India defends move to seek VPN user info

The government has the right to seek records related to virtual private network (VPN) users in order to combat cybercrimes, said a senior government official.

ET had reported Tuesday that VPN providers such as Surfshark and NordVPN are unlikely to be able to adhere to a new security directive from the Indian Computer Emergency Response Team (CERT-In). The directive mandates that providers maintain the personal data of users for five years or longer and hand it over to the government when sought, or face punitive action. The directive is scheduled to take effect by June-end.

“Most of the frauds were happening through VPNs,” the official said. “We are just saying you keep the records for five years… we are not saying give it to us. We are saying keep the records – if required, then any law enforcement agency can ask. I think that’s a very fair ask. It’s an evolution. All the countries are moving in that direction… Police has the right to ask the criminal to remove the mask or not – same is the case here.”

India has more than 270 million VPN users, who use them to access company networks securely, remain anonymous, access geo-restricted content, stay safe on public Wi-Fi networks and get around internet curbs, among other things. The move could render VPN services illegal in India if providers don’t comply.

‘Some Provisions may Hit Enterprises’

The parliamentary standing committee of home affairs had called for a ban on VPNs last year, citing cybersecurity threats.

Top VPN companies told ET that logging sensitive user data would go against the nature of their services, which are designed to protect user privacy. Netherlands-based Surfshark, a popular VPN service in India, said that it doesn’t even have the technical means to comply with the order.


As per the new rules, which will come into effect within 60 days of being notified, all enterprises will have to report any cybersecurity incident to CERT-In within six hours and store all data for a stipulated period of time.

Security experts point out that it currently takes days or even months before some enterprises realise that they have been compromised.

In a letter to the cybersecurity agency, the Information Technology Industry (ITI) Council asked for a delay in implementation and for the matter to be opened up to a wider stakeholder consultation.

“The directive has the potential to improve India’s cybersecurity posture if appropriately developed and implemented,” said Kumar Deep, country manager at the ITI Council. “However, certain provisions, including counterproductive incident reporting requirements, may negatively impact Indian and global enterprises and undermine cybersecurity.”

