VPN companies are arguing with the Indian government over new rules designed to change the way it operates in the country. On April 28, officials announced that virtual private network companies would be required to collect a lot of customer data — and maintain it for five years or more — under a new national directive. VPN providers have two months to comply with the rules and start collecting data.
The justification from the country’s Computer Emergency Response Team (CERT-In) is that it needs to be able to investigate potential cybercrime. But that doesn’t work with VPN providers, some of whom have said they can ignore requests. Harold Li, vice president of ExpressVPN, said: “This latest move by the Indian government to require VPN companies to hand over users’ personal data represents a disturbing attempt to infringe on technical rights. digital assets of its citizens,” said Harold Li, vice president of ExpressVPN. He added that the company will never record user information or activities, and that it will adjust “its operations and infrastructure to uphold this principle if and when necessary.”
Other VPN providers are also looking at their options. Gytis Malinauskas, Surfshark’s head of legal, said the VPN provider is currently unable to comply with India’s logging requirements because it uses a RAM-only server that automatically overwrites associated data. regarding users. “We are still investigating the new regulation and its impact on us, but the overall aim is to continue to provide a no-logs service to all our users,” he said. ProtonVPN is similarly concerned, calling the move an erosion of civil liberties. Spokesman Matt Fossen said: “ProtonVPN is monitoring the situation, but ultimately we remain committed to a no-logs policy and protecting user privacy. “Our team is investigating the new directive and discovering the best course of action,” said Laura Tyrylyte, head of public relations at Nord Security, the company that developed Nord VPN. “We may remove our servers from India if there are no other options.”
The tough response from VPN providers shows how much money is at stake. India has rapidly moved away from free and open democracy, and has launched crackdowns on NGOs, journalists and activists, many of whom use VPNs to communicate. lost. Human Rights Watch recent warning that media freedom is under attack in the country, with a number of law and policy changes threatening the rights of minority citizens in the country. India fell eight steps in Reporters Without Borders’ Press Freedom Index last year and now ranks 150th out of 180 countries worldwide. Authorities are accused of targeting journalists, inciting nationalist divisions and encouraging harassment of reporters critical of Indian prime minister Narendra Modi. By collecting and storing data on all VPN users in India, authorities may find it easier to see who journalists using VPNs are contacting and why.
Officials in India have stated that the new rules for VPN providers are not part of a data grab aimed at further inhibiting press freedom, but an attempt to improve police cybercrime. India has been affected by a number of significant data breaches in recent years and is third most affected “Data breaches have become commonplace in India,” said Mishi Choudhary, a technology lawyer and founder of the Software Freedom Law Center, a technology legal aid service provider. To the point where they don’t even put it on the front page anymore.” in India. In May 2021, the names, email addresses, locations and phone numbers of more than 1 million Domino’s Pizza customers were stolen and posted online; in the same year, the personal information of 110 million users of the MobiKwik digital payment platform ended up on the dark web. Now, as major incidents pile up, Indian officials are monitoring VPNs in an apparent attempt to dominate the cybercrime wave.
“CERT-In has an obligation to respond to any cybersecurity incident,” said Srinivas Kodali, a researcher focusing on digitization in India from the Free Software Movement of India. Theoretically, having this information would allow CERT-In to investigate any incident after the fact more quickly. But many people don’t believe that’s the whole story. “CERT-In doesn’t really have a clean past and they have never really protected the privacy of citizens,” stated Kodali. “According to the rules, they will only ask for these logs when they really need them for part of the investigation. But in India, you never know how they will be abused.”
