The order, issued by the Indian government’s Computer Emergency Response Team (CERT-In) on 28 April, could lead to VPN providers removing their presence from the country altogether.
It requires all VPN companies operating in the country to store user data for five years or longer and report cyber incidents within six hours to help investigate potential cyber crime.
The new rules are expected to take effect in two months.
VPNs encrypt users’ traffic and give them an internet-facing IP address in a country of their choice. They shield users’ identities by replacing their device’s IP address with a temporary one hosted on a remote server.
Under the new order, VPN providers will be required to register accurate and detailed information from all users in India.
Such information, which must be retained for a minimum of five years even if users cancel their subscriptions, includes users’ valid names, period of use, IPs allotted to them, email addresses, the time stamp at the time of registration, valid addresses and contact numbers.
Non-compliance, the order suggests, may lead to VPN companies facing bans and even potentially a year of prison time for executives.
Experts have perceived the order to be a new blow to the rights to privacy and freedom of expression that are already at increasing risk in India.
NordVPN, one of the largest providers in the world, has said it may pull out of India, startup and tech news portal Entrackr reported on Thursday.
“We are committed to protecting the privacy of our customers; therefore, we may remove our servers from India if no other options are left,” Patricija Cerniauskaite, a spokesperson for NordVPN’s parent company Nord Security, said.
Just IN: Indian executives of the VPN companies who don't comply could potentially face up to a year in prison under the new directive.
— South Asia Index (@SouthAsiaIndex) May 4, 2022
Other service providers, including ExpressVPN and ProtonVPN, have also shared their concerns, adding that they may choose not to comply.
“The new Indian VPN regulations are an assault on privacy and threaten to put citizens under a microscope of surveillance. We remain committed to our no-logs policy,” ProtonVPN tweeted on Thursday, sharing its guidelines for its users in “high-risk countries.”
Harold Li, vice president of ExpressVPN, told Wired that the Indian government’s move “represents a worrying attempt” to infringe on the digital rights of its citizens, adding that the company would never log user information or activity.
He said the company would adjust its operations and infrastructure “to preserve this principle if and when necessary.”
The new Indian VPN regulations are an assault on #privacy and threaten to put citizens under a microscope of surveillance. We remain committed to our no-logs policy and recommend everyone using our servers in India to follow these guidelines: https://t.co/85WTkUJ5Z6. (1/2)
— ProtonVPN (@ProtonVPN) May 5, 2022
Human rights groups have also expressed concerns about the new move.
Amnesty International’s India branch tweeted its criticism of the law, saying VPNs provide “digital anonymity which has been instrumental in protecting the rights of journalists, activists and students who have faced a relentless crackdown for speaking truth to power.”
“Restrictions on digital anonymity must satisfy requirements of legality, necessity and proportionality, and legitimacy. This directive fails is in [sic] clear contravention with India’s obligations under international human rights law,” it added.
The Indian government’s latest directive asking VPN companies to collect and store users’ data for a period of five years or face ban and imprisonment is a new major blow to the rights to privacy and freedom of expression in India.
— Amnesty India (@AIIndia) May 5, 2022
Indian officials, however, said the directive is aimed not at stymying freedom of speech and privacy but at countering the growing threat of cyber crime faced by citizens.
Netherlands-based VPN provider Surfshark noted in a recent study that about 675,000 Indian users faced breaches this quarter, while the data of 1.77 million users was stolen in the fourth quarter of 2021, with the country remaining among the top five nations targeted by hackers.
While the new order suggests government bodies would only demand these VPN logs when actually needed for an investigation, there are concerns about abuse of the rules.
Internet Freedom Foundation (IFF), a New Delhi-based nonprofit that conducts advocacy on digital rights and liberties, also tweeted that the new directions are “vague”, “undermine user privacy” and “information security.”
It said CERT-In “expanded its power” through the order that has “potential to be used for mass surveillance”.
Concerns that the new order could be used for surveillance are “substantiated” by its direction that logs be maintained within “Indian jurisdiction”, it noted.
Concerns on surveillance are substantiated by a direction for the maintenance of logs, “of all ICT systems”, for a period of, “180 days” within, “Indian jurisdiction”. A double whammy of mandatory retention & data localisation on *all* entities. Without a data protection law. 7/n
— Internet Freedom Foundation (IFF) (@internetfreedom) May 4, 2022
“Mandatory collection and perpetual storage for large amounts of sensitive user data creates cyber security risks. Beyond surveillance, due to technical vulnerabilities, such data can and may be exposed,” the IFF explained.
The new order also seemingly signals India’s move away from a free and open democracy, where there have already been growing levels of crackdowns on nonprofits, journalists and activists.
The country had 106 deliberate internet shutdowns, the highest number in the world in 2021.
Recently, Reporters Without Borders noted that India is now ranked 150 out of 189 countries in the Press Freedom Index, a drop of eight places in a year.