What India’s new VPN rules mean for you

On 28 April, the Indian Computer Emergency Response Team (Cert-In) issued new directives, first reported by Mint, that require Virtual Private Network (VPN) providers to store user data for five years. What does that mean?

What does the directive say? 

Under the new directions, VPN providers will need to store validated customer names, their physical addresses, email ids, phone numbers, and the reason they are using the service, along with the dates they use it and their “ownership pattern”. In addition, Cert is also asking VPN providers to keep a record of the IP and email addresses that the customer uses to register the service, along with the timestamp of registration. Most importantly, however, VPN providers will have to store all IP addresses issued to a customer and a list of IP addresses that its customers generally use.

Read more: Government asks VPN, custodian crypto wallets to store data for 5 years

What does this mean for no-logging VPN?

VPNs basically obscure a person’s internet usage by jumping the signal off multiple servers. A log of these servers can easily lead law enforcement agencies back to the original user. That is why most top VPN operators provide a “no logging” service—at least for paying users. This means they do not keep logs of the user’s usage history or the IP addresses of servers involved. Such services could be in violation of Cert’s rules by simply operating in India. That said, it is worth noting that ‘no logs’ does not mean zero logs. VPN services still need to maintain some logs to run their service efficiently. 

What kind of data do VPNs log? 

Some VPNs log data required to enforce device caps, measure how much data they have used, and monitor network performance. However, many services log browsing data, metadata about a person’s usage, websites they have visited, IP addresses involved, and more. Some, such as Hola VPN, also collect information on other apps installed on a person’s phone and when they register or sign-in to social media, according to the firm’s privacy policy. The name and email address of a user is available to virtually any VPN service. 

What does it mean for users? 

For law enforcement agencies, a move like this will make it easier to track criminals who use VPNs to hide their internet footprint. But experts have pointed out that governments and their agencies can easily misuse such a rule. They also pointed out that this may actually drive such users towards the dark and deep web, which are much tougher to police than VPN services. It is also unclear whether the Centre will use this to take action against users accessing content that is blocked in India using VPNs, such as the game PUBG Mobile.