When you mandate the mass collection of user data, you don’t build security. You build a target. The CERT-In directive forcing VPN providers and cloud services in India to log user data for five years fundamentally misunderstands infrastructure defense. By demanding the collection of names, IP addresses, and usage patterns, the regulation breaks the core…