India’s New VPN Policy Explained (2022)
What is India’s New VPN Policy?
According to the Computer Emergency Response Team (CERT-In), the new VPN policy in India aims to improve the process of monitoring cybercrimes in the country. It involves storing data of VPN users in India and collecting personal data, including names, IP addresses, physical addresses, phone numbers, and more. Check out the breakdown of all the data collection requirements for VPN companies in the next section below.
What is India Asking VPN Companies to Save?
According to CERT-In’s directions, VPN companies should store the following data of users. Notably, these directives are applicable not only to VPN companies but also to data centers, virtual private server providers, and cloud service providers.
- Data Logging – Should mandatorily enable logs for a rolling period of 180 days
- Data Localization – Should maintain the logs within India
- Save the following details of customers for 5 years:
  - Validated names of subscribers/customers hiring the services
  - Period of hire including dates
  - IPs allotted to / being used by the members
  - Email address, IP address, and time stamp used at the time of registration / on-boarding
  - Purpose for hiring services
  - Validated address and contact numbers
  - Ownership pattern of the subscribers/customers hiring services
Other than these highlights, VPN companies are liable to report cyber incidents within 6 hours of noticing the breach. They are also directed to sync system clocks to the Network Time Protocol (NTP) server of the National Informatics Centre (NIC), the National Physical Laboratory (NPL), or with NTP servers traceable to these NTP servers.
How Did VPN Companies React to the Order?
Over the past few days, leading VPN providers have issued statements expressing their stance on the VPN policy in India. Here’s a quick look at the official statements:
ProtonVPN: “ProtonVPN is monitoring the situation, but ultimately we remain committed to our no-logs policy and preserving our users’ privacy,” spokesperson Matt Fossen told Wired.
ExpressVPN: “This latest move by the Indian government to require VPN companies to hand over user personal data represents a worrying attempt to infringe on the digital rights of its citizens,” said Harold Li, vice president of ExpressVPN.
Surfshark: “We operate only with RAM-only servers, which automatically overwrite user-related data. We are still investigating the new regulation and its implications for us, but the overall aim is to continue providing no-logs services to all of our users,” said Surfshark’s Gytis Malinauskas.
NordVPN: “Our team is investigating the new directive and exploring the best course of action. We may remove our servers from India if no other options are left,” Nord Security’s Laura Tyrylyte told Wired.
Why is the Indian Government Doing This?
The Indian government justifies its policy as a move to improve the cybersecurity of the country. According to the government’s press release, the directions are to “address certain gaps causing hindrance in incident analysis” while handling cyber incidents. “Most of the frauds were happening through VPNs. We are just saying you keep the records for five years…we are not saying give it to us. Keep the records – if required, then any law enforcement agency can ask. I think that’s a very fair ask. It’s an evolution. All the countries are moving in that direction… Police has the right to ask the criminal to remove the mask or not – same is the case here,” a senior government official was quoted as saying by the Economic Times.
Will India Entirely Ban VPNs?
No, at least not yet. The new VPN policy is applicable to VPN companies with servers in India. Given the intrusive nature of the directive, VPN providers with servers in India are even considering the possibility of shutting down their servers in the country. However, that doesn’t mean you can’t access the service. As per the current policy, you can likely still connect to the same VPN provider’s servers located in other countries. It remains to be seen if the government is planning to crack down on that route too in the future.
Besides, privacy-focused VPNs are built with a no-logs policy in mind and use RAM-only servers, which makes it technically infeasible to collect logs. To comply with the new directive and operate in the country, they will have to rethink their infrastructure and put the privacy of users at risk in the process. Since the promise of offering privacy is a key selling point for most VPNs, we don’t think most VPN providers would be willing to make such changes to continue operating in the country.
What’s Changing for VPN Users in India?
To understand what’s changing for an average VPN user in India, let’s analyze three possible scenarios. These are – companies that comply with the new VPN policy, companies that won’t comply with the directive despite having servers, and companies that don’t have a server in India or choose to shut down servers in the country.
Companies That Comply with the New Policy
If a VPN provider chooses to comply with the new policy, it has to collect and maintain logs in the country for 180 days. It should also store the aforesaid personal data of the user for five years. You should keep an eye on your VPN provider’s stance on the policy when it comes into effect next month.
Companies That Won’t Comply with the Directive Despite Having Indian Servers
If a VPN provider continues to operate as usual even after June 28 without following the policy, it may invite punitive action under sub-section (7) of section 70B of the IT Act, 2000. According to the act, that accounts for one year of imprisonment, a fine which may extend to one lakh rupees, or both.
Companies That Don’t Have a Server in India or Choose to Shut down India Servers
Companies that don’t operate a server in India seem currently immune to the directives. The government may make it harder to discover or subscribe to these VPN providers. But as things stand now, it looks like you can continue using your VPN as long as it doesn’t have a server in India.
A blanket ban on all VPNs that don’t have a server in India seems unlikely. However, considering India’s aggressive crackdown on Chinese apps, it’s not a possibility we can entirely rule out. We will have to wait until the policy comes into effect late next month to know for sure.
Having said that, to truly mitigate cyber incidents, as is the apparent intention of the policy, banning VPNs without Indian servers seems like the next best move from the government’s perspective. That’s because popular VPN makers who are planning to exit India account for the majority of the VPN user base in the country. Letting them operate without any restrictions would make this whole saga a futile attempt.
However, doing so comes at the risk of compromising the privacy of users. This is also a rather aggressive stance, one that draws natural comparisons to VPN policies of authoritarian regimes like North Korea and China. We hope CERT-In reviews its policy and comes up with a solution that doesn’t involve logging VPN users in India.
Future of VPNs in India Explained
Uncertain times are ahead for VPN users and providers in India. It will be interesting to see whether the companies are willing to comply with the policy or not. And how other privacy-focused VPN services approach the situation is also something to look out for. So, will you consider using a VPN that maintains logs and saves your data for 5 years?