Experts, VPN users unhappy with mandate to store users’ data for 5 years

The guidelines mandate service providers such as VPS, VPN, intermediaries, and data centres to retain user data for five years, and report cyber incidents within six hours. Companies are also required to keep track and maintain user records even after a user has cancelled his/her subscription to the service.

Aneesh P, a 21-year-old student who is enrolled in a long-distance online college based in Germany, uses VPN apps to stay connected with his teachers, and classmates. “The VPN provides me with a secure connection to German local news channels, streaming services, and assists me with finding my assignments —most importantly, I don’t see any advertising on my web browser, which means nobody is tracking my web history and I’d want it to remain like that.”

A VPN hides your identity and encrypts your data while also giving access to an IP in a country of your choice. It shields your identity by replacing your computer’s IP address with a temporary IP address hosted on a remote server.

Sarfaraz Shaikh, a 38-year-old businessman, told indianexpress.com that he works remotely from cafes and uses public wifi, which he then connects to a VPN service to ensure his data is not logged. “If my data would start being tracked and recorded by VPN companies, then why would I even bother to purchase the subscription?”

Like Shaikh, several others believe this guideline translates to lesser privacy and with data being logged, it would be possible to track browsing and download history.

While the Ministry of Electronics and Information Technology’s cyber arm CERT-In’s recent directive is to bridge the gap in cyber incidence analyses by having access to more information and data to enhance cyber security but experts and Internet freedom companies think this directive would result in serious privacy violation and impact VPN companies operating in India.

The Internet Freedom Foundation (IFF) raised concerns about the clause in the guidelines which states that the companies have “to store data for five years or more”. “The ambiguity around the time frame along with the lack of reasoning behind extending it could lead to serious privacy violations,” IFF said in a statement to indianexpress.com.

The policy requires VPN service providers to collect as well as report a wide amount of customer data even after the customer has cancelled their subscription or account. This includes but is not limited to names of subscribers/customers, validated physical, email and IP addresses, contact numbers, and other such personally identifiable information. Such excessive requirements for collecting and handing over data will not just impact VPN service providers but VPN users as well.

Prasanth Sugathan, Legal Director, SFLC.in believes that some providers may even choose to exit India than comply with such stringent guidelines that go against the principle of data minimisation adopted by most VPN services.

The lack of a data protection law in India makes the situation all the more problematic with limited recourse available for a citizen. “Forcing private players to collect such information without a strong data protection law places the privacy of the average user at risk,” said Udbhav Tiwari, Senior Manager, Global Public Policy, Mozilla.

“The KYC requirement is broad and might impact the operations of cloud service providers. The customer information sought under this requirement is sensitive and could deter consumers from availing the cloud services,” Rizvi said, explaining how this policy would affect VPN companies.

The five-year policy will also mean that VPN providers will see their costs jump significantly, which will then likely have to be borne by the consumer.

“The amount of data that is required is high. It will increase the operational costs of running a VPN and users will think twice before opting for such services. Although it is important for CERT.IN to monitor and investigate cyber security incidents, the privacy of citizens should not be compromised to achieve this objective,” Sugathan added.