
How India’s Guidelines For VPN Providers Will Kill User Privacy, Restrict Internet Freedom

SUMMARY

The government’s new directions mandating all VPN providers and a few other entities to collect and hold user data for five years or more have sparked a debate in the cybersecurity community

The government should have ensured a privacy law first and then come up with a law asking different private entities like the VPN service providers to hold public data: Anupam Shukla

The country also has data localisation requirements, which, when combined with these data retention guidelines, raise serious concerns of state-sponsored mass surveillance: Tejasi Panjiar


The Indian government’s new directions mandating all Virtual Private Network (VPN) service providers and a few other entities to collect and hold user data for five years or more have sparked a debate in the cybersecurity community, including lawyers and service providers, on the legality and feasibility of the new rules.

A large number of experts are of the opinion that such a law is not only detrimental to the security of internet users and their internet freedom but is also vague, with the potential to damage the growth of the sector in the country. In fact, a few VPN service providers are already mulling exiting India.

India is one of the largest VPN markets in the world. In fact, in the past few years, VPN usage has grown significantly in the country. VPN installs exploded to a staggering 348.7 Mn in H1 2021, representing a growth of 671% over 2020, as per an Atlas VPN report.

The report said that the increase can be attributed to the rapidly evolving digital ecosystem in the country, as India’s internet user base grew at a rate of 24% each year on average from 2015 through 2020.

According to the Global VPN Usage Report 2020, India was the second-largest market for VPN, with 45% of internet usage happening through VPN, up from 38% in 2018, based on a Statista report.

A few other top VPN service providers in India include Surfshark, NordVPN, ExpressVPN, PureVPN, CyberGhost and IPVanish.

User Privacy Issues With The New Rules

According to Anupam Shukla, Partner at Pioneer Legal, the government should have ensured that the privacy law was enacted before coming up with a regulation requiring private entities like the VPN service providers to store data belonging to private individuals.

In fact, the new rules are not meant for VPN service providers alone.

As per the directions of the Indian Computer Emergency Response Team (CERT-In), which comes under the Ministry of Electronics and Information Technology (MeitY), the law also mandates data centres, Virtual Private Server (VPS) providers and cloud service providers to collect and hold data pertaining to validated names of subscribers/customers hiring the services, period of hire including dates, IPs allotted to/being used by the members, email addresses, IP addresses and time-stamps used at the time of registration/on-boarding and more.

Tejasi Panjiar, Capstone Fellow, Internet Freedom Foundation sees these directions as “very excessive”, especially given the absence of proper oversight mechanisms and a proper data protection framework in the country.

Issues Are Multifold 

Panjiar pointed out a few aspects of the guidelines such as timeframe and the categories of data that have no justification or explanation. According to her, it is not clear how the retention of such personally identifiable information of customers, that too for a time period of five years or more, would help the government in increasing cybersecurity.

“It’s very likely that these guidelines will be misused, while these requirements have the potential to enable mass surveillance, commercial profiling, censorship, and more,” said Panjiar.

She pointed out that many journalists, activists, and whistleblowers use VPNs. 

The country also has data localisation requirements, which, when combined with these data retention guidelines, raise serious concerns about state-sponsored mass surveillance, added Panjiar.

On the other hand, the Covid-19 pandemic-induced remote work has led to an increase in the adoption of VPNs by private companies who use them to secure their sensitive information. 

Panjiar said many companies are of the view that this move by the Indian government would be counterproductive and would seriously impact their Indian businesses using VPN services.

According to her, there is another aspect to this new law — the economic perspective. The new guidelines are also going to hinder many VPN service providers from entering the Indian market, which would be detrimental to the growth trajectory of the industry in India, said Panjiar.

After all, the VPN services are designed to build protected network connections when using public networks.

Foundation Of VPN Is Lost; What Next?

VPN services are used for online privacy and data protection on the internet. The information transferred over VPN servers remains encrypted, helping internet users to secure their confidential information and safeguard their identity. Hence, the new mandate hurts the basic foundation of VPNs, which are built for not holding, collecting, or recording any user data. 

According to Shukla, privacy is a cornerstone for several VPN providers. They charge a premium because they provide a strict no-log policy. Therefore, if these players are asked to store users’ data and record activity, they would rather choose to exit the Indian markets, he added.

In fact, NordVPN has already said that it may exit India. “We are committed to protecting the privacy of our customers therefore, we may remove our servers from India if no other options are left,” Patricija Cerniauskaite, a spokesperson for NordVPN’s parent Nord Security, told an Indian publication last week.

On the other hand, Gytis Malinauskas, head of legal department at Surfshark, said in a statement that the VPN company has a strict no-logs policy, which means that “we don’t collect or share our customer browsing data or any usage information”.

“Moreover, we operate only with RAM-only servers, which automatically overwrite user-related data. Thus at this moment, even technically, we would not be able to comply with the logging requirements. We are still investigating the new regulations and its implications for us, but the overall aim is to continue providing no-logs services to all of our users,” the statement read.

“The people who have drafted this law, in addition to the privacy issues, they have not completely thought through the technological implementation issue as well,” said Shukla, adding that to comply with these guidelines and log such data, the VPN service providers would have to modify the technology, which might be very difficult for some of them.

To make matters worse, the new directions have been issued under Section 70B of the Information Technology Act, 2000, and non-compliance with it can lead to up to a year in jail. 

These companies, headquartered in some foreign land, would be least interested in receiving an arrest warrant from an Indian court, and would rather prefer exiting the country, Shukla said. 

Data Privacy Concerns Are Real 

India currently doesn’t have any exclusive law for data privacy, and most of the decisions are made based on prior Supreme Court judgements.

The Personal Data Protection Bill, 2019, introduced by the government in Lok Sabha in December 2019, is yet to be passed. The Bill was first drafted by a panel led by retired Supreme Court Judge BN Srikrishna in 2017. After being presented in the Lok Sabha by the then Minister of Electronics and Information Technology Ravi Shankar Prasad, it was sent to a Joint Committee of the Parliament.

The Committee submitted its revised Bill only in November 2021, which is yet to be tabled in the Parliament. Meanwhile, efforts are also underway to introduce a new privacy bill that can comprehensively address the requirements of the country’s changing technology landscape.

The Supreme Court in 2017 declared privacy as a fundamental right on the basis of Article 21 of the Indian Constitution. However, the bench also clarified that a person’s fundamental right to privacy could be overridden by competing state and individual interests, or in other words, lawful interception.

Referring to the right to privacy, Shukla said that there needs to be a fairly high threshold of necessity where the government can invade the privacy of an individual. This has to be an exception and not a rule.

“Considering the rise in cyber incidents, it is understandable that the government may want to put in place mechanisms that make redressal of such incidents more effective. However, any action which adversely impacts the privacy of a large number of individuals without a suitably robust data protection mechanism could prove to be a recipe for a disaster,” he added.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.
