Indian Government Now Wants VPNs To Collect And Turn Over Personal Data On Users

The government of India still claims to be a democracy, but its decade-long assault on the internet and the rights of its citizens suggests it would rather be an autocracy.

The country is already host to one of the largest biometric databases in the world, housing information collected from nearly every one of its 1.2 billion citizens. And it’s going to be expanded, adding even more biometric markers from people arrested and detained.

The government has passed laws shifting liability for third-party content to service providers, as well as requiring them to provide 24/7 assistance to the Indian government for the purpose of removing “illegal” content. Then there are mandates on compelled access — something that would require broken/backdoored encryption. (The Indian government — like others demanding encryption backdoors — refuses to acknowledge this is what it’s seeking.)

In the name of cybersecurity, the Indian government is now seeking to further undermine the privacy of its citizens. The government’s cybersecurity agency is now requiring almost every entity using a computer to give it a heads-up when they’re hacked.

India’s nodal cybersecurity agency, Computer Emergency Response Team (CERT-In), has directed all service providers, intermediaries, data center providers, corporates, and government organizations to report cyber incidents within six hours of their detection.

That’s an ok thing to ask for. The next part, however, isn’t:

The new directions issued by CERT-In also require virtual asset, exchange, and custodian wallet providers to maintain records on KYC and financial transactions for a period of five years. Companies providing cloud, virtual private network (VPN) will also have to register validated names, emails, and IP addresses of subscribers.

Taking the “P” out of “VPN:” that’s the way forward for the Indian government, which has apparently decided to emulate China’s strict control of internet use. And it’s yet another way the Indian government is stripping citizens of their privacy and anonymity. The government of India wants to know everything about its constituents while remaining vague and opaque about its own actions and goals.

CERT-In claims this directive closes gaps that have “hindered incident responses.” It also claims that stripping users of anonymity and privacy will guarantee a “safe and trusted internet” in India. That seems unlikely. It’s not going to make citizens trust their government more. And it’s going to push users to other services located outside of the government’s control that may subject residents to data harvesting by even less trustworthy entities. That’s only going to create more problems and it will do nothing to protect the safety of India’s internet users.

