India’s CERT-In (Computer Emergency Response Team) is forcing data centres (Virtual Private Server Provider, Cloud Service Provider, and Virtual Provider) to collect and store users’ information. These requirements apply only to general/regular users; they do not apply to enterprise or corporate users.

New cybersecurity regulations require a complete database of users’ IP addresses, names, subscription period, registered email addresses, contact information, and validated addresses to be kept for at least five years.

Rather than follow such guidelines, which undermine the basic foundation of using a VPN, well-known VPN service providers, including NordVPN along with other VPNs, may exit India. We have seen NordVPN and ExpressVPN remove their physical services from countries like Russia after similar issues.

In fact, these rules are not meant for VPN service providers alone; they also cover cloud service providers like Amazon. Those who don’t comply with the rules could potentially face up to a year in prison, a fine of up to 100,000 INR, or both.

India is the second-largest market of internet users, and VPN adoption has grown significantly in recent years, with a rate of 371% in 2020 and more than 348.7Mn in H1 2021. According to reports, VPN adoption is increasing at a rate of 24% per year.

Some experts say that, taken together, these data retention guidelines raise serious concerns about state-sponsored mass surveillance (Tejasi Panjiar). Before coming up with some guidance, GOI should ask different private entities, like VPN Service Providers, to hold public data while ensuring the privacy law (Anupam Shukla).

The biggest VPN companies, like NordVPN and ExpressVPN, collect minimal data about their users, which remains private, and they enhance privacy and security by using cryptocurrency payment methods to keep their data anonymous.

In addition to this, ExpressVPN and Surfshark operate RAM-disk servers and other log-less technology to offer a no-logging policy, which makes them incapable of monitoring URLs and reporting usage. Lastly, India accounts for 60% of international shutdowns (106 of a global total of 182 government-imposed shutdowns).

India defends move to seek VPN user info / Courtesy: The Economic Times/ AndroidGreek

Where a VPN uses a no-log policy, an IT Ministry directive requires that user data be logged. But they don’t use them to collect data like IP addresses and other things that are necessary to protect the users’ data. These will be enforced from the end of June.

“The nature of user harms and risks in 2022 are different from what it used to be a decade back … Rapid and mandatory reporting of incidents is a must and a primary requirement for remedial action for ensuring stability and resilience of cyber space,” said Chandrasekhar.

“For the purpose of this direction, VPN Service provider refers to an entity that provides “Internet proxy like services” through the use of VPN technologies, standard or proprietary, to general Internet subscribers/users,” CERT-In FAQ Doc.

“At the moment, our team is investigating the new directive recently passed by the Indian government and exploring the best course of action. As there are still at least two months left until the law comes into effect, we are currently operating as usual,” NordVPN spokesperson Patricija Cerniauskaite.

“means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes;” IT Act.