In an effort to fight cybercrime, India is enacting a new policy that’ll require VPN providers to collect and turn over user data, including the IP addresses assigned to customers.
The policy is meant to bolster the powers of the country’s national agency, the Indian Computer Emergency Response Team (CERT-In), which deals with cybersecurity incidents.
“During the course of handling cyber incidents and interactions with the constituency, CERT-In has identified certain gaps causing hindrance in incident analysis,” India’s government said in adopting the new policy last week.
The new regulations call for VPN providers to log and store the following information from customers for at least five years:
Name, email address and phone number
The customer’s purpose for using the VPN service
The IP addresses allotted to the customer and the IP address the customer used to sign up with the service
The “ownership pattern” of the customer
Such information could help India unmask cybercriminals who use VPNs for malicious activities. But it also risks compromising the privacy of all other users on the VPN service, including what websites they've been visiting. As a result, the new policy threatens to undermine a key selling point to using a VPN, which are often promoted as tools to protect your digital privacy.
India’s policy also requires a wide range of internet services, including ISPs and data centers, to maintain logs of all their systems over a rolling 180-day period. In addition, cryptocurrency exchanges must maintain all their transaction and customer records for five years.
Get Our Best Stories!
Your Daily Dose of Our Top Tech News
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
We reached out to several VPN providers on the new requirements, and will update the story if we hear back. But we expect that major VPN vendors will refuse to follow the regulations, which could push the Indian government to block access to offending VPN providers or impose fines.
"The failure to furnish the information or non-compliance...may invite punitive action," the regulations state. The new policy goes into effect on June 27.
UPDATE 5/4/2022: Three VPN providers say they don't plan on following India's new policy requiring customer data collection.
Recommended by Our Editors
Surfshark told PCMag: "Surfshark has a strict no-logs policy, which means that we don’t collect or share our customer browsing data or any usage information. Moreover, we operate only with RAM-only servers, which means that any information that would usually be on the hard drive is wiped off automatically whenever a server is turned off. Thus at this moment even technically we would not be able to comply with the logging requirements. We are still investigating the new regulations and their implications for us, but the overall aim is to continue providing no-logs services to all of our users."
Meanwhile, ProtonVPN said: "India's new VPN requirements will erode civil liberties and make it harder for people to protect their data online. Proton is monitoring the situation, but ultimately we'll never take any measure that weakens our VPN service or threatens the privacy of our users."
ExpressVPN also said: "We are keeping a close eye on the situation as it evolves, but want to be clear that ExpressVPN is fully committed to protecting our users’ privacy, including through never logging user activity, and will adjust our operations and infrastructure to preserve this principle if and when necessary. As a company focused on protecting privacy and freedom of expression online, ExpressVPN will continue to fight to keep users connected to the open and free internet, no matter where they are located."
About Our Expert
Michael Kan
Senior Reporter
Experience
I've been a journalist for over 15 years. I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017, where I cover satellite internet services, cybersecurity, PC hardware, and more. I'm currently based in San Francisco, but previously spent over five years in China, covering the country's technology sector.
Since 2020, I've covered the launch and explosive growth of SpaceX's Starlink satellite internet service, writing 600+ stories on availability and feature launches, but also the regulatory battles over the expansion of satellite constellations, fights with rival providers like AST SpaceMobile and Amazon, and the effort to expand into satellite-based mobile service. I've combed through FCC filings for the latest news and driven to remote corners of California to test Starlink's cellular service.
I also cover cyber threats, from ransomware gangs to the emergence of AI-based malware. Earlier this year, the FTC forced Avast to pay consumers $16.5 million for secretly harvesting and selling their personal information to third-party clients, as revealed in my joint investigation with Motherboard.
I also cover the PC graphics card market. Pandemic-era shortages led me to camp out in front of a Best Buy to get an RTX 3000. I'm now following how President Trump's tariffs will affect the industry. I'm always eager to learn more, so please jump in the comments with feedback and send me tips.