Recently, the Indian Computer Emergency Response Team (CERT-In) published a new directive that requires Virtual Private Network (VPN) providers to store user data for five years.

VPNs conceal a person’s internet usage by bouncing the signal off multiple servers. A log of these servers can easily lead law enforcement agencies back to the original user.

VPN providers will be required to retain validated customer names, their physical addresses, email IDs, phone numbers, and the reason they are using the service, along with the dates they use it and their “ownership pattern”. Most importantly, however, VPN providers will have to store all IP addresses issued to a customer and a list of IP addresses that their customers generally use.

In addition, CERT-In is asking VPN providers to keep a record of the IP and email addresses that the customer uses to register for the service, along with the timestamp of registration.

Because such logs can lead back to the user, most top VPN operators provide a “no logging” service, at least for paying users. This means they do not keep logs of the user’s usage history or the IP addresses of the servers involved. Such services could violate CERT-In’s rules simply by operating in India.

However, ‘no logs’ does not mean zero logs. VPN services still need to maintain some logs to run their service efficiently.