Virtual private networks (VPNs) have become the talk of the town in the past few months. The focus on VPNs started in April 2022 when the Indian Computer Emergency Response Team (CERT-In) issued a cybersecurity directive mandating VPN service providers, data centres and cloud service providers to preserve client information such as names, email addresses, phone numbers and internet protocol (IP) addresses (among other things) for a period of five years within the Indian jurisdiction. The directive stirred a huge debate in the industry.

A look at the key developments in this regard…

VPN coverage in India

A VPN creates an encrypted tunnel between the user's device and a server operated by the VPN provider, so that the user's traffic enters the internet from the provider's network rather than the user's own. Websites and other services therefore see the VPN server's IP address instead of the user's, and anyone sitting on the path between the device and the VPN server, such as the operator of a public Wi-Fi network, sees only encrypted traffic. This also lets users reach sites that are blocked on their local network or geo-restricted in their country. One caveat matters for the debate that follows: a VPN does not make the user anonymous to the provider itself, which sees the real IP address and connection times of every client. Whether and for how long the provider records that information is precisely what the CERT-In directive addresses. Many companies in India also use VPNs to give remote staff access to internal networks and to protect their digital assets from attackers.

VPN services have found many takers in India. According to AtlasVPN's global index, India ranks among the top 20 nations in terms of VPN usage, with about 270 million users. A large number of users shifted to VPN services once the work-from-home norm kicked in during the Covid-19 pandemic. During lockdowns, when employees were forced to work from home over unsecured home internet connections, VPN tools became all the more valuable.

The beginning

The government's focus on tightening its stance on VPNs started in September 2021, when the Parliamentary Standing Committee on Home Affairs reportedly proposed banning VPN services in India on cybersecurity grounds. The committee described VPNs as a cyber threat, arguing that they, together with the dark web, allow criminals to bypass the security controls put in place by websites and to remain anonymous online. It therefore proposed regulating the use of VPNs and the dark web, and recommended that the home ministry and the Ministry of Electronics and Information Technology (MeitY) work together to identify and block such VPNs.

The new mandate

Following the committee's proposal, CERT-In released a cybersecurity directive mandating cloud service providers, VPN service providers, data centre companies and virtual private server (VPS) providers to retain users' data for at least five years. Under the directive, these providers must preserve client information such as names, email addresses, phone numbers and IP addresses (among other things) for a period of five years, and must store it within the Indian jurisdiction. On May 12, 2022, CERT-In clarified that the requirement to keep customer logs applies only to providers of VPN services to individual subscribers, not to business or corporate VPNs.

CERT-In's directive also requires all government and private agencies, including internet service providers, social media platforms and data centres, to report cybersecurity incidents to it within six hours of noticing them.

According to MeitY, VPN service providers that are not ready to comply with the new guidelines have only one option: to exit India. MeitY also released a frequently asked questions (FAQ) document explaining the directive and stated that every well-meaning company or entity should understand that a safe and trusted internet will help it.

Later, in June 2022, the government issued cybersecurity guidelines for its employees prohibiting them from using third-party VPN and anonymisation services.

Impact on stakeholders

CERT-In's new mandate will affect a number of companies and users of VPN services in India. Because VPN services encrypt users' traffic and hide their IP addresses from the sites they visit, they are widely used to reduce exposure on untrusted networks; on public Wi-Fi, for instance, a VPN prevents the network operator or other users on the same network from reading or tampering with traffic. The mandate therefore has a major impact on companies and individuals who use VPNs regularly and for entirely legitimate purposes.

Further, some VPN companies argued that the new rule may itself create security weaknesses, since a mandatory five-year store of subscriber identities and IP addresses is an attractive target for attackers. US-based technology industry body ITI, whose members include global tech firms such as Google, Facebook, IBM and Cisco, had also sought a revision of the government's directive on reporting of cybersecurity breach incidents. ITI said that the provisions of the new mandate may adversely affect organisations and undermine cybersecurity in the country.

ITI also raised concerns over the mandatory reporting of breach incidents within six hours of noticing them, the requirement to enable logs of all ICT systems and maintain them within the Indian jurisdiction for 180 days, the overbroad definition of reportable incidents, and the requirement that companies synchronise their system clocks with the time servers of Indian government entities.

However, the new regulations do not prohibit the use of VPNs in India. The government has imposed some limitations on users and increased compliance requirements for VPN providers in order to combat cybercrime and protect national security. Once the directive comes into effect, Indian VPN users may face a stricter know-your-customer verification process when signing up for a VPN service.

VPN players’ plan of action

After CERT-In's directive, a number of world-renowned VPN service providers operating in India have declared that they will pull their servers out of India. These include NordVPN, Surfshark and ExpressVPN.

According to NordVPN, the company follows stringent privacy standards, which means that it does not collect or store client data. Further, its server architecture is built around a no-logs policy and it is dedicated to safeguarding its customers' privacy. As a result, the company decided to no longer maintain servers in India and announced that it would shut them down on June 26, 2022, stating that it would otherwise be unable to guarantee privacy to its users. However, NordVPN has launched a new feature called Meshnet that allows users to connect directly to other devices instead of routing their traffic through a VPN server.

Further, ExpressVPN stated that the CERT-In directive was incompatible with the objective of VPNs, which are supposed to keep users' online behaviour private. Meanwhile, Surfshark stated that it operates under a rigorous no-logs policy and that the directive runs against the core ethos of the company. It plans to shut down its physical servers in India before the new rules take effect.

Global scenario

The need to regulate VPN service providers has also been driven by similar moves being undertaken across the globe. Russia banned several VPN services in 2021. Further, countries such as China, Belarus, Iraq, North Korea, Oman and the United Arab Emirates prohibit the use of VPNs.

Meanwhile, the European Union (EU), the UK and the USA are among the jurisdictions that do not have laws prohibiting the use of VPNs. However, the UK's Investigatory Powers Act 2016 does give UK intelligence services the authority to acquire communications data in bulk. Similarly, the EU and the USA have provisions under which authorities can obtain communications data and prosecute users in certain circumstances involving national security, and law and order.

Recently, US lawmakers asked the Federal Trade Commission (FTC) to address deceptive data practices followed by numerous VPN service providers in the country.

Moving ahead

On the whole, the CERT-In directive has created a huge stir in the VPN market. Following resistance from leading VPN providers, the government has extended the deadline for compliance with the new guidelines to September 25, 2022. The near 60-day extension has been granted to micro, small and medium enterprises, data centres, VPN and VPS providers, and cloud service providers. According to MeitY, the move is meant to allow these entities to build the capacity required to implement the new guidelines.

The extension of the deadline comes as a much-needed breather for VPN and other stakeholders. This will allow both the government and VPN, VPS and other service providers to devise a mutually agreeable framework that takes into account the needs of VPN providers while meeting the government's objective of addressing cybersecurity concerns.

Kuhu Singh Abbhi