Centre asks VPN services to log, hand over customer data
Soon, companies offering virtual private network (VPN) or cloud services in India may be required to collect, as well as maintain, extensive and “accurate” data of their consumers for five years under Union ministry of electronics and information technology’s (MeitY) cybersecurity policy.
The new directives from India’s Computer Emergency Response Team (CERT-in), the government’s nodal agency for detecting and responding to cyber incidents, may have far-reaching ramifications on how VPN services are offered and used in the country.
“The failure to furnish the information or non-compliance with the ... directions, may invite punitive action,” the order dated April 28 said. The policy, details of which were first reported by HT last week, will come into effect within 60 days of the order.
It states that all cloud service providers and VPN providers will be required to maintain a series of extensive customer information for at least five years. This includes validated names, address and contact number of customers, period of subscription, email address and IPs being used and purpose for using services, among others.
The rules will also apply to data centres, virtual private server (VPS) providers.
The companies in question will have to maintain all customer information for five years or longer (as mandated by law), even after “any cancellation or withdrawal of the registration” by a customer.
“With respect to transaction records, accurate information shall be maintained in such a way that individual transaction can be reconstructed along with the relevant elements comprising of, but not limited to, information relating to the identification of the relevant parties including IP addresses along with timestamps and time zones, transaction ID, the public keys (or equivalent identifiers), addresses or accounts involved (or equivalent identifiers), the nature and date of the transaction, and the amount transferred,” it adds.
Also under the policy, the government has asked service providers, intermediaries, data centres, body corporates and government organisations to mandatorily report any breaches or leaks within six hours of them being flagged.
Union minister for MeitY Ashwini Vaishnaw last week allayed privacy concerns surrounding the storing of data by the provider, stating that there was “nothing to worry about”. ““There is no privacy concern. Suppose, somebody takes a mask and shoots, wouldn’t you ask them to remove that mask? It is like that,” Vaishnaw said at an event in Bengaluru.
The government was yet to respond to a specific query by HT on the issue.