Indian Government Asks VPN Service Providers to Collect User Data, Here’s Why

Indian Government says that these directions will enhance overall cyber security posture and ensure safe and trusted Internet in the country

The Indian Computer Emergency Response Team (CERT-In), under the aegis of the Ministry of Information and Technology, Government of India recently made it mandatory for data centers, virtual private server (VPS) providers, VPN service providers, cloud service providers to store user data for five years. This decision has been taken to identify and close certain gaps that were hindering the process of incident analysis, said CERT-in.

“During the course of handling cyber incidents and interactions with the constituency, CERT-In has identified certain gaps causing hindrance in incident analysis. To address the identified gaps and issues so as to facilitate incident response measures, CERT-In has issued directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents under the provisions of sub-section (6) of section 70B of the Information Technology Act, 2000. These directions will become effective after 60 days,” said a statement from the organisation.

Information That Needs to Be Maintained by VPN Service Providers

VPN service providers will have to register the following information which must be maintained by them for a period of 5 years or longer duration as mandated by the law:

• Validated names of subscribers or customers hiring the services.
• Period of hire including dates.
• IPs allotted being used by the members.
• Email address and IP address and time stamp used at the time of registration or on-boarding.
• Purpose for hiring services. 
• Validated address and contact numbers.
• Ownership pattern of the subscribers or customers hiring services.

Furthermore, service providers will also have to mandatorily report the following incidents to CERT-in:

• Targeted scanning or probing of critical networks or systems.
• Compromise of critical systems or information.
• Unauthorised access of IT systems or data.
• Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious code, links to external websites and so on. 
• Malicious code attacks such as spreading of virus, worm, Trojan, Bots, Spyware, Ransomware or Cryptominers.
• Attack on servers such as database, mail and DNS and network devices such as routers.
• Identity theft, spoofing and phishing attacks
• Denial of service (DoS) and distributed denial of service (DDoS) attacks.
• Attacks on critical infrastructure, SCADA and operational technology systems and Wireless networks.
• Attacks on application such as e-governance, e-commerce and others.
• Data breach, and data leak.
• Attacks on Internet of Things (IoT) devices and associated systems, networks, software, and servers.
• Attacks or incident affecting digital payment systems.
• Attacks through malicious mobile apps.
• Fake mobile apps.
• Unauthorised access to social media accounts, and so on.