Indian government mandates VPN providers to store user logs for up to five years

Back in 2021, the Indian government proposed a law that would ban VPNs in their entirety. Nothing seemingly came of it for a while, but now, a milder, more terrifying version of the bill has resurfaced. It essentially mandates all VPN providers to log and store data generated by Indian users for five years. It rit rings the death knell for "no log" VPN providers, who will now be forced to invest in extra storage servers, lest they lose the ability to do business in India.

The complete directive on can be found on the official CERT (Computer Emergency Response Team) website. It directs providers of virtual private networks, virtual private servers and cloud service providers to keep a log of a plethora of data, including the user's names, IP address/email address used during registration, a verified address/contact number, and a "purpose for hiring service". Providers will be required to hold on to the said data even after users terminate their contract with the company.

Essentially, getting a VPN subscription in India will soon be as cumbersome as getting a SIM card due to the sheer amount of paperwork involved. Entrackr has heard from Nord VPN that it could cease its Indian operations entirely due to the directive. Any provider who refuses to comply with the CERT's directive faces up to a year of imprisonment. It'll be interesting to see how commercial VPN providers respond to this directive.

In the meanwhile, one can always create their own VPN server from scratch. While the process is cumbersome and requires quite a bit of command-line work, there are several excellent tutorials out there that walk you through the process, such as this one on the Linus Tech Tips forum. Do note that it, too, requires a monthly subscription, but that is mostly on par with what one would pay for a VPN anyway.