India Orders VPN Providers to Log and Hand Over Customer Data

pcmag.com:

In an effort to fight cybercrime, India is enacting a new policy that’ll require VPN providers to collect and turn over user data, including the IP addresses assigned to customers. 

The policy is meant to bolster the powers of the country’s national agency, the Indian Computer Emergency Response Team (CERT-In), which deals with cybersecurity incidents. 

“During the course of handling cyber incidents and interactions with the constituency, CERT-In has identified certain gaps causing hindrance in incident analysis,” India’s government said in adopting the new policy last week.

The new regulations call for VPN providers to log and store the following information from customers for at least five years: 

Name, email address and phone number

The customer’s purpose for using the VPN service

The IP addresses allotted to the customer and the IP address the customer used to sign up with the service

The “ownership pattern” of the customer

Such information could help India unmask cybercriminals who use VPNs for malicious activities. But it also risks compromising the privacy of all other users on the VPN service, including what websites they've been visiting. As a result, the new policy threatens to undermine a key selling point to using a VPN, which are often promoted as tools to protect your digital privacy.

India’s policy also requires a wide range of internet services, including ISPs and data centers, to maintain logs of all their systems over a rolling 180-day period. In addition, cryptocurrency exchanges must maintain all their transaction and customer records for five years. 

We reached out to several VPN providers on the new requirements, and will update the story if we hear back. But we expect that major VPN vendors will