The Indian Computer Emergency Response Team (CERT-In), India’s cybersecurity watchdog, has issued new directives for companies offering Virtual Private Networks (VPNs). Under the new directive, VPN providers are required to store user data for at least five years, amongst other rules. These companies are now mandated to retain specific customer data even if users delete their accounts or cancel their subscriptions. Non-compliance with the directive can lead to prison for up to a year. The mandate is effective from June 27, 2022.

The new directives are a concern not only for VPN companies but also for cloud service providers, data centres and crypto exchanges, which are also covered by them. According to CERT-In, the directive is aimed at maintaining information on customer registration. The government believes that criminals routinely use VPNs to hide their online activity, getting away with the most heinous crimes. However, only a handful of countries across the globe, including Russia, China, Belarus, Oman, UAE, and the United Kingdom, have imposed such restrictions on the use of VPNs for national security reasons. Meanwhile, users of VPN services who have so far enjoyed online privacy are now vulnerable, as their online activity is no longer foolproof and secure.

What is a VPN?

A Virtual Private Network (VPN) is a service that protects internet users by preventing their IP addresses from being tracked by websites, law enforcement agencies, cybercriminals and others. It is a private internet connection that is invisible to most people, and it conceals the user’s IP address. Surfshark, NordVPN, ExpressVPN, Atlas VPN, CyberGhost, TorGuard and IPVanish are some of the top VPN service providers in India. India ranks amongst the top 20 countries adopting VPNs, according to AtlasVPN’s global index. Most corporations where data privacy and security are paramount deploy VPNs to safeguard their networks from hackers and other cybercriminals.

Many VPN service providers offer a no-log policy, i.e. they do not collect or log any of the traffic that passes through their servers, so users’ online activities remain private. Apart from providing privacy, a VPN also has many other benefits:

  • Helps in avoiding bandwidth throttling techniques (reducing internet speeds) used by internet service providers who reduce the bandwidth of the internet when they notice a particular IP with heavy usage. The heavy usage may be due to online gaming or streaming.
  • Remote access of personal documents and files using a VPN is safe as the connection is encrypted and thus, the files can be safely accessed from anywhere in the world.
  • By leveraging currencies and points of sale, one can get the best deals for online travel, hotel, car rental, and other bookings by appearing to be a customer from another country. A VPN masks your IP address, which would otherwise reveal your geographical location.
  • Online payments become more secure with a VPN, even on public Wi-Fi. All activities are encrypted, and thus secure, when routed through a VPN.
  • Almost all booking and shopping websites deploy cookies and other tracking methods to change their prices dynamically based on your searches and location. A VPN helps protect against the price discrimination tactics that these websites deploy.

What are the new VPN rules?

The Indian government has mandated that all VPN service providers operating in the country keep a record of their users for five years. The new mandate requires service providers to store information that is sensitive, personal, and identifiable. While the move will make it significantly easier for law enforcement to track criminals who use VPNs to hide their footprint, experts believe that the same data can also be easily misused by the government and its agencies. The information required to be maintained includes: period of hire, IPs allotted to the user, email address, IP address, timestamp used at the time of registration, the purpose of hiring services, validated address and contact numbers, and ownership pattern of the subscribers. Service providers are also required to report cybersecurity incidents to CERT-In within six hours of becoming aware of them.

At the moment, most providers lack access to the infrastructure required to comply with the government’s directive. However, many service providers have outright refused to comply with the new directives and even opted to shut down their services. ExpressVPN and Surfshark have already announced their exit from India following the new directives. NordVPN and PureVPN have said that they can’t comply with the government’s guidelines and are contemplating the removal of their servers from the country.

Impact of new VPN rules

Money laundering to become tough – The new VPN rules will help the government and law enforcement agencies trace anti-social elements and cyber criminals involved in heinous activities online. Money launderers usually use multiple bank accounts, paper companies and other means to launder money. With the new VPN rules, the details of where such accounts were accessed and the related online activity can be traced using the IP address and other details to be stored by the service providers.

Bank frauds and scams to reduce – The new VPN rules will help in reducing banking frauds and scams as the fraudsters and scammers will not be able to mask their IP addresses and thus, will be exposed and traced by the law enforcement agencies.

Users’ privacy at higher risk – VPN service providers will maintain five years of usage data. This means any hack of such databases can expose users’ IP addresses, and thereby their locations, along with email IDs and contact details, which are going to be validated by the service providers under the new rules. Thus, the risk of security breaches owing to the new VPN rules is much higher compared to the benefits of the new rules.

Surveillance threat to increase – The government has already failed to address the concerns surrounding the usage of Pegasus spyware. With the new VPN rules, the threat of surveillance becomes more real as people cannot hide their activity. Many claim that the government can restrict people’s freedoms, especially those of journalists and whistle-blowers who seek anonymity.

Stricter KYC verification – Users will have to face a stricter KYC verification process and provide reasons for hiring services. This would mean more data being exposed and stored in the process, and also higher compliance costs for the service providers. This may, in turn, result in higher pricing for such services.