India cracks down on privacy-first VPNs with demand to store logs for 5 years
No-log VPNs may find themselves unwelcome in India, when and if a directive that has recently been published by the country’s cybersecurity agency comes into effect.
The document released by the Indian Computer Emergency Response Team (CERT) late last month states that Virtual Private Network (VPN) service providers on par with data centers, cloud service providers, and Virtual Private Server (VPS) providers will have to keep a long list of user data for at least 5 years, even after users cancel their subscription for good.
The logs that VPN providers will have to store after the directive enters into force late July include:
- Users' names, addresses and phone numbers
- Period of use
- IPs that VPNs assign users
- Users' email and IP addresses, as well as the information on when exactly they signed up to the service (time stamp)
- Purpose of use
- Ownership pattern
India's Ministry of Electronics & IT claims that by tightening its grip on VPN and other online services providers it wants to improve cyber security. The ministry says the new legislation is aimed at closing the "gaps" that are "causing hindrance in incident analysis" and should "enhance overall cyber security posture and ensure safe & trusted Internet in the country".
In case of non-compliance with the provisions of the directive, providers risk facing repercussions under India’s Information Technology Act. The relevant article of the Act envisions that those who run foul of the law could face up to 1 year in jail or a fine to the tune of 100,000 rupees ($1,300), or both.
The new law is bound to deal a blow to the operations of "anonymous" VPNs that abide by a strict no-logging policy. Either they will have to cave in to the demands, and start operating storage servers which means less privacy for the end user, or be forced to migrate to a gray zone or cease their operations in India altogether. Moreover, the new requirements can rack up costs of VPN services for Indian customers, since the vendors will have to either rent or own storage servers to keep logs.
For its part, AdGuard does not keep any logs, this would run contrary to the company values. Therefore, we will not be able to comply with the demands of this law. We are constantly monitoring the situation and thinking about possible solutions. If we are left with no choice, we will be forced to reconsider the presence of our servers in this region.