You are here: Home » Technology » News
Business Standard

How will the new rules for VPN providers threaten user privacy?

The govt has come up with regulations requiring VPN service providers to collect and store a host of personal information from their subscribers. Can the new rules undermine your privacy?

Online privacy | India data privacy | cyber security

Krishna Veera Vanamali  |  New Delhi 

The Indian government has recently asked VPN service providers to register and record certain information about its users for a period of at least 5 years.

This was one among the several new directives issued by CERT-In, or Central Emergency Response Team, which is India’s national agency that looks into matters of cybersecurity.

The new directives are slated to come into effect from June 27 this year. However, experts say that these rules raise serious privacy concerns, especially the ones about VPN service providers

But before moving ahead, let’s understand what a VPN really is. VPN or a Virtual Private Network establishes a secure and encrypted connection between a user and the internet.

VPN helps users hide their browsing history, IP address and geographical location, as well as their web activities and the devices being used.

In a connected world, it’s of immense use to journalists, whistleblowers and activists.

Now let’s understand how the new rules pose challenges to a VPN user’s privacy?

CERT-In’s new rules require VPN service providers to collect and store certain ‘accurate’ information for a period of at least five years, even after a customer has cancelled his/her subscription.

The ‘personal’ information to be collected and stored includes names, IP addresses, emails, contact numbers and purpose for using the VPN service.

Data centres and cloud service providers will also have to abide by these directives

Non-compliance of these norms can attract a jail term of up to one year.

Many VPN service providers offer a no-log policy, where they promise to not collect or log traffic that passes through their servers and users’ online activities. But the new government directives ask the service providers to store information that is sensitive, personal and identifiable in nature.

Another provision raises the possibility of VPN providers being made to store usage logs, which include a person’s browsing activity, for a rolling period of 180 days.

All organisations are mandated to maintain logs of their ICT or Information and Communication Technology systems in India according to the new regulations.

The Internet Freedom Foundation said that the ambiguity over what is covered under “all their ICT systems” leads to concerns such as the government or private enterprises having access to more data than necessary.

Talking to Business Standard, Apar Gupta, Executive Director, Internet Freedom Foundation, says ‘No-logs’ VPN providers will be forced to exit the Indian market. The 180-day log retention rule on ICT systems is ambiguous and the new rules will end up undermining cybersecurity, he says. This puts personal data is put at risk of leak and data collection requirement is counterintuitive, he says adding that no data protection authority to ensure data is used for cybersecurity purpose.

Three VPN service providers, Surfshark, ProtonVPN and ExpressVPN, have told a US tech publication that they don’t plan to follow India’s new rules on data collection. All three reportedly expressed intention to continue with their no-logs policy.

The US tech magazine quotes ProtonVPN saying India’s new requirements will erode civil liberties and make it harder for people to protect their data online.

Experts also questioned how these data collection and retention requirements will help in improving cybersecurity. Moreover, localisation requirements also raise concerns about surveillance, especially in the absence of a dedicated data protection authority.

Dear Reader,

Business Standard has always strived hard to provide up-to-date information and commentary on developments that are of interest to you and have wider political and economic implications for the country and the world. Your encouragement and constant feedback on how to improve our offering have only made our resolve and commitment to these ideals stronger. Even during these difficult times arising out of Covid-19, we continue to remain committed to keeping you informed and updated with credible news, authoritative views and incisive commentary on topical issues of relevance.
We, however, have a request.

As we battle the economic impact of the pandemic, we need your support even more, so that we can continue to offer you more quality content. Our subscription model has seen an encouraging response from many of you, who have subscribed to our online content. More subscription to our online content can only help us achieve the goals of offering you even better and more relevant content. We believe in free, fair and credible journalism. Your support through more subscriptions can help us practise the journalism to which we are committed.

Support quality journalism and subscribe to Business Standard.

Digital Editor

First Published: Fri, May 06 2022. 07:00 IST