The story so far: The new rules issued by the Indian Computer Emergency Response Team (CERT-In) for Virtual Private Network providers could spell doom for the privacy of Indian internet users. Amidst strong pushback from various corners, the Central government tells the companies to either comply with rules or exit from India.
What are the new rules?
The Union Ministry of Electronics and Information Technology, on April 28 issued new norms for VPN companies to record personal information of their users including names, email id, phone number and IP address for a period of five years. They also have to record usage patterns, purpose of hiring services and various other information.
Apart from VPN companies, data centers, virtual service network providers, cloud service providers have also been asked to record and maintain similar data. In the form of Know Your Customer (KYC), virtual asset service providers, virtual asset exchange providers and custodian wallet providers would also be recording information for the same period along with records of financial transactions.
The directives will take effect the end of June. And if the data is not handed over to the government by then, the entities would face punitive action.
Why has the government issued these rules?
The Centre said these rules will “enhance overall cyber security posture and ensure safe & trusted internet in the country”. It noted that the Indian Computer Emergency Response Team (CERT-In), which serves as a safeguard against cyber attacks, has identified “gaps” in the way it analyses online threats due to which it has issued the new norms for reporting cyber incidents.
CERT-In said non-availability of data hampers analysis and investigation, and added that various stakeholders were consulted before notifying the new rules.
Prior to this notification, the government had expressed concern over VPNs in the country. In 2021, a Parliamentary Standing Committee, in a report to the Rajya Sabha, wanted the Ministry to block VPNs with assistance from internet service providers.
What does this mean for VPN users?
The fundamental USP of a VPN is that it ensures privacy. VPNs basically create a safe and secure connection while using a public network like the internet. In simple terms, they mask your online id which makes it difficult for third parties to track, steal and store your data. VPNs are also used by journalists, activists and whistleblowers for their work.
The tagline of a popular VPN company is “browse like nobody’s watching”. So you can understand how the new rules could be problematic for VPN providers and their customers. Customers will have to go through a stringent KYC process while signing up to use a VPN and will have to state the purpose of using the services. With the new rules the government will basically have access to the personal information of the customers which makes the use of a VPN redundant.
This becomes relevant in the light of the ever-growing number of VPN users in India as the digital presence of the country swells.
How are VPN providers reacting to the norms?
Many VPN providers are mulling the implications of the new rules and some have even threatened to pull back their service from the country.
Replying to a query on Twitter, one of top VPN providers in the world, NordVPN, said “ Our team is investigating the new directive recently passed by the Indian government and exploring the best course of action. There are still at least two months left until the law comes into effect, so right now nothing has changed in the way we operate.” Media houses have reported that Nord might pull out of India in a bid to stay committed to protecting its privacy.
Surfshark told Moneycontrol that, “We are still investigating the new regulations and its implications for us, but the overall aim is to continue providing no-logs services to all of our users.”
In a tweet, reiterating their commitment to no-logs policy, ProtonVPN said, “The new Indian VPN regulations are an assault on privacy and threaten to put citizens under a microscope of surveillance.”
What is the government’s stance?
The Centre doubled down on the new rules issued and defended them as the need of the hour to “ensure stability and resilience of Cyber Space”. On May 18, the Ministry released a Frequently Asked Questions (FAQ) document explaining the nuances of the rules in detail. At a press conference, Rajeev Chandrasekhar, Union Minister of State for Electronics and Information Technology, said there will be no changes to the rules despite pushback from various stakeholders.
He also said the companies will have to comply with the norms, adding that, “If you don’t want to go by these rules, and if you want to pull out, then frankly ... you have to pull out.”
