May 6,2022:In an effort to fight cybercrime, India is enacting a new policy that’ll require VPN providers to collect and turn over user data, including the IP addresses assigned to customers.
The policy is meant to bolster the powers of the country’s national agency, the Indian Computer Emergency Response Team (CERT-In), which deals with cybersecurity incidents.
“During the course of handling cyber incidents and interactions with the constituency, CERT-In has identified certain gaps causing hindrance in incident analysis,” India’s government said in adopting the new policy last week.
The new regulations call for VPN providers to log and store the following information from customers for at least five years:
Name, email address and phone number
The customer’s purpose for using the VPN service
The IP addresses allotted to the customer and the IP address the customer used to sign up with the service
The “ownership pattern” of the customer
Such information could help India unmask cybercriminals who use VPNs for malicious activities. But it also risks compromising the privacy of all other users on the VPN service, including what websites they’ve been visiting. As a result, the new policy threatens to undermine a key selling point to using a VPN, which are often promoted as tools to protect your digital privacy.
