A virtual private network company in India must collect and retain customer data for five years. Details must include name, address, contact number and email address of customers who hire the services, period of use, IP address assigned to them, time stamps used when registering, purpose for using the service and ownership pattern of the users. Failure to provide the information or non-complying with the directives may result in punitive action.
VPNs are used to hide your identity when you’re surfing the web. They also allow you to access blocked content such as Netflix. However, most VPNs don’t log your activity. Your ISP and other third parties can’t see which websites you visit or what data you send and receive online.
VPNs are used by people who want to protect their privacy. They use them to access content blocked by governments or companies.
Excessive collection of data by government agencies will harm both VPN providers and VPN users. It is unclear how this will increase cyber security.
Any company that provides VPN services will have to keep the personal data of their customers even if they cancel their account. In the case of cloud service providers, CERT-in expects these companies to report any unauthorized access to social media accounts.
The vast majority of VPNs offer no-logging policies with servers that use log-less data storage. If VPNs in India are required to keep customer registration data or information about social media use, many of them could break the law in the process simply by continuing to operate.
A recent report by Access Now showed that there were 60% of government-imposed internet shutdowns in India. This was due to the rise of VPN demand in India as reported by Top10VPN and it affected 59.1 million users.
Under the ministry’s full directive, VPN companies will be required to identify users and report on their activities like : Validated customer names, physical address, email address and phone numbers.
