Virtual private network (VPN) service providers are raising concerns over a government order directing them to keep user data for at least five years and share records with authorities when required. Some of the major VPN companies, including NordVPN, are set to leave the country if the government does not give them room to serve their customers in a private manner. At the same time, legal advocacy groups are suggesting the government remove the requirements that violate user privacy.
The order, which was passed by the Ministry of Electronics and Information Technology's agency CERT-In last week and is coming into force from June 28, directs VPN service providers to preserve data including the validated names, email IDs, and IP addresses of their users for five years or longer "as mandated by the law" even after cancellation or withdrawal of their registration.
It also says that "all service providers" should "mandatorily enable logs" of their systems and maintain them securely for a rolling period of 180 days and the "same shall be maintained within the Indian jurisdiction." The directive requires service providers to provide the logs to CERT-In when ordered or directed by the agency.
According to the order, it aims to help limit cybercrime and cybersecurity incidents in the country. Failing to furnish the information or non-compliance with the directions may invite "punitive action" under sub-section (7) of Section 70B of the IT Act, 2000, and other laws as applicable, the government agency said.
However, VPN service providers — as their default model — offer paramount user privacy to attract customers.
"Surfshark has a strict no-logs policy, which means that we don't collect or share our customer browsing data or any usage information," said Gytis Malinauskas, Head of Legal department at Surfshark, in a statement to Gadgets 360. "Moreover, we operate only with RAM-only servers, which automatically overwrite user-related data. Thus, at this moment, even technically, we would not be able to comply with the logging requirements."
Malinauskas added that Surfshark is still investigating the new regulations and their implications but has no plans to compromise on user privacy and aims to continue providing no-logs services to all of its users.
Similar to Surfshark, Nord Security — the parent company of NordVPN — is currently investigating the order passed by CERT-In in a surprise move.
Laura Tyrylyte, Head of Public Relations at Nord Security, told Gadgets 360 that it was exploring the best course of action and is currently operating as usual as there are still "at least two months left" until the order comes into effect.
"We are committed to protecting the privacy of our customers; therefore, we may remove our servers from India if no other options are left," Tyrylyte said.
ProtonVPN also told Gadgets 360 that it was monitoring the situation and remained committed to its no-logs policy and preserving its users' privacy.
The VPN service provider added, "India's new VPN regulations will erode civil liberties and make it harder for people to protect their data online."
India is one of the biggest markets for VPNs, given the growing Internet censorship in the country, which is implemented using various technical methods, including DNS restrictions and TCP/IP blocking. In many cases, users have reported certain restrictions that are limited to some Internet service providers (ISPs), which can be overcome using a VPN service. The 2020 lockdown in the country also resulted in significant growth for VPN services, including ExpressVPN.
According to a report by UK-based VPN review website Top10VPN.com, India has been the second biggest market for VPNs globally, with as much as 45 percent of its total Internet user base relying on a VPN, as of 2020.
"While there are a huge number of VPN users in India, few VPN providers have a direct physical presence in the country, which will make it hard for authorities to enforce the new legislation," said Simon Migliano, Head of Research at Top10VPN.com.
Service providers such as NordVPN do have their servers in India, per the details available on the Panama-headquartered VPN company's site.
But nonetheless, Migliano said that there would be little impact on customers as they could simply connect to a VPN service based in another country.
"All in all, it seems highly unlikely that any legitimate VPN provider will comply with the CERT-In legislation as it is not only hard to enforce but goes against everything that they stand for," the researcher said.
The order also directs service providers, data centres, and organisations to report cyber incidents to CERT-In within six hours of noticing them. This has been considered a positive move by legal advocacy groups including SFLC.in, given the fact that the country is seeing a number of cybersecurity cases.
However, Mishi Choudhary, Technology Lawyer and Founder of SFLC.in, said that the requirements to register VPN users and linking of identification to IP addresses raised serious privacy concerns and should be removed.
"CERT-In cannot take away the right to use certain tools in the garb of cybersecurity," she told Gadgets 360.
Prasanth Sugathan, Legal Director at SFLC.in, said that collection of excessive data about consumers went against the policy of most VPN providers and might result in some of them exiting the country rather than complying with "the cumbersome provisions" given in the order.
Legal experts find the directive ambiguous, as it does not clearly detail the implications for service providers.
"These directions came without any sort of public consultation," said Prateek Waghre, Policy Director at the Internet Freedom Foundation (IFF).
He added that the order does not give any clarity on what the rules mean for VPN service providers and their operations in India.
"It's also unclear whether the VPN service providers who are not operating an Indian IP will still be liable under the provisions of the directive," he said, adding that the development would certainly add a layer of concern if any of these service providers have employees in the country.
In the recent past, restrictions focussing on VPN services were suggested by legislators. Telecom operators including Reliance Jio were also seen limiting access to some VPN services. Nevertheless, the number of VPN users in the country has continued to grow so far.