A new directive from the Ministry of Electronics and Information Technology (MeitY) and the Indian Computer Emergency Response Team (CERT-in) requires VPN companies to retain data on users for 5 years or more. The rule also applies to data centres and cryptocurrency exchanges and will come into effect from July 27.
According to a new directive, the government institutions have obligated these businesses to retain and report instances of cyber security breaches or any such related incidents and retain data on users for up to 5 years or more.
With rising cases of cyber attacks on organisations and businesses since the outbreak of COVID19, the government agencies have observed that they have been unable to get access to updated information or either face delay in transmission of the latest attacks. This has been a hindrance for the agencies to work in a more efficient and faster manner.
MeitY has listed 20 types of cyber breaches or incidents that should be notified to CERT-in which include data breaches, data leaks, attacks targeted at IoT devices, services and software, identity theft and spoofing and phishing attacks. The government has also mandated that any targeting scanning or probing of an organisation's critical systems has to be notified to CERT-in at the earliest.
The government has extended the rule not just to VPNs, but also to cryptocurrency exchanges, social media companies and app developers. Any unauthorised access to social media accounts or malicious apps that are installed on smartphones and tablet devices will also help governments work faster to identify and stop future attacks as well.
The government has stated in the circular that companies who fail to comply with the new rules by the given deadline could see a fine of Rs 1 lakh or more and/or could also imprisonment for up to 1 year.
Worrying signs for VPNs as well as users
There has not been a positive response from Indian users who rely on using VPNs to consume content or to browse the web with their privacy intact. According to the report, many VPN apps rely on servers that only temporarily store data and do not require any login credentials.
If these companies are forced to store data going forward, it is expected to increase operating costs when they get dedicated servers. This could even force many such companies from operating in India.
Additionally, browsing the internet using a VPN is expected to be safe and is a method to remain away from prying eyes. If the data is stored and is shared with the agencies, it could be a massive risk of personal data getting exposed.
