The Ministry of Electronics & Information Technology (MeitY) on April 28 issued directions to Virtual Private Network (VPN) provider companies to collect and share user data including IP addresses with it, for a period of five years. Along with VPN providers, the notification posted by the Ministry’s Computer Emergency Response Team (CERT-in) also ordered data centers, crypto-exchanges and other intermediaries to collect and turn over user data in order to “coordinate response activities as well as emergency measures with respect to cyber security incidents” and report cyber-incidents within six hours of their happening.
Further, the CERT-in said that these directions would come into force 60 days after the date this notification was issued. As per the government’s directions, failure to furnish the information or abide by the directions could lead to imprisonment of up to one year, as per sub-clause (7) of Section 70B of the IT Act 2000. As per the provisions of Section 70B of the IT Act, CERT-in also said that its directions were relevant to “information security practices, procedure, prevention, response and reporting of cyber incidents”.
Although the order is designed to tackle cyber-incidents including cyber-crimes, the scope of user information ordered to be stored poses potential privacy risks. The new regulations called on data centers, VPN and cloud service providers to log and turn over customer information that includes the names of subscribers/customers hiring the services, their e-mail addresses, phone numbers, the customer’s “purpose for hiring the VPN service”, IP addresses allotted to the customer and being used by the members, as well as the ownership pattern of the subscribers/customers hiring services.
The range of information demanded thus undermines one of the most attractive features of a VPN service, which is to protect the user’s digital privacy. A VPN service is designed to encrypt its user’s data, while masking the user’s own IP address and letting the user take on a temporary IP address from any other country.
Meanwhile, netizens and rights bodies on Twitter questioned the government’s move. Through a series of tweets, the digital policy and rights organisation, Internet Freedom Foundation, issued a statement questioning the CERT-in’s directions, noting that they were “vague and harmful” and “undermined user privacy and information security”, going against the CERT’s own mandate.
Global human rights watchdog Amnesty International also responded by tweeting that the Indian government’s latest directive was “[A] new major blow to the rights to privacy and freedom of expression in India.” Others, including politicians such as Trinamool Congress MP Derek O’Brien, reacted to the news, saying, “VPN now stands for Virtual Policing Network.”