wordpress blog stats
Connect with us

Hi, what are you looking for?

Do VPN providers have to store web activity logs of users? Yes and No

The government’s clarification has added to the uncertainty.

person connecting to a VPN service

Following the issuance of the cybersecurity directive by the Indian government last month, there have been multiple media reports and Twitter conversations alleging that Virtual Private Network (VPN) providers have to store web activity logs of users to comply with the directive. This goes against the very premise of why customers use VPNs: privacy. But the directive does not explicitly have any such requirement. So, why is this concern floating around?

There’s no clear answer to whether VPN providers have to maintain a log of websites visited by a user, and the recently released FAQs by the Ministry of Electronics and Information Technology (MeitY) also do not clear the air on this issue. But, here are the two sides of the debate.

No, web activity does not have to be logged

The provision in the directive that specifically applies to VPN, cloud service, and data centre providers is the requirement to register the following accurate information about customers for a period of 5 years or longer duration after any cancellation or withdrawal of the registration:

  • Validated names of subscribers or customers hiring the services
  • Period of hire including dates
  • IPs allotted to or being used by the members
  • Email address and IP address and time stamp used at the time of registration
  • The purpose of hiring services
  • Validated address and contact numbers
  • Ownership pattern of the subscribers or customers hiring services

There is no mention of or reference to web activity in this list of items, which is why it seems like an overreading/misreading to make the conclusion that VPN providers must store logs of users’ web activity.

Yes, web activity might have to be logged as well

But, there is another provision in the directive that applies to all companies, including VPN providers, that introduces the confusion: All entities must mandatorily enable logs of all their systems and maintain them securely for a rolling period of 180 days. Now, since there is no list of what logs should be maintained, these logs could be expected to also contain web activity logs of VPN users.

Adding to the uncertainty, the government in its FAQs document provided the following response to the question of what logs need to be stored:

Advertisement. Scroll to continue reading.

The logs that should be maintained depend on the sector that the organisation is in, such as Firewall logs, Intrusion Prevention Systems logs, SIEM logs, web/database/mail/ FTP/Proxy server logs, Event logs of critical systems, Application logs, ATM switch logs, SSH logs, VPN logs etc. It may be noted that this list of logs is not exhaustive but has been mentioned to provide flavour of logs to be maintained by the relevant teams. From the incident response and analysis perspective both successful as well as unsuccessful events shall be recorded.” (emphasis ours)

As noted in the emphasised portions of the response, VPN providers will have to maintain logs specific to their sector and that might include web activity logs, which is also mentioned as an example in the response.

Unless the government updates its FAQs document to clearly specify whether or not web activity logs must be maintained, this ambiguity will continue to exist. VPN providers have, however, clearly stated that they will not change their no-logs policy and will either legally challenge the directive or leave the country.

What is the new cybersecurity directive?

The new cybersecurity directive was issued by the Indian government’s Computer Emergency Response Team (CERT-In) on April 28 and covers aspects related to the timeframe for reporting cybersecurity incidents, synchronisation of system clocks, maintenance of logs, maintenance of KYC and transaction information for crypto exchanges, and maintenance of detailed customer information for VPN, cloud service, data centre providers. Cybersecurity experts, VPN providers, and tech companies have all criticised the directive for a long list of reasons.

Also Read:

Have something to add? Post your comment and gift someone a MediaNama subscription.

Advertisement. Scroll to continue reading.
Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



The Delhi High Court should quash the government's order to block Tanul Thakur's website in light of the Shreya Singhal verdict by the Supreme...


Releasing the policy is akin to putting the proverbial 'cart before the horse'.


The industry's growth is being weighed down by taxation and legal uncertainty.


Due to the scale of regulatory and technical challenges, transparency reporting under the IT Rules has gotten off to a rocky start.


Here are possible reasons why Indians are not generating significant IAP revenues despite our download share crossing 30%.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ