Authorities have ordered VPN providers to collect user data and share it with officials. Some have said they will leave India for good, some will ignore the requirements.
In late April, India’s Ministry of Electronics and Information Technology announced that under a new national directive, companies providing virtual private network services will be required to collect massive amounts of customer data and store it for five years or more. VPN providers have two months to adopt the rules and start collecting data, Wired writes.
The rationale from the country’s Computer Emergency Response Team (CERT-In) is that it should be able to investigate potential cybercrimes. But that doesn’t sit well with VPN providers, with some saying they will ignore the requirements.
This latest move by the Indian government to require VPN companies to hand over users personal data is an alarming attempt to infringe on the digital rights of its citizens.
Harold Lee, vice president of ExpressVPN
He adds that the company will never record user information or actions and that it will adjust its operations and infrastructure to preserve this principle if and when necessary.
Gitis Malinauskas, Surfshark’s head of legal affairs, says the company cannot comply with India’s logging requirements because it uses RAM-only servers that automatically overwrite data related to users.
We are still studying the new regulation and its implications, but the overall goal is to continue to provide a log-free service for all of our users.
Gitis Malinauskas
ProtonVPN also calls the move an erosion of civil liberties.
Nord Security, a NordVPN provider, is ready to remove servers from India if no other options remain.
The tough response from VPN providers shows how much is at stake. India has quickly moved away from free and open democracy and has launched a crackdown on NGO’s, journalists, and activists, many of whom use VPNs to communicate.
Human Rights Watch recently warned that the country’s media freedom is under attack as a series of legislative and policy changes threaten the rights of its minority citizens. Over the past year, India has fallen eight places on Reporters Without Borders (Press Freedom Index) and now ranks 150th out of 180 countries. Authorities have allegedly harassed journalists by fomenting nationalist dissent and encouraging the harassment of reporters who criticize Indian Prime Minister Narendra Modi. By collecting and storing data on all VPN users in India, it may be easier for authorities to see who journalists using VPNs are communicating with.
Officials in India say that the new rules for VPN providers are not aimed at further restricting press freedom, but are an attempt to control cybercrime. India has suffered a number of serious data breaches in recent years, making it the third most affected country in the world in 2021. In May 2021, the names, email addresses, locations and phone numbers of more than 1 million Domino’s Pizza customers were stolen and posted online. Also, in 2021, the personal information of 110 million users of digital payment platform MobiKwik ended up on the internet, darknet more precisely. Now, with the number of major incidents steadily increasing, Indian officials are beginning to go after VPNs in an attempt to curb the surge in cybercrime.
The other reason why Indians use VPNs every day is the deployment of a nationwide identification database. The identification system known as Aadhaar, which was launched in 2009 assigns citizens a 12-digit identification code based on their biometric and demographic data. Supporters of the ID say Aadhaar is part of a plan to digitize the Indian economy and make it easier to access government services. Opponents argue that it is an attempt to create a surveillance state under the guise of making life easier for citizens.
According to data collected by service provider Atlas VPN, one in five Indians will use a VPN in 2021, while in 2020 only a few percent of residents used VPN services.