IT Ministry orders VPN providers, crypto players to store user data for five years


The Ministry of Electronics and Information Technology’s Computer Emergency Response Team (CERT-in) on Thursday directed Virtual Private Network providers, data centers, and crypto exchanges to preserve a wide range of data on their customers for five years, in what it said was an effort “to coordinate response activities as well as emergency measures with respect to cyber security incidents”.

“Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers, shall be required to register” customers’ names, customers’ ownership patterns, their contact information, and the purpose for which they are hiring these services. 

We have reached out to the IAMAI’s Blockchain and Crypto Assets Council for comment on the implications for the crypto industry.

The order on the whole is purportedly aimed at ensuring that CERT-in can respond to cyber incidents within six hours of discovering them. The range of data it is asking IT organizations to preserve and provide upon request, though, appears unusual. 

What’s more, the consequences of not providing this information are governed by Section 70B(7) of the IT Act, which provides for up to one year of imprisonment.

We have reached out to CERT-in to find out if these requirements apply only to Indian companies or also to foreign firms that serve Indian customers.

The new directions will go into force from late June 2022, unless the window for complying gets extended, which usually happens for such directions.

The vulnerabilities that CERT-in requires organizations to report extend to twenty items, ranging from run-of-the-mill data breaches, fake mobile apps and attacks on server infrastructure to “Unauthorised access to social media accounts,” which all have differing levels of impact on an organization’s services and different levels of seriousness.

Interestingly, most VPNs usually have a ‘no logs policy’ or keep user data only temporarily. To that extent, this order, if taken to its logical conclusion, will probably push many out of the legal domain in India. Other issues will probably be raised as well, with providers citing storage costs and the liability for misuse of such stored data. That not storing user data is exactly the opportunity many VPNs sought to fill is, of course, another issue that they will now need to find an answer to in order to continue operating legally in India.
