In an attempt to curb cybercrime, the Indian government is enacting a new policy that’ll require VPN companies to collect and turn over user data, including the IP addresses assigned to customers.

The body(Computer Emergency Response Team, known as CERT-in), under the country's Ministry of Electronics and IT, announced Thursday that VPNs in the country will have to keep customer names, validated physical and IP addresses, usage patterns and other forms of personally identifiable information. As first reported by Entrackr, those who don't comply could potentially face up to a year in prison under the governing law cited in the new directive.

“During the course of handling cyber incidents and interactions with the constituency, CERT-In has identified certain gaps causing hindrance in incident analysis,” India’s government official said in adopting the new policy last week.

Such data could assist India with exposing cybercriminals who use VPNs for malicious activities. Yet, it likewise gambles with compromising the privacy of the users on the VPN services, including what websites they've been visiting.  As a result, the new policy threatens to undermine a key selling point of using a VPN, which is often promoted as a tool to protect your digital privacy.

India's approach likewise requires a wide scope of internet providers, including ISPs and data centres, to maintain logs of all their systems over a rolling 180-day period. Furthermore, digital currency trades should keep up with all their transactions and customer records for 5 years.

CERT-in will reportedly require companies to report a total of twenty vulnerabilities including unauthorised access to social media accounts, IT systems, attacks on servers and more. Check a full list of the twenty vulnerabilities below.

1. Targeted scanning/probing of critical networks/systems.

2. Compromise of critical systems/information.

3. Unauthorised access to IT systems/data.

4. Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious code, links to external websites etc.

5. Malicious code attacks such as spreading of viruses/worms/Trojan/Bots/Spyware/Ransomware/Cryptominers.

6. Attack on servers such as Database, Mail and DNS and network devices such as Routers.

7. Identity Theft, spoofing and phishing attacks,

8. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.

9. Attacks on Critical Infrastructure, SCADA and operational technology systems and Wireless networks.

10. Attacks on Applications such as E-Governance, E-Commerce etc.

11. Data Breach.

12. Data Leak.

13. Attacks on Internet of Things (IoT) devices and associated systems, networks, software, and servers.

14. Attacks or incidents affecting Digital Payment systems.

15. Attacks through Malicious mobile Apps.

16. Fake mobile Apps.

17. Unauthorised access to social media accounts.

18. Attacks or malicious/ suspicious activities affecting Cloud computing systems/servers/software/applications.

19. Attacks or malicious/suspicious activities affecting systems/ servers/ networks/ software/ applications related to Big Data, Blockchain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones.

20. Attacks or malicious/ suspicious activities affecting systems/ servers/software/ applications related to Artificial Intelligence and Machine Learning.