most popular VPN service providers will be able to comply with the government's order. It is also unclear whether the directions will be applicable to all service providers or only to those who are based in India.
The order will come into force starting in late June, although it may entail some delay in its implementation as the majority of participants are likely to take time to comply with the instructions. The same order also requires crypto exchanges in the country to store user data for at least five years.
This is not the first time VPN service providers have come into the limelight in the country. A parliamentary committee last year urged the government to permanently block VPNs to limit cybercrimes. In addition, telecom operators like Reliance Jio were also seen restricting access to certain VPN services and proxy websites in the country in 2019.