Virtual private network (VPN) service providers are raising concerns over a government order directing them to keep user data for at least five years and share records with authorities if required. Some major VPN companies, including NordVPN, are ready to leave the country if the government does not provide them with room to serve their customers in a private manner. Also, legal advocacy groups are suggesting the government to remove requirements that violate user privacy.
order, which was pass Agency of Ministry of Electronics and Information Technology CERT-In The instructions are applicable from last week and 28 June. vpn Service Providers to protect their users’ data, including valid names, email IDs and IP addresses, for five years or more as “mandated by law” or even after their registration is withdrawn.
It also says that “all service providers” should “compulsory enable logs” of their systems and securely maintain them for a rolling period of 180 days and that “the same shall be maintained in Indian jurisdiction.” The directive prohibits the service providers to provide logs to CERT-In when ordered or directed by the agency.
As per the order, it aims to help in limiting the incidence of cyber crime and cyber security in the country. The government agency said that failure to provide information or non-compliance with the directions may invite “punitive action” under sub-section (7) of section 70B of the IT Act, 2000 and other applicable laws.
However, VPN service providers – as their default model – offer user privacy paramount to attracting customers.
,surfshark We have a strict no-logs policy, which means we don’t collect or share our customer browsing data or any usage information,” Surfshark’s head of legal department, Gatis Malinouskas, said in a statement to Gadgets 360. “In addition, we only work with RAM-only servers, which automatically overwrite user-related data. Thus, at this point in time, even technically, we will not be able to comply with the logging requirements.”
Malinouskas added that Surfshark is still investigating the new rules and its implications, but has no plans to compromise user privacy and aims to continue providing no-logs services to all of its users.
Similar to Surfshark, parent company of Nord Security — NordVPN Presently probing the order passed by CERT-In in a surprise move.
Nord Security head of public relations Laura Tyrelite told Gadgets 360 it was exploring the best course of action and is currently acting as usual with “at least two months left” until the order takes effect.
“We are committed to protecting the privacy of our customers, so we can remove our servers from India if there is no other option left,” Tyrylyte said.
India is one of the biggest markets for VPNs – given the internet censorship in the country which is on the rise and implemented Using a variety of technical methods, including DNS blocking and TCP/IP blocking. In many cases, users have reported restrictions that are limited to certain Internet Service Providers (ISPs), which can be overcome by using a VPN service. 2020 lockdown in the country too resulting in a significant increase VPN services including ExpressVPN,
according to a report good By UK-based VPN review website Top10VPN.com, India has been the second largest market for VPNs globally, with up to 45 percent of its total Internet user base relying on VPNs, as of 2020.
Simon Migliano, head of research at Top10VPN.com, said, “Although India has a significant number of VPN users, few VPN providers have a direct physical presence in the country, which will make it difficult for authorities to enforce the new law.” ,
Service providers like NordVPN have their servers in India description The Panama-headquartered VPN is available on the company’s site.
But even so, Migliano said there will be little impact on customers because they can connect to a VPN service based in another country.
“Overall, it is highly unlikely that any legitimate VPN provider would comply with the CERT-in law because it is not only difficult to enforce, but goes against everything they stand for,” the researcher said.
The order also directs service providers, data centers and organizations report cyber incidents within six hours of their notice to CERT-In. This has been considered a positive step by legal advocacy groups including SFLC.in – given the fact that the country seeing a number Of cyber security issues,
However, technology advocate and SFLC.in founder Mishi Choudhary said the requirements to register VPN users and link identities to IP addresses raised serious privacy concerns and should be removed.
“CERT-In cannot take away the right to use certain devices under the guise of cyber security,” she told Gadgets 360.
Prashant Sugathan, legal director of SFLC.in, said the collection of excessive data about consumers is against the policy of most VPN providers and has resulted in some of them being forced out of the country instead of complying with the “cumbersome provisions” given in the order. Might have to go ,
Legal experts find the directive vague in nature as it does not clearly detail the implications for service providers.
“These directions have come without any public consultation,” said Prateek Waghre, policy director, Internet Freedom Foundation (IFF).
He said the order does not give any clarity on what the rules mean for VPN service providers and their operations in India.
“It is also not clear whether VPN service providers who are not operating Indian IPs will still be liable under the provisions of the directive,” he said, adding that if any of these service providers are employees then the development will certainly Will add a layer of worry. in country.
In recent times, there were restrictions focusing on VPN services suggested by legislators. Telecom operators including Reliance Jio Seen as limiting access For some VPN services. Nevertheless, VPN users in the country have continued to grow so far.