industry

UnCERT-in times for VPN services providers in India


Users of virtual private networks (VPNs) in India face disruptions, with providers such as Surfshark and NordVPN saying they are unlikely to be able to adhere to a new security directive from the government due to privacy policy concerns. India has more than 270 million VPN users, who use them to access company networks securely, remain anonymous, access geo-restricted content, stay safe on public Wi-Fi networks and get around internet restrictions among other things.

The directive from Indian Computer Emergency Response Team (CERT-In), India’s top cybersecurity agency, is set to take effect at the end of June. That mandates VPN services, among others, to maintain the personal data of users for five years or longer and hand them over to the government when asked or face punitive action.

House Panel Had Sought Ban

The move, aimed at preventing cybersecurity breaches, may end up making VPN services illegal in India if providers don’t comply. The parliamentary standing committee of home affairs had called for a ban on VPNs last year, citing threats.

Top VPN companies told ET that logging sensitive user data would go against the nature of their services, which are designed to protect user privacy. Netherlands based-Surfshark, a popular VPN service in India, said that it doesn’t even have the technical means to comply with the order.

“We operate only with RAM-only servers, which means that at this moment, even technically, we would not be able to comply with the logging requirements,” Gytis Malinauskas, Surfshark’s legal head, told ET.

NordVPN, based in Panama, said it’s currently operating as usual but may have to reassess the situation if and when the order goes into effect two months from now. “We are committed to protecting the privacy of our customers, therefore, we may remove our servers from India if no other options are left,” said Laura Tyrylyte, NordVPN’s security spokesperson, told ET.

ExpressVPN, registered in the British Virgin Islands and another popular VPN service that claims to bypass even China’s strict Great Firewall, said it’s aware of the directive and is monitoring developments.

“VPNs are critical for user safety and the preservation of user’s right to online privacy and are fundamentally opposed to any efforts to undermine such technologies,” ExpressVPN said in a statement to ET.

The company states in its privacy policy that it does not “collect logs of your activity, including no logging of browsing history, traffic destination, data content, or DNS queries. We also never store connection logs, meaning no logs of your IP address, your outgoing VPN IP address, connection timestamp, or session duration.”

Experts say services such as NordVPN, Surfshark, ExpressVPN and the like pride themselves on no-logs systems that assure users of privacy, going as far as getting themselves audited by firms like PwC to confirm compliance with their privacy policies.

Some VPN providers also said they are governed by laws of the countries they are based in and may not necessarily come under the jurisdiction of Indian laws.

“We are operating under the jurisdiction of the Netherlands, and there are no laws requiring us to log user activity,” Surfshark said. Similarly, ExpressVPN said it’s governed by laws of the British Virgin Islands, which too doesn’t require VPN services to maintain user logs.

The VPN user base in India has been surging over the past two years, owing to a rise in remote working due to the pandemic.

VPN penetration in India in 2021 spiked to 20% of the population, from a mere 3.28% in 2020, according to an adoption tracker maintained by AtlasVPN.



READ SOURCE

Leave a Reply

This website uses cookies. By continuing to use this site, you accept our use of cookies.