India Tells VPN Providers, Crypto Exchanges To Keep User Data for 5 Years

The Indian Computer Emergency Response Team (CERT-In) has directed Virtual Private Network (VPN) providers, crypto exchanges, and other service providers to maintain customer records for at least five years.

The body, which operates under the Ministry of Electronics and Information Technology, added that service providers will have to hand over user information within a specified timeline, if it orders them to do so.

The new directions will be applicable from late June, it said.

CERT-In gets its powers from Section 70B of The Information Technology Act, 2000, which says those who don't comply with the directions might face "imprisonment for a term which may extend to one year or with fine which may extend to one lakh rupees or with both."

Since VPNs are often used for anonymous browsing, most services presently claim to have a strict "no-log" policy which means user data isn't collected at all.

Data Centres, Virtual Private Server (VPS) providers, Cloud Service
providers, and Virtual Private Network Service (VPN Service) providers, CERT-In said, will be required to maintain logs of the following information:

• Validated names of subscribers/customers hiring the services

• Period of hire including dates

• IPs allotted to/being used by the members

• Email address and IP address and time stamp used at the time of registration/on-boarding

• Purpose for hiring services

• Validated address and contact numbers

• Ownership pattern of the subscribers/customers hiring services

Meanwhile, virtual asset service providers, virtual asset exchange providers and custodian wallet providers have been directed to maintain all information obtained from the Know Your Customer (KYC) process and records of financial transactions for a period of five years.

CERT-In can demand this information for the purposes of "cyber incident response, protective and preventive actions related to cyber incidents."

The body said this will help "ensure cyber security in the area of payments and financial markets for citizens while protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets."

"Any service provider, intermediary, data centre, body corporate and
Government organisation shall mandatorily report cyber incidents to CERT-In within 6 hours of noticing such incidents or being brought to notice about such incidents," it added.

The notification says that these directions are intended to make it easier for CERT-In to analyse and respond to cyber security incidents. However, the range of data that the government is asking service providers to store is concerning, as far as privacy is concerned.

"While well-intentioned, the new rules contain vastly expanded data retention requirements as compared to industry norms. Forcing private players to collect such information without a strong data protection law places the privacy of the average user at risk," said Udbhav Tiwari, Senior Manager, Global Public Policy, Mozilla.

The five-year policy will also mean that VPN providers will see their costs jump significantly, which will then likely have to be borne by the consumer.

"The demand that all records of subscribers, users, etc be retained and maintained for five years will have a profound impact, not only on privacy and data protection of the users, but also impose major financial costs for the companies providing these services," said Saikat Datta, Strategic Advisor, The Dialogue.

"When it comes to the adoption of VPNs in India it was around 3.5 percent, at the beginning of the year, and is only the first half of 2021, it grew to 25.7 percent. So the sector is already looking at huge growth. And this is detrimental to the ongoing trajectory," said Anshul Dhir COO and co-founder, EasyFi Network.

Last year, The Parliamentary Standing Committee on Home Affairs asked the Indian government to obstruct access to virtual private networks, alleging that such services enable 'criminals to remain anonymous online.'