The new national requirement from India''s Computer Emergency Response Team, CERT-in, is a strategy "to coordinate response activities as well as emergency measures in response to cyber security issues," according to Entracker.
Companies, including the VPN providers, must include customers'' names, usage patterns, contact information, validated IP and physical addresses, and the purpose for which they are employing the services.
India''s IT Minister has no clue how privacy or VPN works. CERT-IN has no history of acting on public issues. It is a bad idea to give it large powers without oversight. https://t.co/8Y5cKGMCXb
In addition, businesses must keep customer information even after they cancel their accounts or subscriptions. Similarly, organizations must report on "unauthorized access to social media accounts."
CERT-in claims the requirements are so that the agency may respond to cyber incidents within six hours after discovering them. The directive isn''t being welcomed by users of these services, obviously, but the companies providing them may not have much choice: the failure to comply with requests for information can result in a one-year prison term.
Some VPNs have a no-logs policy in which they do not store logs of their online activities, and even those that keep them do so temporarily. Some may be forced to leave the Indian market as a result of the new rules.
The directive will come into force on June 27, although this may be postponed so that businesses have the choice to comply with the regulations.
Privecstasy''s Image Credit