Blog

The Government of India has recently passed a law mandating all VPNs to collect and hold user data for up to five years, and this means the end of VPNs as we know them.

According to a press statement from the Indian Computer Emergency Response Team (CERT-In), the body, monitored by the Ministry of Electronics and Information Technology (MeitY), has issued directions relating to information security practices, procedures, prevention, response and reporting of cyber incidents under the provisions of sub-section (6) of section 70B of the Information Technology Act, 2000.

These directives will be in effect from June 27, 2022.

Under clause (v) of the directions, the government has now mandated that Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers have to collect and store the following information for five years or longer:

• Validated names of subscribers/customers hiring the services
• Period of hire including dates
• IPs allotted to/being used by the members
• Email address and IP address and time stamp used at the time of
• Registration/on-boarding
• Purpose for hiring services
• Validated address and contact numbers
• Ownership pattern of the subscribers/customers hiring services

All around the world, VPNs are used by both individuals and companies to encrypt their data over the internet and protect themselves with the anonymity and encryption that comes with them.

However, this means that the anonymity of a user using a VPN or a VPS does not exist anymore for users in India. Companies will also have to report “unauthorized access to social media accounts” as part of the directive.

What is more concerning here is the fact that even though a person deletes an account or cancels the subscription, their usage data will still have to be held.

Further, CERT-In has also issued similar data collection directives for crypto exchanges and other payments-related services as well.

“The virtual asset service providers, virtual asset exchange providers and custodian wallet providers (as defined by the Ministry of Finance from time to time) shall mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for a period of five years so as to ensure cyber security in the area of payments and financial markets for citizens while protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets,” clause (vi) read.

The companies can’t afford to be in defiance of these demands either, as non-compliance can lead to up to a year in jail.

VPNs are built on the foundation of not holding, collecting, or recording any user data on the customers that use its services. That is the whole point of a VPN. A VPN works by decoupling the web addresses you visit from your IP address, which means the demand from the government to collect customer information and activity-related information goes fundamentally against the idea of a VPN.

Some VPN companies deploy RAM-only servers that are wiped clean every time they are restarted; since that happens often, customer data is regularly and automatically erased. Most of the famous VPNs such as NordVPN, Surfshark, and ExpressVPN all have RAM-only servers. Therefore, these VPNs will have to comply at a significant cost to them, because they will have to introduce new servers that store user data.

While India has not condemned VPNs to illegality, it has taken steps to ensure that people are discouraged from using VPNs; this is the same treatment India has given to cryptocurrency and the whole crypto ecosystem, by systematically freezing them out so that they can’t be usable enough to meaningfully penetrate the market.

India’s action on VPNs will also prompt countries that have been looking to crack down on VPN usage to introduce similar legislation, to put VPNs in a grey area where few tend to tread.

However, India has moved yet again towards a direction of limiting its users’ freedom on the internet.