In the last week of April, the Indian government’s Computer Emergency Response Team (CERT-In) agency issued a new directive that will fundamentally change how we use VPNs in the country. The policy comes into effect on June 28, 60 days after the announcement. If you have heard about the new VPN policy in India and are confused about what it is all about, we have you covered. In this article, we have explained everything you need to know about the new VPN policy in India and how it will impact you.

What is India’s New VPN Policy?

According to the Computer Emergency Response Team (CERT-In), the new VPN policy in India aims to improve the process of monitoring cybercrimes in the country. It involves storing data of VPN users in India and collecting personal data, including names, IP addresses, physical addresses, phone numbers, and more. Check out the breakdown of all the data collection requirements for VPN companies in the next section below.

  • What is India’s New VPN Policy?
  • What is India Asking VPN Companies to Save?
  • How Did VPN Companies React to the Order?
  • Why is the Indian Government Doing This?
  • Will India Entirely Ban VPNs?
  • What’s Changing for VPN Users in India?
      • Companies That Comply with the New Policy
      • Companies That Won’t Comply with the Directive Despite Having Indian Servers
      • Companies That Don’t Have a Server in India or Choose to Shut down India Servers

What is India Asking VPN Companies to Save?

According to CERT-In’s directions, VPN companies should store the following data of users. Notably, these directives are applicable not only to VPN companies but also to data centers, virtual private server providers, and cloud service providers.

  • Validated names of subscribers/customers hiring the services
  • Period of hire including dates
  • IPs allotted to / being used by the members
  • Email address, IP address, and time stamp used at the time of registration / on-boarding
  • Purpose for hiring services
  • Validated address and contact numbers
  • Ownership pattern of the subscribers/customers hiring services

Other than these highlights, VPN companies are liable to report cyber incidents within 6 hours of noticing the breach. They are also directed to sync system clocks to the Network Time Protocol (NTP) server of the National Informatics Centre (NIC), the National Physical Laboratory (NPL), or with NTP servers traceable to these NTP servers.

How Did VPN Companies React to the Order?

Over the past few days, leading VPN providers have issued statements expressing their stance on the VPN policy in India. Here’s a quick look at the official statements:

ProtonVPN: “ProtonVPN is monitoring the situation, but ultimately we remain committed to our no-logs policy and preserving our users’ privacy,” spokesperson Matt Fossen told Wired.

Why is the Indian Government Doing This?

The Indian government justifies its policy as a move to improve the cybersecurity of the country. According to the government’s press release, the directions are to “address certain gaps causing hindrance in incident analysis” while handling cyber incidents.

“Most of the frauds were happening through VPNs. We are just saying you keep the records for five years…we are not saying give it to us. Keep the records – if required, then any law enforcement agency can ask. I think that’s a very fair ask. It’s an evolution. All the countries are moving in that direction… Police has the right to ask the criminal to remove the mask or not – same is the case here,” a senior government official was quoted as saying by the Economic Times.

Will India Entirely Ban VPNs?

No, at least not yet. The new VPN policy is applicable to VPN companies with servers in India. Given the intrusive nature of the directive, VPN providers with servers in India are even considering the possibility of shutting down their servers in the country. However, that doesn’t mean you can’t access the service. As per the current policy, you can likely still connect to the same VPN provider’s servers located in other countries. It remains to be seen if the government is planning to crack down on that route too in the future.

What’s Changing for VPN Users in India?

To understand what’s changing for an average VPN user in India, let’s analyze three possible scenarios. These are – companies that comply with the new VPN policy, companies that won’t comply with the directive despite having servers, and companies that don’t have a server in India or choose to shut down servers in the country.

Companies That Comply with the New Policy

If a VPN provider chooses to comply with the new policy, it has to collect and maintain logs in the country for 180 days. It should also store the aforesaid personal data of the user for five years. You should keep an eye on your VPN provider’s stance on the policy when it comes into effect next month.

Companies That Won’t Comply with the Directive Despite Having Indian Servers

If a VPN provider continues to operate as usual even after June 28 without following the policy, it may invite punitive action under sub-section (7) of section 70B of the IT Act, 2000. According to the act, that accounts for one year of imprisonment, a fine which may extend to one lakh rupees, or both.

Companies That Don’t Have a Server in India or Choose to Shut down India Servers

Companies that don’t operate a server in India seem currently immune to the directives. The government may make it harder to discover or subscribe to these VPN providers. But as things stand now, it looks like you can continue using your VPN as long as it doesn’t have a server in India.

Future of VPNs in India Explained