As reported by Entracker, the new national directive from India’s Computer Emergency Response Team, known as CERT-in, is an attempt “to coordinate response activities as well as emergency measures with respect to cyber security incidents.” Companies, including the VPN providers, must record customers’ names, usage patterns, contact information, validated IP and physical addresses, and the purpose for which they are hiring the services. Another part of the directive states that companies must keep customer information even after they cancel their accounts or subscriptions. Additionally, organizations must report on any users’ “unauthorized access to social media accounts.” CERT-in claims the requirements are so the agency can respond to cyber incidents within six hours of discovering them. The directive isn’t being welcomed by users of these services, obviously, but the companies providing them may not have much choice: failure to comply with requests for information can result in one year of imprisonment. Most VPNs offer a no-logs policy in which they do not store logs of customers’ online activities, and even those that keep them only do so temporarily. With the threat of legal action, some of these providers may be forced to leave the Indian market as a result of the new rules. The directive is set to go into effect on June 27, though this could be delayed so that companies have more time to comply with the rules. h/t: CNET Image credit: Privecstasy
