India Orders VPN Companies to Collect and Hand Over User Data

A new government order will force virtual private networks to store user data for five years or longer.

Rae Hodge Former senior editor
Rae Hodge was a senior editor at CNET. She led CNET's coverage of privacy and cybersecurity tools from July 2019 to January 2023. As a data-driven investigative journalist on the software and services team, she reviewed VPNs, password managers, antivirus software, anti-surveillance methods and ethics in tech. Prior to joining CNET in 2019, Rae spent nearly a decade covering politics and protests for the AP, NPR, the BBC and other local and international outlets.

In India, virtual private network companies will be required to collect extensive customer data -- and retain it for five years or more -- under a new national directive from the country's Computer Emergency Response Team, known as CERT-In. The policy will likely make life more difficult for both VPN companies and VPN users there.

The body, which sits under the country's Ministry of Electronics and IT, announced on April 28 that VPNs in the country will have to keep customer names, validated physical and IP addresses, usage patterns and other forms of personally identifiable information. As first reported by Entrackr, those who don't comply could face up to a year in prison under the governing law cited in the new directive.

The directive isn't limited to VPN providers. Data centers and cloud service providers are listed under the same provision. The companies will have to keep customer information even after a customer has canceled their subscription or account. And in all cases, CERT-In will require the companies to report on their users' "unauthorized access to social media accounts."


Most VPNs offer a no-logging policy, a public promise against logging, collecting or sharing customer usage and browsing data. Leading services such as ExpressVPN and Surfshark run only on RAM-only (diskless) servers and other log-less infrastructure, meaning those VPNs would in theory be incapable of retaining the records the directive calls for. If VPNs in India are required under the new directive to keep customer registration data -- or to monitor and report social media usage -- many could run afoul of the law simply by continuing to operate.

India has a history of applying a heavy hand to online activity.

In April, India banned 22 YouTube channels. In 2021, Facebook, Google and Twitter ended a tense standoff with the Indian government when they largely complied with the government's expanded control over social media content in the country. In 2020, the country banned over 200 Chinese apps, including TikTok, and ultimately banned 9,849 social media URLs.

The digital rights advocacy group Access Now reported last month that government-imposed internet shutdowns and disruptions in India accounted for 106 of a global total of 182 such actions, or nearly 60%. The directive also follows notable spikes in VPN demand in India, where the independent research firm Top10VPN estimates shutdowns affected 59.1 million users in 2021.

The Ministry of Electronics and IT said in a release Saturday that the new directive is intended to help it deal with "certain gaps" that hinder it from responding to unspecified "cyber incidents and interactions with the constituency."  

Under the ministry's full directive, VPN companies will be required to collect and report the following information: 

  • Validated customer names, physical address, email address and phone numbers.
  • The reason each customer is using the service, the dates they use it and their "ownership pattern."
  • The IP address and email address used by a customer to register for the service, along with a registration time stamp.
  • All IP addresses issued to a customer by the VPN, along with a list of the IP addresses in use by its customer base generally.


British Virgin Islands-based PureVPN, which touts 3 million users globally, said the new directive could impact the company's position in India. 

"We're quite astonished at this policy move by the world's largest democracy which is on the brink of becoming the world's largest police state. We are reaching out to Indian authorities and reviewing the policy guidelines to assess what it means for foreign companies serving users in India. PureVPN is a no-log VPN. User anonymity and security is a central priority, but if that is compromised by this policy then we will have to consider our position in India," PureVPN CEO Uzair Gadit told CNET in a May 5 email. 

Gadit said that though the new directive asks VPN companies to store their customers' data for at least five years, PureVPN stores no personally identifiable information.

"Nor does it record or store user activity. So this presents a significant risk for our users. More widely, this will impact the wider VPN industry," Gadit said.

The ministry's full directive is slated to take effect on June 27, though the government may delay implementation to allow time for wider compliance. 

First published May 2, updated on May 5 to include comment from PureVPN CEO Uzair Gadit.