A few days back, the Government of India issued new guidelines directing companies providing virtual private network (VPN) services in the country to record and store the details of their users. These guidelines were issued by the Indian Computer Emergency Response Team (CERT-In).
CERT further informed that the new guidelines will come into effect after 60 days of the issue of the order. However, the directive has been slammed by various sections of society, including VPN companies, consumers, and rights activists. The Internet Freedom Foundation said, “The directions were released by CERT-In without any public consultation with technology and cyber security experts, which has led to the inclusion of multiple unwarranted provisions.”
The directive issued by the Indian government makes it mandatory for the VPN providers to maintain the following data under the know your customer (KYC) policy for a span of five years –
Validated name of subscribers/customers
Period of hire
IPs allotted to the user
Email address, IP address, and time stamp used at the time of registration.
Purpose of hiring services
Validated address and contact numbers
Ownership pattern of the subscribers