The Indian government has provided some temporary relief to Virtual Private Network (VPN) providers in the country. The Indian Computer Emergency Response Team (CERT-In), the govt agency responsible for cybersecurity in the country, has offered an extension of three months to VPN providers in the country to comply with the government’s latest rules.
Both Ministry of Electronics and IT (MeitY) and CERT-In have received requests to extend the deadline for implementation of these Cyber Security Directions.
CERT-In has decided to provide an extension till 25 September 2022 to Micro, Small, and Medium Enterprises (MSMEs) in order to enable them to build the capacity required for the implementation of the Cyber Security Directions.
Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers have been given additional time till 25 September 2022 for implementation of the mechanisms announced by CERT-In.
Many prominent VPN service providers have already decided to shut shop in India, in reaction to the latest directives by the Indian govt. The names include ExpressVPN and SurfShark.
What are the new directives for VPN service providers?
According to the Directions under subsection (6) of section 70B of the Information Technology Act, 2000, CERT-In had asked VPN service providers to fall in line with the new laws. The govt has asked Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers to register certain information of users, which they must maintain for a period of 5 years or longer.
This is the data set that VPN service providers will need to maintain:
a. Validated names of subscribers/customers hiring the services
b. Period of hire including dates
c. IPs allotted to / being used by the members
d. Email address and IP address and time stamp used at the time of registration / on-boarding
e. Purpose for hiring services
f. Validated address and contact numbers
g. Ownership pattern of the subscribers/customers hiring services