How India’s new VPN rules change the status quo

News: On 28 April 2022, the Indian Computer Emergency Response Team (Cert-In) issued new directives that require Virtual Private Network (VPN) providers to store user data for five years.

What does the directive say?

Under the new directions,

Storage of user data:

VPN providers will need to store validated customer names, their physical addresses, email ids, phone numbers, and the reason they are using the service, along with the dates they use it and their “ownership pattern”.

In addition, Cert is asking VPN providers to keep a record of the IP and email addresses that the customer uses to register for the service, along with the timestamp of registration.

Most importantly, however, VPN providers will have to store all IP addresses issued to a customer and a list of IP addresses that its customers generally use.

What does this mean for VPN providers?

VPNs basically obscure a person’s internet usage by bouncing the connection off multiple servers. A log of these servers can easily lead law enforcement agencies back to the original user.

That is why most top VPN operators provide a “no logging” service—at least for paying users. This means they do not keep logs of the user’s usage history or the IP addresses of servers involved. Such services could be in violation of Cert’s rules by simply operating in India.

However, ‘no logs’ does not mean zero logs. VPN services still need to maintain some logs to run their service efficiently.

The Indian government has not banned VPNs yet, so they can still be used to access content that is blocked in an area, which is the most common usage of these services. However, journalists, activists, and others who use such services to hide their internet footprint will have to think twice about them.

What does it mean for users?

For law enforcement agencies, a move like this will make it easier to track criminals who use VPNs to hide their internet footprint.

Potential misuse

Experts have pointed out that governments and their agencies can easily misuse such a rule, and it may actually drive such users towards the dark and deep web, which are much tougher to police than VPN services.

It is also unclear whether the Centre will use this to take action against users accessing content that is blocked in India using VPNs, such as the game PUBG Mobile.

Source: This post is based on the article “How India’s new VPN rules change the status quo” published in Livemint on 6th May 22.
