CERT-In to collect user data aiming to solve incident analysis issues

May 19, 2022

India has recently mandated that all internet service providers gather their respective user data for the last five years, according to a press release by CERT-In (the Indian Computer Emergency Response Team). CERT-In added that it would also be amassing data from service providers such as data centres, VPNs, bodies corporate, and intermediaries under the act.

The new directives, which take effect on the 27th of June, list VPN, VPS, and cloud service providers, KYC norms, custodian wallet service providers, and virtual asset exchange providers among those required to comply.

According to the CERT-In press release, the new law is intended to solve problems encountered during incident analysis and to ensure a safe and trusted internet in India.

Several vital aspects are covered in the new directives, including the synchronisation of ICT system clocks, maintaining ICT system logs, providing subscriber registration details, and mandatory reporting of cyber incidents within six hours.

Service providers are also required to collect records of financial transactions for at least five years or longer, for better security in payment transactions and financial markets. These records include the data and period of hire, the purpose of subscribing to services, verified contact numbers and addresses, etc.

However, some VPN providers believe that the new directives risk compromising user privacy and contradict their unique selling point of ensuring users’ digital footprint security.

There are already reports of three mainstream VPN service providers opting not to follow the new law. One of these is Surfshark, a Netherlands-based VPN firm that has long observed a no-logs policy. Surfshark added that it is assessing the new law's implications, since it intends to continue its standard policies.

The same goes for another VPN service provider, Proton VPN, which stressed that the new requirements run contrary to civil liberties. It added that it would choose its clients over measures that weaken or threaten user privacy.

The third VPN service provider that refused to comply with the new mandate is ExpressVPN, which said it is fully committed to protecting users' privacy and would not agree to log activities.
