The Indian government is doing so to address gaps in responding to cybersecurity incidents, but the new regulations undermine a main selling point of having a VPN.
In an effort to fight cybercrime, India is enacting a new policy that’ll require VPN providers to collect and turn over user data, including the IP addresses assigned to customers.
The policy is meant to bolster the powers of the country’s national agency, the Indian Computer Emergency Response Team (CERT-In), which deals with cybersecurity incidents.
“During the course of handling cyber incidents and interactions with the constituency, CERT-In has identified certain gaps causing hindrance in incident analysis,” India’s government said in adopting the new policy last week.
The new regulations call for VPN providers to log and store the following information from customers for at least five years:
Name, email address and phone number
The customer’s purpose for using the VPN service
The IP addresses allotted to the customer and the IP address the customer used to sign up with the service
The “ownership pattern” of the customer
Such information could help India unmask cybercriminals who use VPNs for malicious activities. But it also risks compromising the privacy of all other users on the VPN service, including what websites they’ve been visiting. As a result, the new policy threatens to undermine a key selling point of VPNs, which are often promoted as tools to protect your digital privacy.
India’s policy also requires a wide range of internet services, including ISPs and data centers, to maintain logs of all their systems over a rolling 180-day period. In addition, cryptocurrency exchanges must maintain all their transaction and customer records for five years.
We reached out to several VPN providers on the new requirements, and will update the story if we hear back. But we expect that major VPN vendors will refuse to follow the regulations, which could push the Indian government to block access to offending VPN providers or impose fines.
“The failure to furnish the information or non-compliance…may invite punitive action,” the regulations state. The new policy goes into effect on June 27.
UPDATE 5/4/2022: Three VPN providers say they don’t plan on following India’s new policy requiring customer data collection.
Surfshark told PCMag: “Surfshark has a strict no-logs policy, which means that we don’t collect or share our customer browsing data or any usage information. Moreover, we operate only with RAM-only servers, which means that any information that would usually be on the hard drive is wiped off automatically whenever a server is turned off. Thus at this moment even technically we would not be able to comply with the logging requirements. We are still investigating the new regulations and their implications for us, but the overall aim is to continue providing no-logs services to all of our users.”
Meanwhile, ProtonVPN said: “India’s new VPN requirements will erode civil liberties and make it harder for people to protect their data online. Proton is monitoring the situation, but ultimately we’ll never take any measure that weakens our VPN service or threatens the privacy of our users.”
ExpressVPN also said: “We are keeping a close eye on the situation as it evolves, but want to be clear that ExpressVPN is fully committed to protecting our users’ privacy, including through never logging user activity, and will adjust our operations and infrastructure to preserve this principle if and when necessary. As a company focused on protecting privacy and freedom of expression online, ExpressVPN will continue to fight to keep users connected to the open and free internet, no matter where they are located.”
I’ve been with PCMag since October 2017, covering a wide range of topics, including consumer electronics, cybersecurity, social media, networking, and gaming. Prior to working at PCMag, I was a foreign correspondent in Beijing for over five years, covering the tech scene in Asia.