India’s nodal cybersecurity agency Computer Emergency Response Team (CERT-In) has directed companies providing a virtual private network (VPN), cloud service as well as virtual asset, exchange, and custodian wallet providers to register and maintain information about their customers for a period of 5 years. The new directives were announced on April 29 and were reported by Mint.
The information sought from VPN and cloud providers is slightly different from what has been asked of virtual asset providers given the nature of their services. For instance, VPN providers have to maintain validated names of subscribers, IPs allotted to them, IP addresses, email addresses, validated addresses, and contact numbers for 5 years even after the customer has canceled the registration. Meanwhile, virtual asset providers have to maintain Know Your Customer (KYC) details of subscribers along with records of financial transactions. In both instances, the information can be used to identify the customer.
In its order, CERT-In explains, the transaction records (for virtual asset providers) should be maintained accurately in a way that would allow “individual transaction to be reconstructed” along with information relating to the “identification of the relevant parties including IP addresses, timestamps and time zones, transaction ID, the public keys and accounts involved.”
The need to keep track of transactions on crypto platforms stems from the growing use of cryptos for money laundering and other illegal activities. According to Vicky Ray, principal researcher, Unit 42, Palo Alto Networks, the anonymity associated with cryptos are being used in India and elsewhere for tax evasion, money laundering, and to buy illicit goods and services.
Similarly, VPN is being used by many to bypass geographical and Internet service providers’ (ISP) restrictions to access content that may be banned or not available in India. Several websites that have been banned in the country through court orders can still be accessed using VPNs.
India ranked fourth among 85 countries in the VPN penetration rate in the first half of 2021, according to Atlas VPN’s Global VPN adoption index. VPN installation in India grew from 3.28% in 2020 to 25.27% in the first half of 2021. Last September, a Parliamentary Committee on Home Affairs recommended a ban on VPN apps in India.
Forcing companies to keep records for 5 years has been criticized by privacy advocates. For instance, privacy watchdog Internet Freedom Foundation warned in a Twitter post, that mandatory collection and perpetual storage of large amounts of sensitive user data can "create cyber security risks." In case of technical vulnerabilities ", such data can and may get exposed" putting millions of users at risk. IFF said it will also throttle innovation and increase the cost of digital services.
CERT-In on its part argues that the new directions will enhance “overall cybersecurity posture” and guarantee “safe and trusted Internet” in the country.