VPN companies are preparing for a battle with the Indian government over new rules designed to change the way they operate in the country. On April 28, officials announced that virtual private network companies will be required to collect pieces of customer data — and keep it for five years or more — under a new national directive. VPN providers have two months to comply with the rules and start collecting data.
The rationale offered by the National Computer Emergency Response Team (CERT-In) is that it should be able to investigate potential cybercrimes. But that reasoning has not persuaded VPN providers, some of whom have said they may ignore the requirements. “The Indian government’s latest move to require VPN companies to hand over users’ personal data is a disturbing attempt to infringe on the digital rights of its citizens,” said Harold Li, Vice President of ExpressVPN. He adds that the company will never log user information or activity and that it will adjust its “operations and infrastructure to maintain this principle if and when necessary.”
Other VPN providers are also considering their options. Gytis Malinauskas, Surfshark’s head of legal, says the VPN provider is currently unable to comply with India’s logging requirements because it uses RAM-only servers that automatically overwrite user-related data. “We are still studying the new regulation and its implications for us, but the overall goal is to continue to provide services without registration to all our users,” he says. ProtonVPN is similarly concerned, calling the move an erosion of civil liberties. “ProtonVPN is monitoring the situation, but ultimately we remain committed to our no-logs policy and preserving the privacy of our users,” said spokesperson Matt Fossen. “Our team is studying the new directive and exploring the best course of action,” said Laura Tyrylyte, head of public relations at Nord Security, which develops NordVPN. “We may remove our servers from India if there are no other options left.”
The strong response from VPN providers shows how much is at stake. India has quickly moved away from being a free and open democracy and has begun cracking down on NGOs, journalists and activists, many of whom use VPNs to communicate. Human Rights Watch recently warned that media freedom is under attack in the country, with a number of legal and policy changes threatening the rights of the country’s minority citizens. India has fallen eight places in Reporters Without Borders’ Press Freedom Index over the past year, and is now ranked 150th out of 180 countries worldwide. Authorities have allegedly attacked journalists, fueling nationalist divisions and encouraging harassment of reporters critical of Indian Prime Minister Narendra Modi. By collecting and storing data on all VPN users in India, authorities may find it easier to see who journalists using VPNs are connecting with and why.
Officials in India say the new rules on VPN providers are not part of a data mining drive aimed at further curtailing press freedoms, but rather an attempt to better police cybercrime. India has been affected by a number of significant data breaches in recent years and was the third most affected country in the world in 2021. “Data breaches have become so common in India that they no longer make front-page news like they used to,” says Mishi Choudhary, a technology attorney and founder of the Software Freedom Law Center, a provider of technology legal support services in India. In May 2021 the names, email addresses, locations and phone numbers of more than 1 million Domino’s Pizza customers were stolen and posted online; that same year, the personal information of 110 million users of digital payments platform MobiKwik ended up on the dark web. Now, as major incidents pile up, Indian officials are cracking down on VPNs in an apparent bid to manage the surge in cybercrime.
“CERT-In is required to respond to any cyber security incident,” says Srinivas Kodali, a researcher focusing on digitization in India at the Free Software Movement of India – although he disputes its efficacy in this regard. Having this information should in theory allow CERT-In to more quickly investigate any incidents after the fact. But many don’t believe that’s the whole story. “CERT-In doesn’t really have a clean record and they have never protected the privacy of citizens,” Kodali claimed. “Under the rules, they will only request these logs when they really need them for part of an investigation. But in India you never know how they will be abused.”