Experts, VPN users unhappy with mandate to store user data for 5 years

“VPN apps allow me to access the internet for free. The purpose of using a VPN is that my personal information is not tracked by tech companies that sell personal data.” Pune-based tech professional Ritesh Kalvellu, 26, makes it very clear why he is unconvinced by CERT-In’s recent directive for VPNs to retain Know-Your-Customer (KYC) information.

The guidelines require service providers such as VPS, VPNs, intermediaries and data centers to retain user data for five years, and report cyber incidents within six hours. Companies are also required to track and maintain user records even after a user has canceled their subscription to the service.

Aneesh P, a 21-year-old student enrolled in an online college based in Germany, uses VPN apps to keep in touch with his professors and classmates. “The VPN provides me with a secure connection to local German news channels, streaming services and helps me find my homework – most importantly, I don’t see any ads on my web browser, which means no one follows my web history and I would like it to stay that way.”

A VPN hides your identity and encrypts your data while providing access to an IP address in a country of your choosing. It protects your identity by replacing your computer’s IP address with a temporary IP address hosted on a remote server.

Sarfaraz Shaikh, a 38-year-old businessman, said that he works remotely from cafes and uses public wifi, over which he then connects to a VPN service to ensure his data is not recorded. “If my data started to be tracked and logged by VPN companies, then why would I even bother to buy the subscription?”

Like Shaikh, several others believe that this directive results in less privacy and that since the data is recorded, it would be possible to track browsing and downloading history.

While the recent directive from CERT-In, the cyber arm of the Ministry of Electronics and Information Technology, aims to close the gap in cyber impact analyses by having access to more information and data to improve cybersecurity, internet freedom experts and companies believe that this directive would lead to a serious privacy violation and have an impact on VPN companies operating in India.

The Internet Freedom Foundation (IFF) raised concerns about the guidelines’ clause that says companies must “store data for five years or more.” “The ambiguity around the period as well as the lack of reasoning behind its extension could lead to serious privacy breaches,” IFF said in a statement to

The policy requires VPN service providers to collect and report a large amount of customer data even after the customer cancels their subscription or account. This includes, but is not limited to, subscriber/customer names, verified physical, email, and IP addresses, contact numbers, and other personally identifiable information. These excessive data collection and transmission requirements will not only impact VPN service providers, but also VPN users.

Prasanth Sugathan, General Counsel, believes that some providers may even choose to leave India rather than comply with such strict guidelines, which go against the data minimization principle adopted by most VPN services.

The absence of a data protection law in India makes the situation all the more problematic, with limited recourse for a citizen. “Forcing private actors to collect such information without strong data protection law puts the privacy of the average user at risk,” said Udbhav Tiwari, Senior Director, Global Public Policy, Mozilla.

“The KYC requirement is broad and could impact the operations of cloud service providers. The customer information sought under this requirement is sensitive and could deter consumers from using cloud services,” said Rizvi, explaining how this policy would affect VPN companies.

The five-year policy will also mean that VPN providers will see their costs increase significantly, which will then likely have to be borne by the consumer.

“The amount of data required is high. This will increase the operational costs of running a VPN and users will think twice before opting for such services. While it is important for CERT-In to monitor and investigate cybersecurity incidents, citizens’ privacy must not be compromised to achieve this goal,” Sugathan added.
