VPN Services: UnCERT-in times for VPN services providers in India

[ad_1]

Users of virtual private networks (VPNs) in India face disruptions, with providers such as Surfshark and NordVPN saying they are unlikely to be able to adhere to a new security directive from the government due to privacy policy concerns. India has more than 270 million VPN users, who use them to access company networks securely, remain anonymous, access geo-restricted content, stay safe on public Wi-Fi networks and get around internet restrictions among other things.

The directive from Indian Computer Emergency Response Team (CERT-In), India’s top cybersecurity agency, is set to take effect at the end of June. That mandates VPN services, among others, to maintain the personal data of users for five years or longer and hand them over to the government when asked or face punitive action.

House Panel Had Sought Ban

The move, aimed at preventing cybersecurity breaches, may end up making VPN services illegal in India if providers don’t comply. The parliamentary standing committee of home affairs had called for a ban on VPNs last year, citing threats.

Top VPN companies told ET that logging sensitive user data would go against the nature of their services, which are designed to protect user privacy. Netherlands based-Surfshark, a popular VPN service in India, said that it doesn’t even have the technical means to comply with the order.

“We operate only with RAM-only servers, which means that at this moment, even technically, we would not be able to comply with the logging requirements,” Gytis Malinauskas, Surfshark’s legal head, told ET.

NordVPN, based in Panama, said it’s currently operating as usual but may have to reassess the situation if and when the order goes into effect two months from now.

“We are committed to protecting the privacy of our customers, therefore, we may remove our servers from India if no other options are left,” said Laura Tyrylyte, NordVPN’s security spokesperson, told ET.

ExpressVPN, registered in the British Virgin Islands and another popular VPN service that claims to bypass even China’s strict Great Firewall, said it’s aware of the directive and is monitoring developments.

“VPNs are critical for user safety and the preservation of user’s right to online privacy and are fundamentally opposed to any efforts to undermine such technologies,” ExpressVPN said in a statement to ET.

The company states in its privacy policy that it does not “collect logs of your activity, including no logging of browsing history, traffic destination, data content, or DNS queries. We also never store connection logs, meaning no logs of your IP address, your outgoing VPN IP address, connection timestamp, or session duration.”

Experts say services such as NordVPN, Surfshark, ExpressVPN and the like pride themselves on no-logs systems that assure users of privacy, going as far as getting themselves audited by firms like PwC to confirm compliance with their privacy policies.

Some VPN providers also said they are governed by laws of the countries they are based in and may not necessarily come under the jurisdiction of Indian laws.

“We are operating under the jurisdiction of the Netherlands, and there are no laws requiring us to log user activity,” Surfshark said. Similarly, ExpressVPN said it’s governed by laws of the British Virgin Islands, which too doesn’t require VPN services to maintain user logs.

The VPN user base in India has been surging over the past two years, owing to a rise in remote working due to the pandemic.

VPN penetration in India in 2021 spiked to 20% of the population, from a mere 3.28% in 2020, according to an adoption tracker maintained by AtlasVPN. The tracker shows India had more than 270 million VPN users, up from just 45 million in 2020, spurred by increasing adoption of remote working models by firms that require connecting to internal servers using encrypted tunnels. India ranked 20th in the index.

Frequent internet shutdowns by the government have also spurred VPN growth, experts said. The government blacked out internet services 106 times in 2021, according to a report by Access Now, a tech policy think tank.

While the new directive does not impact access to geo-restricted content using VPNs, it is definitely going to pose a roadblock in staying anonymous, said Soutrik Gupta, lead network engineer at network solutions firm Kloudspot Inc.

“It brings using VPN and using internet without VPN at the same level since it’s either the internet service provider (ISP) who is going to track my usage data, or the VPN provider if the order comes into effect,” Gupta said.

The CERT-In order also mandates companies to disclose cybersecurity incidents within six hours of discovery. This has drawn flak from industry bodies.

ET reported May 9 that cybersecurity agency, the Information Technology Industry (ITI) Council, has written to CERT-In head Sanjay Bahl, asking for a delay in implementing the directive and to invite wider stakeholder consultation, including a detailed technical discussion on the matter.

[ad_2]

Source link

https://businesstantra.in/folder