Over the past few years, the use of virtual private networks (VPNs) to access the internet has ballooned in India. According to a report by AtlasVPN, the number of VPN users grew by almost seven times during the first half of 2021, and continued to grow in the second half.
While many users rely on VPNs professionally, to connect to secure company servers, others use them to access blocked websites and apps on their devices. There is also a growing number of users, including journalists and activists, who use VPNs to encrypt their internet usage and protect their data from snooping eyes.
However, the latest directives by the Indian government are expected to put a serious dent in VPN usage - especially for those using it to strengthen their online privacy.
What Do The New Directives State?
As per the new directives, which were issued by the Indian Computer Emergency Response Team (CERT-In, part of the Ministry of Electronics and Information Technology of the Government of India) on April 28, 2022, VPN service providers will need to store validated names of customers, their addresses - physical and email, phone numbers, dates of VPN usage, along with the reason for using a VPN. The directives also instruct VPN service providers to store the 'ownership pattern'.
Furthermore, the directives instruct VPN providers to store all the IP addresses that have been issued to a client, along with the IP addresses the client uses on a usual basis. All of this information is to be stored for a period of five years.
VPN service providers have another two months to start complying with the new directives.
According to CERT-In, the new directives were issued in the interest of cybersecurity, to allow speedier responses to cybersecurity issues.
What Are The Issues With The New Directives?
Prateek Waghre, Policy Director at Internet Freedom Foundation, feels that the directives have been worded vaguely, causing confusion among many VPN providers as to what they entail.
"Clause 4 of the CERT-In directives mentions that registration information of the customer has to be maintained for 5 years, as mandated by the law. But they don't mention which law," Waghre told BOOM. "They also instruct the storing of 'ownership pattern' of the client - which is yet another unknown."
"But the big issue is, again, many VPN providers claim to not log any user data. It is now left to see how the VPN companies interpret these directives," he added.
Will VPN Companies Comply?
Indeed, many popular VPN companies like ExpressVPN, NordVPN, Surfshark and ProtonVPN owe their popularity to a highly advertised dedication to privacy, and to their policy of not logging any user data. If these companies were to follow the latest directives by CERT-In, they would directly infringe their agreement with their customers by having to log their user data. For many VPN providers, logging customer data is a no-go, while some others like Surfshark do not have the technical means to comply.
Popular VPN providers such as Surfshark, ProtonVPN and NordVPN have stated that if they had to choose between running operations in India and providing a no-log service to their customers, they would choose the latter.
"ProtonVPN is monitoring the situation, but ultimately we remain committed to our no-logs policy and preserving our users' privacy," company spokesperson Matt Fossen told the media.
Surfshark, on the other hand, uses RAM-only servers which automatically overwrite any user-related data, thus preventing the company from keeping logs. "We are still investigating the new regulation and its implications for us, but the overall aim is to continue providing no-logs services to all of our users," Gytis Malinauskas, head of Surfshark's legal department, told Wired.
NordVPN made a similar statement. In an email conversation with BOOM, Laura Tyrylyte, head of public relations at Nord Security, said, "At the moment, our team is investigating the new directive recently passed by the Indian government and exploring the best course of action. As there are still at least two months left until the law comes into effect, we are currently operating as usual. We are committed to protecting the privacy of our customers; therefore, we may remove our servers from India if no other options are left."
Can Indians Still Connect To VPN Under The New Directives?
If you are an existing customer of any one of the VPN companies that might shut their operations in India, you might be wondering what happens to your subscription.
While the ambiguity of the directives may leave room for uncertainty, as of now only the Indian servers of the no-logging VPN companies have come under threat.
Can users still connect to servers from other countries, if the Indian servers were to shut down? Those at NordVPN think it's possible. "We can't comment on what could or couldn't be done until we properly familiarize ourselves with the law, but it is likely that such an option will remain," Tyrylyte weighed in.
How Does This Affect The Privacy Of Indian Internet Users?
VPNs are often considered a go-to measure for privacy, as they protect you from malicious websites that might try to steal your browsing data, or from snooping eyes such as hackers or governmental agencies trying to track your online moves.
A VPN works by encrypting your data and re-routing it through a different server, either inside the country or abroad. Most paid VPN services allow users to choose a server from a country of their liking. In such a scenario, the website being visited will only see the IP address of the server being connected to, while ISPs or any attackers on the user's end will see encrypted browsing data.
The recent move to undermine the privacy aspects of VPN by CERT-In is not the first time that the Indian government has shown apprehension about the service. Last year, a Parliamentary Standing Committee on Home Affairs proposed a ban on VPNs in India.
Furthermore, there has been an ongoing effort by the Narendra Modi-led administration to undermine digital privacy in the name of security.
The government had allegedly misled the Parliament last year about the use of Israeli-made spyware Pegasus, which can severely compromise user privacy using a vulnerability in WhatsApp. IT minister Ashwini Vaishnaw had stated that the government had not had any transactions with Pegasus maker NSO Group. However, an investigation by the New York Times revealed that the Indian government had in fact acquired Pegasus from Israel, way back in 2017.
An international collaborative reporting effort by 17 global media organisations, including The Wire, revealed that the targets of Pegasus were journalists, lawyers, activists and ministers.
Experts fear that with the current CERT-In directives, privacy may yet worsen in the country, leading to further attacks on citizens - especially those who are critical of the government.