How will the new rules for VPN providers threaten user privacy?

The govt has come up with regulations requiring VPN service providers to collect and store a host of personal information from their subscribers. Can the new rules undermine your privacy?


The Indian government has recently asked VPN service providers to register and record certain information about their users for a period of at least 5 years.


This was one of several new directives issued by CERT-In, or Central Emergency Response Team, which is India’s national agency that looks into matters of cybersecurity.
The new directives are slated to come into effect from June 27 this year. However, experts say that these rules raise serious privacy concerns, especially the ones about VPN service providers.

But before moving ahead, let’s understand what a VPN really is. A VPN, or Virtual Private Network, establishes a secure and encrypted connection between a user and the internet.
A VPN helps users hide their browsing history, IP address and geographical location, as well as their web activities and the devices being used.
In a connected world, it’s of immense use to journalists, whistleblowers and activists.

Now let’s understand how the new rules pose challenges to a VPN user’s privacy.
CERT-In’s new rules require VPN service providers to collect and store certain ‘accurate’ information for a period of at least five years, even after a customer has cancelled his/her subscription.

The ‘personal’ information to be collected and stored includes names, IP addresses, emails, contact numbers and purpose for using the VPN service.
Data centres and cloud service providers will also have to abide by these directives.

Non-compliance with these norms can attract a jail term of up to one year.
Many VPN service providers offer a no-log policy, where they promise to not collect or log traffic that passes through their servers and users’ online activities. But the new government directives ask the service providers to store information that is sensitive, personal and identifiable in nature.
Another provision raises the possibility of VPN providers being made to store usage logs, which include a person’s browsing activity, for a rolling period of 180 days.

All organisations are mandated to maintain logs of their ICT or Information and Communication Technology systems in India according to the new regulations.

The Internet Freedom Foundation said that the ambiguity over what is covered under “all their ICT systems” leads to concerns such as the government or private enterprises having access to more data than necessary.
Talking to Business Standard, Apar Gupta, Executive Director, Internet Freedom Foundation, says ‘No-logs’ VPN providers will be forced to exit the Indian market. The 180-day log retention rule on ICT systems is ambiguous and the new rules will end up undermining cybersecurity, he says. Personal data is put at risk of leaks and the data collection requirement is counterintuitive, he says, adding that there is no data protection authority to ensure data is used for cybersecurity purposes.
Three VPN service providers, Surfshark, ProtonVPN and ExpressVPN, have told a US tech publication that they don’t plan to follow India’s new rules on data collection. All three reportedly expressed their intention to continue with their no-logs policy.

The US tech magazine quotes ProtonVPN saying India’s new requirements will erode civil liberties and make it harder for people to protect their data online.

Experts also questioned how these data collection and retention requirements will help in improving cybersecurity. Moreover, localisation requirements also raise concerns about surveillance, especially in the absence of a dedicated data protection authority.


First Published: May 06 2022 | 7:00 AM IST
