Virtual private networks (VPN) have become the talk of the town in the past few months. The focus on VPN started in April 2022 when the Indian Computer Emergency Response Team (CERT-In) issued a cybersecurity directive mandating VPN service providers, data centres and cloud service providers to preserve client information such as names, email addresses, phone numbers and internet protocol (IP) addresses (among other things) for a period of five years within the Indian jurisdiction. The directive stirred a huge debate in the industry.
A look at the key developments in this regard…
VPN coverage in India
A VPN is an internet tool that is used to create a private network. It encrypts data while the user is online and hides the user’s IP address. It lets users access sites that are blocked. Additionally, the service keeps users’ online identities anonymous even when they are using public Wi-Fi networks. Most companies in India utilise VPN services to protect their networks and digital assets from hackers. A VPN also helps bypass regional restrictions imposed by websites or reach content unavailable in the user’s country.
VPN services have found many takers in India. According to AtlasVPN’s global index, India ranks among the top 20 nations in terms of VPN usage with about 270 million users. In fact, a large number of users shifted to VPN services ever since the work-from-home norm kicked in post the Covid-19 pandemic. During lockdown, when employees were forced to work from home using their unsecured home internet connections, VPN tools became all the more valuable.
The beginning
The government’s focus on tightening its stance on VPNs started in September 2021 when the Parliamentary Standing Committee on Home Affairs reportedly proposed banning VPN services in India due to cybersecurity concerns. The committee labelled VPNs as cyberthreats that allow the dark web to bypass the cybersecurity set-ups of websites. Therefore, the committee proposed the regulation of VPN use and the dark web. As per the panel, dark web technology and VPN services allow criminals to bypass cybersecurity measures and remain anonymous online. Moreover, the panel recommended that the home ministry and the Ministry of Electronics and Information Technology (MeitY) work together to identify and block such VPNs.
The new mandate
Following the committee’s proposal, CERT-In released a cybersecurity directive mandating cloud service providers, VPN service providers, data centre companies and virtual private server (VPS) providers to store users’ data for at least five years. According to the new directive, VPN service providers, as well as data centres and cloud service providers, must preserve client information such as names, email addresses, phone numbers and IP addresses (among other things) for a period of five years within the Indian jurisdiction. On May 12, 2022, CERT-In emphasised that the restrictions for keeping customer logs would only apply to individual VPN clients, not business or corporate VPNs.
CERT-In’s directive also states that all government and private agencies, including internet service providers, social media platforms and data centres, must mandatorily report cybersecurity breach incidents to it within six hours of noticing them.
According to MeitY, VPN service providers that are not ready to comply with the new guidelines have no option but to exit India. MeitY also released a frequently asked questions (FAQ) list to clarify the new directive and stated that every well-meaning company or entity should understand that a safe and trusted internet is going to help it.
Later, in June 2022, the government issued cybersecurity guidelines for its employees prohibiting them from using third-party VPN and anonymisation services.
Impact on stakeholders
CERT-In’s new mandate will impact a number of companies and users of VPN services in India. Since VPN services encrypt users’ data and hide IP addresses, they help a lot of people stay safe on the internet. This comes in handy while using public Wi-Fi networks, as it helps avoid hacks and data theft. Therefore, the new mandate would have a major impact on companies and users who utilise VPNs regularly and not maliciously.
Further, some VPN companies claimed that the new rule may create cybersecurity loopholes in the system. US-based technology industry body ITI, whose members comprise global tech firms such as Google, Facebook, IBM and Cisco, had also sought a revision of the government’s directive on the reporting of cybersecurity breach incidents. ITI said that the provisions under the new mandate may adversely impact organisations and undermine cybersecurity in the country.
ITI also raised concerns over the mandatory reporting of breach incidents within six hours of noticing them, the requirement to enable logs of all ICT systems and maintain them within the Indian jurisdiction for 180 days, the overbroad definition of reportable incidents and the requirement that companies connect to the servers of Indian government entities.
However, the new regulations do not prohibit the use of VPNs in India. The government has imposed some limitations on users and increased compliance requirements for VPN providers to combat cybercrime and protect national security. After the new legislation comes into effect, Indian VPN users may face a stringent know-your-customer verification process when signing up for a VPN service.
VPN players’ plan of action
After CERT-In’s directive, a number of world-renowned VPN service providers operating in India have declared that they will be pulling their servers out of India. These include companies such as NordVPN, Surfshark and ExpressVPN.
According to NordVPN, the company follows stringent privacy standards, which means that it does not collect or store client data. Further, its server architecture includes no-logging capabilities and it is dedicated to safeguarding its customers’ privacy. As a result, the company decided to no longer maintain servers in India and announced that it would close its servers on June 26, 2022, stating that it would be unable to guarantee privacy to users. However, NordVPN has launched a new feature called Meshnet that allows users to connect directly to other devices instead of routing their traffic through a VPN server.
Further, ExpressVPN stated that the CERT-In directive was incompatible with the objective of VPNs, which are supposed to keep users’ online behaviour private. Meanwhile, Surfshark stated that it works under a rigorous no-logs policy and that the directive runs against the core ethos of the company. It plans to shut down its physical servers in India before the new law takes effect.
Global scenario
The need to regulate VPN service providers has also been driven by similar moves being undertaken across the globe. Russia had banned several VPN services in 2021. Further, countries such as China, Belarus, Iraq, North Korea, Oman and the United Arab Emirates prohibit the use of VPNs.
Meanwhile, the European Union (EU), the UK and the USA are some regions that do not have laws prohibiting the use of VPNs. However, the UK’s Investigatory Powers Act 2016 does give UK intelligence services the authority to acquire communications data in bulk. Similarly, the EU and the USA have provisions for prosecution by the government in certain circumstances involving national security, and law and order.
Recently, US lawmakers asked the Federal Trade Commission (FTC) to address deceptive data practices being followed by numerous VPN service providers in the region.
Moving ahead
Net net, the CERT-In directive has created a huge stir in the VPN market. Following the resistance from leading VPN providers, the government has now extended the deadline for compliance with the new guidelines to September 25, 2022. The nearly 60-day extension has been provided to micro, small and medium enterprises, data centres, VPN and VPS providers, and cloud service providers. According to MeitY, the move has been undertaken to allow these entities to build the capacity required for implementing the new guidelines.
The extension of the deadline comes as a much-needed breather for VPN and other stakeholders. This will allow both the government as well as VPN, VPS and other service providers to devise a mutually agreeable framework that takes into account the needs of VPN providers while meeting the government’s objective of addressing cybersecurity concerns.
Kuhu Singh Abbhi