- VPN companies, data centres, and crypto exchanges will now collect user data and store it for five years or longer
- The new law from the IT Ministry of India to collect and store data will come into effect from July 27th onwards
- If a company fails to meet the Ministry of Electronics and IT’s demands, it could face imprisonment of up to one year
The IT Ministry of India has ordered VPN companies to collect and store users’ data for five years or longer, in a report published on Thursday. The Computer Emergency Response Team (CERT-In) also asked data centres and crypto exchanges to collect and store user data for five years or longer, in order to coordinate response activities and emergency measures concerning cyber security incidents. The VPN companies are supposed to collect and store the user’s name, authenticate the user’s home address and IP address, and collect user usage patterns.
According to the new governing law, if a company fails to meet the Ministry of Electronics and IT’s demands, it could face imprisonment of up to one year. The laws will come into effect 60 days after being issued, i.e., from July 27th onwards. The companies will keep tracking and maintaining user records even after the user has cancelled their subscription or deactivated their account.
Most VPNs these days offer a no-logging policy and full privacy to the customer by not collecting and sharing the user’s data, as they operate on RAM-only servers, meaning the data is stored only temporarily. If the order takes effect, the companies will have to switch to storage servers, which will increase the cost of operating the service.
CERT-In requires companies to report a total of twenty vulnerabilities, including “Unauthorized access to social media accounts,” all of which have varying levels of impact on a company’s services and consequences. Here’s the list of all vulnerabilities:
- Targeted scanning/probing of critical networks/systems.
- Compromise of critical systems/information.
- Unauthorised access of IT systems/data.
- Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious code, links to external websites etc.
- Malicious code attacks such as spreading of virus/worm/Trojan/Bots/Spyware/Ransomware/Cryptominers.
- Attack on servers such as Database, Mail and DNS and network devices such as Routers.
- Identity Theft, spoofing and phishing attacks.
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
- Attacks on Critical infrastructure, SCADA and operational technology systems and Wireless networks.
- Attacks on Application such as E-Governance, E-Commerce etc.
- Data Breach.
- Data Leak.
- Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers.
- Attacks or incident affecting Digital Payment systems.
- Attacks through Malicious mobile Apps.
- Fake mobile Apps.
- Unauthorised access to social media accounts.
- Attacks or malicious/suspicious activities affecting Cloud computing systems/servers/software/applications.
- Attacks or malicious/suspicious activities affecting systems/servers/networks/software/applications related to Big Data, Block chain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones.
- Attacks or malicious/suspicious activities affecting systems/servers/software/applications related to Artificial Intelligence and Machine Learning.