The Indian government recently passed a rule requiring all the VPN service providers to collect and store user data for up to five years, which runs counter to most such networks’ primary mission.
Now the VPN providers are bracing for a battle with the authorities over new regulations that will alter how they operate in India.
The new rule
Titled “Directions under sub-section (6) of section 70B of the Information Technology Act, 2000 relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet”, the new directive from the Indian Computer Emergency Response Team (CERT-In) under the Ministry of Electronics and Information Technology was released on April 28.
According to the government, VPN providers have two months to comply with the laws and begin data collection.
The reason given by CERT-In is that it requires the ability to investigate potential cybercrime, but the VPN companies disagree, with some stating that they will defy the orders.
Cybersecurity expert Sandip Kumar Panda, who is the CEO and Co-Founder of Instasafe, told News18: “While everyone is still waiting for a clear Data Privacy Law in this country, such a quietly issued new directive requiring an array of technology companies to start logging user data is creating more confusion among the service providers.”
Currently, different service providers have different policies and takes on user data, he said. “Some of the biggest VPN companies state they collect only minimal information about their users and also allow for ways for their users to remain largely anonymous. Hence, their internal rules are now set to bring them into a confrontation with the IT ministry,” he explained.
Panda said the list of data points that the government has directed providers to store is quite exhaustive, and storing them for such a long period will be enormously costly for VPN vendors, since they would have to keep the data in the cloud. Moreover, these guidelines would also require them to change their product, which will be a major nuisance for the VPN providers, he added.
According to a report by WIRED, several VPN providers also echoed the same concern regarding the new directive. For example, Harold Li, vice president of ExpressVPN, stated that the company will never log user information or activity, and will change its operations and infrastructure “to preserve this principle if and when necessary”.
Additionally, Surfshark told WIRED that the VPN provider cannot currently comply with India’s logging rules since it uses RAM-only servers that automatically overwrite user-related data, while ProtonVPN stated that even though it is monitoring the directives, it remains committed to its no-logs policy and to protecting the privacy of its users.
Similarly, Nord Security said that it would remove its servers from India if no other options are available. It should be noted that Nord Security is the developer of NordVPN, which is one of the most popular VPN services in India.
How a VPN works
A VPN, or virtual private network, connects a user to the internet in a secure and encrypted manner. It enables users to conceal their browsing history, IP address, and geographical location, as well as their web activities and devices.
For a better understanding of the importance of VPNs, we can take a look at China—where authorities regulate internet usage domestically through a censorship system known as the “Great Firewall”. In that country, expats and native Chinese citizens both use VPN services to securely access blocked websites and mobile apps such as Facebook, Gmail, Google, YouTube, WhatsApp, and Western news media.
Now in India, the new rules regarding such services are causing a major concern.
The industry doesn’t seem satisfied with the directive which says that the VPN providers will need to keep validated client names, their physical addresses, email details, phone numbers and the reason they are using the service, together with the dates they use the service and their ownership pattern.
As per the document released by CERT-In, VPN service providers are also asked to keep a record of the IP addresses and email details users shared while registering for the service, along with the timestamp of registration. They will also be required to keep track of all IP addresses assigned to customers, as well as a list of IP addresses that customers frequently use.
Apart from VPN providers, data centres and cloud service providers will also have to abide by these rules.
However, as reported, noncompliance with these rules, which as per the authorities are necessary from a security point of view, can result in a one-year prison sentence.
Venkatesh Sundar, who is the co-founder and CMO of Indusface, a leading Tata Growth Capital Funded SaaS company, told News 18: “Though the reasons for enforcing this with regard to the VPN service is understandable, I feel the steps are directly conflicting and counterproductive to the very purpose and benefits of VPN for legitimate purposes.”
This step, he said, directly attacks the core benefit the VPN service offers to its users and why users choose to use a VPN service (for their own safety and privacy and not just for illegal activity). “I can see why this has triggered an immediate extreme reaction from VPN providers to quit the country. I personally feel there could have been a better middle ground—that is to make the VPN providers abide by the laws of the countries and policies of restricted sites and not allow them to be able to grant access to services that are banned in the country,” Sundar said.
It is easy to verify whether any VPN service provider is breaking the law, and this would have forced more responsible behaviour from VPN providers, ensuring that while they give the benefit of user privacy, this cannot be used to circumvent laws, as they would have the same country-specific access restrictions in place, he said.
“This could have been a better middle ground instead of what I feel the latest is an extreme step that hits the core of the real value from the VPN service providers for many perfectly legitimate cases and benefits for users to maintain their privacy and safety while doing legal and legitimate things on the internet,” he further stated.