Listen to this story
“VPN service providers that do not adhere to the latest cyber-security guidelines issued by the Indian Computer Emergency Response Team are ‘free to leave India’ if they do not comply with the rules”, Minister of State for Electronics and Information Technology Rajeev Chandrasekhar said recently. For those not heavily invested in cybersecurity news, this is Chandrasekhar’s retaliation to the backlash against the CERT-In’s new rules for VPN providers. CERT-In issued guidelines that mandate all VPN companies to store user data for up to five years. Even if the user has deleted the VPN account, this data has to be maintained.
VPN companies will need to maintain validated names of customers using such services, period of hire, including dates, IPs allotted to or being used by the members, e-mail addresses, IP addresses and time stamp used at the time of registration or on-boarding, the purpose for hiring services, etc. Companies will also be required to report cybersecurity incidents to CERT-In within six hours of becoming aware of them. The new rules will come into effect in late June.
Last week, Economic Times reported that CERT-In issued some clarifications to the rules, saying they would apply only to individual VPN customers and not to enterprise or corporate VPNs.
(Read the full document by the government here).
Government is not backing down
While releasing the FAQs for this directive recently, Chandrasekhar did not mince his words. He clearly stated that if a VPN provider wants to hide and not reveal those who use VPN to do business, they can leave the country. That is the only option available.
This is not the first time that the Indian government has tried to curb the problems that can crop up with VPNs. As per a report by Medianama, last year, a plea from a Parliamentary Standing Committee asked the government to block virtual private networks in the country. According to the panel, VPNs are a technological challenge, and criminals use them to remain anonymous online. It also asked the Ministry of Home Affairs to coordinate with the Ministry of Electronics and Information Technology to use the help of internet service providers (ISPs) to ban VPN services in India.
What’s the big deal about VPNs?
A VPN can hide your online identity and make it difficult for third parties to track your activities online and steal data. Essentially, a VPN allows the network to “redirect it through a specially configured remote server run by a VPN host. If you surf online with a VPN, the VPN server becomes the source of your data,” says Kaspersky. Your internet service provider cannot keep track of which sites you are clicking and visiting.
VPN providers are pissed
The reactions from VPN providers have obviously not been positive. As per a report by Economic times, Laura Tyrylyte, head of public relations at Nord Security, said that the company is investigating the new directive recently passed by the Indian government and exploring the best course of action. There is still some time for the law to come into effect. She even went on to say that the company may remove their servers from India if no other options are left.
The same report revealed that Surfshark said that its technology does not allow users to log in user’s information. “We don’t collect or share our customer browsing data or any usage information,” said Gytis Malinauskas, head of the company’s legal department.
Yegor Sak, founder of Canada-based VPN company Windscribe, told MoneyControl that Windscribe does not collect or store the origin country of any customer. The company has no idea where a person is from when they use the firm’s service. Rajeev Chandrasekhar’s requirements are impossible to implement, Yegor added.
India often features at the top of VPN markets
A Surfshark 2022 report shows India has the biggest VPN market, followed by China and Indonesia. The US and Brazil take the fourth and fifth positions, respectively. The global VPN market was valued at USD 25.41 billion in 2019 and is projected to reach USD 75.59 billion by 2027, as per a report.
Surfshark also says that the interest in VPNs peaked twice in the last two decades – in 2004 and 2019 (if we look at Google search volumes).
Image: Global VPN Adoption Index | Atlas VPN
Countries and their VPN status
In the US, using a VPN is completely legal. Obviously, if VPNs are used for non-legal online activities, like accessing child pornography, cybercrimes, accessing the dark web, etc., it will attract strict punishment.
This has been an area of interest and debate for quite some time now.
Even though VPNs are technically legal in China, their use is heavily restricted, and most VPN services are blocked. The government licenses only VPN providers that comply with its stringent terms of service. Besides, the government frequently bans unlicensed VPNs.
In 2017, Russia came down heavily on the use of VPNs and banned them.
It was aimed at VPN providers who denied submitting data to the Russian government. A wave of bans came in 2021 as well. As per the Moscow Times, Russia’s communications regulator Roskomnadzor said that it had blocked access to some of the world’s largest VPN providers, which include Nord VPN and Express VPN, following an investigation.