VPN providers in India mandated to collect customer data

Recently, the Indian Computer Emergency Response Team (Cert-In) issued new directives that require Virtual Private Network (VPN) providers to store user data for five years.

What is VPN?

• VPN describes the opportunity to establish a protected network connection when using public networks.
• It encrypts internet traffic and disguise a user’s online identity.
• This makes it more difficult for third parties to track your activities online and steal data.
• The encryption takes place in real time.

How does a VPN work?

• A VPN hides your IP address by letting the network redirect it through a specially configured remote server run by a VPN host.
• This means that if you surf online with a VPN, the VPN server becomes the source of your data.
• This means your Internet Service Provider (ISP) and other third parties cannot see which websites you visit or what data you send and receive online.
• A VPN works like a filter that turns all your data into “gibberish”. Even if someone were to get their hands on your data, it would be useless.

Why do people use VPN?

• Secure encryption: A VPN connection disguises your data traffic online and protects it from external access. Unencrypted data can be viewed by anyone who has network access and wants to see it. With a VPN, hackers and cyber criminals can’t decipher this data.
• Disguising whereabouts: VPN servers essentially act as your proxies on the internet. Because the demographic location data comes from a server in another country, your actual location cannot be determined.
• Data privacy is held: Most VPN services do not store logs of your activities. Some providers, on the other hand, record your behaviour, but do not pass this information on to third parties. This means that any potential record of your user behaviour remains permanently hidden.
• Access to regional content: Regional web content is not always accessible from everywhere. Services and websites often contain content that can only be accessed from certain parts of the world.
• Secure data transfer: If you work remotely, you may need to access important files on your company’s network. For security reasons, this kind of information requires a secure connection. To gain access to the network, a VPN connection is often required.

What does the new CERT-IN directive say?

• VPN providers will need to store validated customer names, their physical addresses, email ids, phone numbers, and the reason they are using the service, along with the dates they use it and their “ownership pattern”.
• In addition, Cert is also asking VPN providers to keep a record of the IP and email addresses that the customer uses to register the service, along with the timestamp of registration.
• Most importantly, however, VPN providers will have to store all IP addresses issued to a customer and a list of IP addresses that its customers generally use.

What does this mean for VPN providers?

• VPN services are in violation of Cert’s rules by simply operating in India.
• That said, it is worth noting that ‘no logs’ does not mean zero logs.
• VPN services still need to maintain some logs to run their service efficiently.

Does this mean VPNs will become useless?

• The Indian government has not banned VPNs yet, so they can still be used to access content that is blocked in an area, which is the most common usage of these services.
• However, journalists, activists, and others who use such services to hide their internet footprint will have to think twice about them.

Why such a move?

• Crime control: For law enforcement agencies, a move like this will make it easier to track criminals who use VPNs to hide their internet footprint.
• Curbing dark-net activities: Users these days are shifting towards the dark and deep web, which are much tougher to police than VPN services.

Exam Track

Prelims Take Away

• Cert-IN
• VPN
• ISP