- The Ministry of Electronics and Information Technology has come up with a new rule that will not favor internet privacy.
- VPS, VPNs, data centers, Intermediaries, and crypto exchanges must store their clients’ data for 5 years. The rule applies to every user, including those who're active and not active but have used the services.
- MeitY rule emerged in April and will become effective by June 2022. But VPN service providers with a no-log policy, such as ExpressVPN, say they won't follow the rule.
One of the advantages of using reputable VPN services and crypto exchanges is that they don’t store users’ data. As a result, VPNs protect their clients from exposure and exploitation, even from government surveillance. That is one of the critical reasons internet users run to these services.
But now, India’s MeitY (Ministry of Electronics and Information Technology) and CERT-In (Indian Computer Emergency Response Team) demand that these service providers track and record users’ data, which will ultimately compromise users’ privacy.
The new rule emerged in late April and will kick off by June this year–within a space of one month. These Indian government bodies are mandating VPNs, data centers, VPS, crypto exchanges, and even intermediaries to record users’ data.
The period of five years means that whatsoever information you shared with these providers will remain in their database for that long. Moreover, whether you’re still using the service or not, your data must stay until the five years elapses. According to CERT-In and MeitY, the reason is to enable a faster solution to cases relating to cybersecurity.
How implementation will work, and what are the resultant challenges
For these new rules to work correctly, the CERT-In mandates the parties involved to develop a Point of Contact for easy communication. That means all the data centers, VPS, India VPN providers, Crypto exchanges, and Government organizations must be interacting with CERT-In to ensure compliance.
On that note, there are supporting laws for punishing non-compliant participants. This direction will take effect from June 27, 2022.
But then, there have been a lot of controversies regarding the new rule and how it will affect these service providers. Foremost, VPN services make sure that third parties don’t access their users’ geographical location, browsing history, and IP address. These practices help to maintain the users’ anonymity.
But now, CERT-In mandates them to gather and store such information as emails, IP addresses, intent for usage, and contact numbers. Also, even cloud services and Datacenters will follow the new rule. So, how will these services do that in the wake of this new rule?
Moreover, some VPN services operate with the “no-log” policy, meaning they won’t log traffic or collect users’ data. So, how will they maintain users’ trust when they’re to collect sensitive and personal information that will expose users?
Imminent repercussions from the new MeitY rule
Many reputed personalities in the business world have commented on the new rule’s repercussions. Firstly, Apar Gupta, the Director of the Internet Freedom Foundation, stated that the rule would force some VPNs out of the Indian market. This is because all the providers who offer the “no-log” policy will not meet up with the requirements.
Gupta also pointed out that the new 180-day log maintenance on ICT systems will affect cybersecurity. It means that people’s personal data can land in the hands of online thieves.
Due to these changes in operations, top VPN services, including ExpressVPN, Surfshark, and ProtonVPN, have declared that they won’t comply with collecting users’ data. These services practice the “no-log” policy and intend to keep it that way.