Centre asks VPN services to log, hand over customer data
NEW DELHI: Soon, companies offering virtual private network (VPN) or cloud services in India may be required to collect, as well as maintain, extensive and “accurate” data of their consumers for five years under Union ministry of electronics and information technology’s (MeitY) cybersecurity policy.
The new directives from India’s Computer Emergency Response Team (CERT-in), the government’s nodal agency for detecting and responding to cyber incidents, may have farreaching ramifications on how VPN services are offered and used in the country. “The failure to furnish the information or non-compliance with the... directions, may invite punitive action,” the order dated April 28 said. The policy, details of which were first reported by HT last week, will come into effect within 60 days of the order.
It states that all cloud service providers and VPN providers will be required to maintain extensive customer information, including validated names, address, contact number, email address and IPs, for at least five years. The rules will also apply to data centres, virtual private server (VPS) providers. The companies will have to maintain all customer information for five years or longer (as mandated by law), even after “any cancellation or withdrawal of the registration” by a customer.
“With respect to transaction records, accurate information shall be maintained... along with ...information relating to the identification of the relevant parties including IP addresses along with timestamps and time zones, transaction ID, the public keys (or equivalent identifiers), addresses or accounts involved (or equivalent identifiers), the nature and date of the transaction, and the amount transferred,” it adds. Also under the policy, the government has asked service providers, intermediaries, data centres, body corporates and government organisations to mandatorily report breaches or leaks within six hours of them being flagged.
Union minister for MeitY Ashwini Vaishnaw last week allayed privacy concerns surrounding the storing of data by the provider, stating that there was “nothing to worry about”.
The government was yet to respond to a specific query by HT on the issue.