Under a new national directive from India’s Computer Emergency Response Team, known as CERT-In, the virtual private network companies will be required to collect extensive customer data, and maintain it for five years or more.
The body announced that VPNs in the country will have to keep customer names, validated physical and IP addresses, usage patterns and other forms of personally identifiable information. Those who don't follow could potentially face up to a year in prison under the new directive.
Along with VPN providers, data centers and cloud service providers are both listed under the same provision. The companies will have to keep customer information even after the customer has canceled their subscription or account.
Under the ministry's full directive, VPN companies will be required to collect and report the following information:
· Validated customer names, physical address, email address and phone numbers.
· The reason each customer is using the service, the dates they use it and their “ownership pattern”.
· The IP address and email address used by a customer to register for the service, along with a registration time-stamp.
· All IP addresses issued to a customer by the VPN, and a list of IP addresses being used by its customer base generally.
Most VPNs offer a no-logging policy, a public promise against logging, collecting or sharing customer usage and browsing data. If VPNs in India are required under the new directive to keep customer registration data, or to monitor and report social media usage, many could potentially go against the law simply by continuing to operate.
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.
