Companies are also required to report cybersecurity incidents to CERT-In within six hours of becoming aware of them.
On May 12 we reported that CERT-In issued some clarifications to the rules, saying they would apply only to individual VPN customers and not to enterprise or corporate VPNs.
Set to go into effect at the end of June, the rules have triggered privacy concerns, and many top VPN providers have threatened to leave the country if forced to comply.
But what is a VPN, and how will the new rules affect you?
What is a VPN?
A VPN is a service that protects users online by preventing their IP address from being tracked by websites, law enforcement agencies, cybercriminals and others. Corporate employees are the most frequent VPN users, mainly for securely accessing company networks.
How will the new rules affect VPN companies and users?
With the new rules, VPN companies will be forced to switch to storage servers, which will inflate their costs and eliminate their core function — user privacy.
Failure to follow the rules will attract penalties for VPN providers. If they all refuse to comply, VPN services will effectively become illegal in India.
Users, apart from potentially having their private data exposed to the government (not to mention hackers), will also face a stringent know-your-customer (KYC) verification process when signing up for a VPN service, and will have to state their reasons for using it.
What has the reaction been?
Top VPN providers NordVPN and Netherlands-based Surfshark have refused to comply with the government order so far, with Nord suggesting it might leave the country.
“At the moment, our team is investigating the new directive recently passed by the Indian government and exploring the best course of action. As there are still at least two months left until the law comes into effect, we are currently operating as usual. We are committed to protecting the privacy of our customers, therefore, we may remove our servers from India if no other options are left,” said Laura Tyrylyte, head of public relations at Nord Security.
Surfshark claimed its technology does not allow the logging of users’ information. “Surfshark has a strict no-logs policy, which means that we don’t collect or share our customer browsing data or any usage information,” said Gytis Malinauskas, head of the company’s legal department.
CERT-In, for its part, said the “right to informational privacy of individuals” is not affected by these rules, since the agency does not envisage seeking information “on continuing basis” and expects to do so only in case of cybersecurity incidents.
However, the obligation to report cybersecurity incidents to CERT-In overrides any “contractual obligation of not disclosing any details with the customer,” the agency noted.
Industry experts have said there is a need for wider consultations on the issue.
What’s at stake?
India has over 270 million VPN users, about 20% of the country’s population, who use them to access company networks securely, remain anonymous, access geo-restricted content, stay safe on public Wi-Fi networks, and get around internet curbs, among other things. The CERT-In mandate could render VPN services illegal in India if providers don’t comply with it, but corporate VPNs will remain unaffected.
Which countries have banned VPNs?
Currently, a handful of governments either regulate or outright ban VPNs. These include China, Belarus, Iraq, North Korea, Oman, Russia, and the UAE. Other countries have internet censorship laws, which make using a VPN risky.