
VPN Providers in India to be mandated to store user data for up to 5 years

RockSolid1106

Summary

The Indian Government has announced a new policy, which mandates VPN Providers in India to log user data (names, email addresses, phone numbers, IP addresses) for up to 5 years. This policy aims to give more power to CERT-In (Indian Computer Emergency Response Team), which is responsible for monitoring cyber crimes. This policy will be enforced from June 27. This of course has raised concerns regarding privacy.

 

Quotes

Quote

The Ministry of Electronics and Information Technology (MeitY) of India and the CERT-In recently announced the new policy for VPN providers in India via an official memo. The policy aims to give more power to CERT-In, which is responsible for monitoring cybercrimes in the country.

 

Under this policy, VPN providers will be required to log and store user information such as their names, email addresses, and phone numbers for at least five years. The companies are also required to store the IP addresses that the customers have been allotted and the ones that they used to sign up, along with other details like their purpose for using VPN services and their “ownership pattern.”

 

Browsing the internet using a VPN is expected to be safe and is a method to remain away from prying eyes. If the data is stored and is shared with the agencies, it could be a massive risk of personal data getting exposed.

 

All information that is mandated to be stored by companies according to CERT-in:

a. Validated names of subscribers/customers hiring the services
b. Period of hire including dates
c. IPs allotted to / being used by the members
d. Email address and IP address and time stamp used at the time of registration / on-boarding
e. Purpose for hiring services
f. Validated address and contact numbers
g. Ownership pattern of the subscribers / customers hiring services

 

My thoughts

I smell some privacy issues here.. Of course, the idea of using a VPN to protect your privacy is a bad one in the first place, but this seems to make it even worse. I personally don't like how the Indian Government is not giving an F about its citizens' privacy. There was this previously too:

 

They just seem to be giving users less and less control over their privacy and data. I understand they're doing it to help them investigate cyber crimes and other stuff, but to me this is just an invasion of people's privacy. Data breaches happen all the time, and that would be quite some personal information that would be leaked if that happened.

Would be interesting to see what you guys think.

 

Sources

https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf

https://beebom.com/india-new-policy-requires-vpn-providers-collect-customer-data/

https://www.techradar.com/in/news/indian-government-wants-vpns-to-store-and-share-user-data

https://www.youtube.com/watch?v=BRC-Ze6ZAck


14 minutes ago, RockSolid1106 said:

I smell some privacy issues here.

Understatement of the century. Modern governments feel the need to know everything everyone is doing at all times, privacy be damned, citizens' safety in the inevitable data breach be damned. One would hope politicians will have to face the music, but basically all of them are shielded from consequence by the corporations and billionaires they're in the pockets of.

 

Woo surveillance state! I've got my collection of dubious images ready to make my assigned FBI agent regret having eyes!

¯\_(ツ)_/¯

 

 


Man I am conflicted. One part of me is against the idea of intrusion of people's privacy. The other part of me wonders if this would help in combating any of the tech scam call centers... Curious to see how this pans out.


So how are they going to ban VPNs outside their jurisdiction? Because Nord for example is based in Panama. It’s kinda like the DMCA in the US, if you use Nord, they are not obligated to play ball with US authorities if you choose to pirate copyrighted works. 


And just like that, every VPN provider in India went bankrupt.


Not sure if it ever passed, but I think Canada was considering a similar thing.

 

Honestly, while 5 years might be a bit much I do understand where the sentiment is coming from.  If a crime is committed and someone was using a VPN that boasted no logging then they literally can get away with it.  As much as people want their privacy, there really needs to be limits put on privacy.

 

e.g. Imagine someone extorting/blackmailing who used a VPN without logging.  Unless the person makes some sort of mistake it's going to be impossible to track them down.  Sure, even with VPNs logging it still might be difficult, but at least with the logging requirements it requires more effort to stay anonymous.

 

1 hour ago, Donut417 said:

So how are they going to ban VPNs outside their jurisdiction? Because Nord for example is based in Panama. It’s kinda like the DMCA in the US, if you use Nord, they are not obligated to play ball with US authorities if you choose to pirate copyrighted works. 

Well I mean any servers themselves that are run within India I'd assume would have to apply by the law.  It won't matter where the company is situated in, if they run a server in India hosting VPN it has to comply by the law.  There is also the potential the law could be written so that it prevents companies that don't comply from selling VPN services internally.  Thus if they still sell services they could be fined/barred from offering services.

 

 


Let's be honest.  VPNs are mostly used to mask your online identity for accessing content you wouldn't normally have access to.  

 

As we know, VPNs do log data, just not so openly so mandating a 5 year log isn't that big of a deal. 

 

The upside is that it might combat the rampant online criminality originating from India. 

 


You can have both privacy and security, one should not come at the expense of the other.

An example for that is Switzerland.


2 hours ago, wanderingfool2 said:

I'd assume would have to apply by the law.  It won't matter where the company is situated in, if they run a server in India hosting VPN it has to comply by the law. 

If that was the case then people would be going to jail for breaking the DMCA, because Nord has servers in the US. But they don't.

 

2 hours ago, wanderingfool2 said:

There is also the potential the law could be written so that it prevents companies that don't comply from selling VPN services internally.  Thus if they still sell services they could be fined/barred from offering services.

Kinda hard to enforce that. Last I heard people in China still use VPNs to get around the great firewall. Why do you think India will have better luck? You can't fine a company that's not on your nation's soil.


4 hours ago, MageTank said:

Man I am conflicted. One part of me is against the idea of intrusion of people's privacy. The other part of me wonders if this would help in combating any of the tech scam call centers... Curious to see how this pans out.

How would it do that? I was under the impression that they used regular cell networks?

 

 


One question I have:
Do self-hosted VPNs count?

If not there's a possible loophole that can be exploited.


Quote

Types of cyber security incidents mandatorily to be reported by service providers, intermediaries, data centres, body corporate and Government organisations to CERT-In:

[Refer Rule 12(1)(a) of The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013]

i. Targeted scanning/probing of critical networks/systems
ii. Compromise of critical systems/information
iii. Unauthorised access of IT systems/data
iv. Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious code, links to external websites etc.
v. Malicious code attacks such as spreading of virus/worm/Trojan/Bots/Spyware/Ransomware/Cryptominers
vi. Attack on servers such as Database, Mail and DNS and network devices such as Routers
vii. Identity Theft, spoofing and phishing attacks
viii. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
ix. Attacks on Critical infrastructure, SCADA and operational technology systems and Wireless networks
x. Attacks on Application such as E-Governance, E-Commerce etc.
xi. Data Breach
xii. Data Leak
xiii. Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers
xiv. Attacks or incident affecting Digital Payment systems
xv. Attacks through Malicious mobile Apps
xvi. Fake mobile Apps
xvii. Unauthorised access to social media accounts
xviii. Attacks or malicious/suspicious activities affecting Cloud computing systems/servers/software/applications
xix. Attacks or malicious/suspicious activities affecting systems/servers/networks/software/applications related to Big Data, Block chain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D
xx. Attacks or malicious/suspicious activities affecting systems/servers/software/applications related to Artificial Intelligence and Machine Learning

Recently there have been a lot of attacks on Indian govt-run accounts by crypto bots, I think the government is trying to clamp down on these.

 

 

8 hours ago, RockSolid1106 said:

I personally don't like how the Indian Government is not giving an F about its citizens' privacy. There was this previously too:

I'mma have to disagree with you on this one. The previous issue was just the government investigating the data social media companies were selling to advertisers; the government just wanted to know what data is leaving the country, as it might pose a threat against the national security due to the geopolitical conditions of then.

And the government will not exist if it ignores the citizen, the democracy of the country is structured this way, People will start protesting, there will be riots and clashes. But I hope that won't need to happen as these rules are almost non enforceable.

 

Some earlier cases where these failed

1. Porn ban, pornography is banned in India, many Indians don't even know this, only some major ISPs block porn sites, but still Indians access them as there are more sites than the ISPs could block.

 

2. The previous issue you mentioned, those rules were never enforced, and the government eventually gave up

 

3. Torrent ban, same thing with the porn ban.

 

 

The government knows these will fail, they just try to enforce them to keep illegal activities under control.



I would like to tell you as soon as I read this God damn post, I immediately opened Gmail and E-mailed The Ministry of Electronics and Information Technology, complaining and ranting about this law cuz I am an Indian Citizen.

[Image: image.png]


1 hour ago, Caroline said:

Hmm... taking the P out of VPN is something governments have been wanting to do since their inception.

No no, it's VIRTUAL PUBLIC NETWORK now. So the P is still in VPN, just has a different meaning. LOL

 


6 hours ago, Donut417 said:

If that was the case then people would be going to jail for breaking the DMCA, because Nord has servers in the US. But they don't.

That's not how the DMCA works, you do know that right?  They can't be brought to jail for it.

 

If servers are situated in a country, those servers need to apply by local law.  It doesn't matter where the company is situated, the laws of the physical location of the server take precedence.

 

There is also an argument to be made that the no-log VPNs may also be liable...but honestly I'm betting it hasn't reached the point yet where studios want to invest the millions that it would take to properly sue (and get no payout, as the VPNs will just go belly up).  *Opinion on this one*

 

6 hours ago, Donut417 said:

Kinda hard to enforce that. Last I heard people in China still use VPNs to get around the great firewall. Why do you think India will have better luck? You can't fine a company that's not on your nation's soil.

Sure you can, if they have physical property you can seize that.  Depending on treaties and such you can also pursue them at the country of origin.  You can also use it as justification to completely ban non-compliant businesses.

 

Also while people still do use VPNs in China, I do feel that it's a lot more restricted still.  It's also the concept that if you have an exit point in China, I'm betting that it's monitored and logged who is accessing it.


In India's case ... if this helps cyber police crack down on Indian call centre scamming, I'm actually all for it.
Not that I want this in Canada, or any western democratic country, but maybe India needs to be a little more authoritarian to get control of this scum of an industry once and for all.  It is soo rampant in India that if their govt actually wants to stop it, then they need the playbook to change to do so, and they should have that power.
The rest of us ... will only benefit.


2 hours ago, MORPH_WOLF said:

I would like to tell you as soon as I read this God damn post, I immediately opened Gmail and E-mailed The Ministry of Electronics and Information Technology, complaining and ranting about this law cuz I am an Indian Citizen.

[Image: image.png]

Why would you send them an email, then tell them not to email you back, but instead give them your phone number and discord?

No government department will message you on discord. You are giving them mixed messages by saying you care about privacy, but then give them more information about you.


Another day, another government violating the citizenry rights and freedom.

Move along, nothing to see here.


3 hours ago, MORPH_WOLF said:

I would like to tell you as soon as I read this God damn post, I immediately opened Gmail and E-mailed The Ministry of Electronics and Information Technology, complaining and ranting about this law cuz I am an Indian Citizen.

[Image: image.png]

you probably just put yourself on one of their top priority watch lists lol.

 

Also FYI discord logs *everything* 🙃


3 hours ago, MORPH_WOLF said:

I would like to tell you as soon as I read this God damn post, I immediately opened Gmail and E-mailed The Ministry of Electronics and Information Technology, complaining and ranting about this law cuz I am an Indian Citizen.

[Image: image.png]

So uhh, btw, it's not very hard for VPN companies to just turn on logging on their VPN networks.

Assuming they use Wireguard or OpenVPN it's a simple digit to change in the config file.

But it's more likely that these companies are using a different protocol, but I doubt it'll be much harder than that.

If anyone knows, please do tell


3 hours ago, MORPH_WOLF said:

I would like to tell you as soon as I read this God damn post, I immediately opened Gmail and E-mailed The Ministry of Electronics and Information Technology, complaining and ranting about this law cuz I am an Indian Citizen.

[Image: image.png]

Nobody's gonna read that (the mail)

Reason:- 

1. The description you've given in bold is wrong. "or face upto a year in prison" is not written anywhere in the official memo released.

2. You're swearing in a mail addressed to bureaucrats. Which gives away that you're immature and probably under the age of 15, nobody takes people of that age group seriously, especially bureaucrats.

 

 


24 minutes ago, Mark Kaine said:

you probably just put yourself on one of their top priority watch lists lol.

 

Also FYI discord logs *everything* 🙃

There's no watchlist maintained by the Indian government lol. 


5 minutes ago, VirusDumb said:

There's no watchlist maintained by the Indian government lol. 

 

[Image: surejan.webp]

 


2 hours ago, Pitboy64 said:

In India's case ... if this helps cyber police crack down on Indian call centre scamming, I'm actually all for it.
Not that I want this in Canada, or any western democratic country, but maybe India needs to be a little more authoritarian to get control of this scum of an industry once and for all.  It is soo rampant in India that if their govt actually wants to stop it, then they need the playbook to change to do so, and they should have that power.
The rest of us ... will only benefit.

As an Indian, yes that wouldn't help, the laws are hard to enforce, also the scam centres pose as travel agencies, call centers for legit businesses and etc, and in most cases they are legitimately doing what they pose as and scamming on side, that's why it's hard to catch them.

 

Also don't want to discuss politics here but, authoritarianism can't be made in India, it's a democracy with regular elections, the ruling party will lose all its power as soon as they take a decision the people don't like


5 hours ago, Caroline said:

Hmm... taking the P out of VPN is something governments have been wanting to do since their inception.

Yes, but it won't work, the government is trying to scare certain bodies which use VPN for illegal activities
