The Indian Computer Emergency Response Team (CERT-In) of the Ministry of Electronics and Information Technology has said in an order that Virtual Private Network (VPN) providers will be required to register and protect user information for at least five years. June 28 – Unless the government delays due to slowness in its compliance. The decision aims to help in “coordinating response activities as well as emergency measures with respect to cyber security incidents” in the country. Here’s what you need to know about the move.
in one eight page instructions He was released last week, CERT-In Said that the order under sub-section (6) of section 70B of the Information Technology Act, 2000 has been taken into consideration. It states that vpn Service providers – including data centers, virtual private server (VPS) providers, and cloud service providers – will be required to register and retain accurate information on their services for five years or more “as opposed to any cancellation or After registration is mandated by law. The case may be”.
User information includes the valid name of the subscriber, the length of time you are subscribing to the service, the IP assigned and in use, the email address and IP address as well as the exact time entered during registration, the purpose of subscribing, valid address and contact number and the ownership pattern of the customers signing in to the service.
In case of any eventuality, the service provider shall be bound to furnish the information sought by CERT-In.
The national agency said that failure to provide information or non-compliance with the order may invite “punitive action” under sub-section (7) of section 70B of the IT Act, 2000 and other applicable laws.
While the exact reason for the order is yet to be stated, CERT-In claimed that the issued directions would help “address the identified gaps and issues” for providing incident response measures.
The growth of India’s internet base is playing a vital role in expanding cyber security incidents in the country. One of the major reasons for such issues is the lack of awareness among the general public on how they should avoid becoming a victim of cybercriminals. Organizations including government departments are also not proactive in plugging security loopholes. For this, the ministry’s agency is making it mandatory for service providers, intermediaries, data centres, corporate bodies and government departments to report vulnerabilities to CERT-In within six hours.
However, instructing VPN providers to collect and share their customers’ information is odd as the main objective of getting a VPN service is to avoid leaving any traces behind. Most VPN Companies Follow no-logs practices and often actively promote that they do not keep user activity data, although some of them Collect anonymous analytics data To troubleshoot and fix connection failures.
In such a situation, it is not clear how some of the popular VPN service providers in the world will be able to comply with the order of the government. It is also not clear whether the directions will apply to all service providers or people living in India.
The order will come into effect from the end of June, though there may be some delay in its implementation as most of the players are likely to take time to follow the instructions given. the same command made it too Essentials for crypto exchanges To store user data in the country for at least five years.
Notably, this is not the first time we are seeing VPN service providers in the country coming under the spotlight. Last year a parliamentary panel urged the government To block VPN permanently To prohibit cyber crimes. including telecom operators Reliance Jio had also seen Restricting access to certain VPN services and proxy websites in the country in 2019