India's new VPN rules spark fresh fears over online privacy
Now, some VPN providers are leaving India while others are considering doing so ahead of new rules that the government says are aimed at improving cybersecurity, but that the firms argue are vulnerable to abuse and could put users' data at risk
Virtual private networks (VPNs) that encrypt data and provide users with anonymity online have seen a surge in use in India in recent years as the government tightened its grip on the internet to curb dissent, and as more people worked from home.
Now, some VPN providers are leaving India while others are considering doing so ahead of new rules that the government says are aimed at improving cybersecurity, but that the firms argue are vulnerable to abuse and could put users' data at risk.
Under legislation scheduled to take effect this month, VPN providers are required to retain user data and IP addresses for at least five years - even after clients stop using the service.
"VPNs are central to online privacy, anonymity, and freedom of speech, so these restrictions represent an attack on digital rights," Harold Li, vice president of ExpressVPN, told the Thomson Reuters Foundation.
"The new laws are overreaching and are so broad as to open up the window for potential abuse. We refuse to put our users' data at risk ... as such, we have made the very straightforward decision to remove our India-based VPN servers," he said.
India ranks among the top 20 countries in VPN adoption, according to AtlasVPN's global index, with users surging in 2020 and 2021 - as they did worldwide - as companies secured their networks with more people working from home amid the pandemic.
Many are corporate users but there are also, activists, journalists, lawyers and whistleblowers who use them to access blocked websites, secure their data and protect their identity.
With increasing digitisation of data and services, security is a major issue: India ranked third among countries with the most data breaches last year, according to estimates by Surfshark VPN, with nearly 87 million users affected.
The new order, issued by the Indian Computer Emergency Response Team (CERT-In) in April, also requires companies to report data breaches within six hours of noticing them, and maintain IT and communications logs for six months.
Failing to do so could be punishable with prison sentences.
Tech firms and digital rights organisations have raised concerns about the compliance burden and reporting timeline, but officials have said there will be no changes to the rules.
"If you don't want to go by these rules, and if you want to pull out, then frankly ... you have to pull out," India's junior IT minister Rajeev Chandrasekhar told reporters last month.
Microscope of surveillance
Governments worldwide are imposing greater control on the flow of information online with a slew of regulations, as well as firewalls, internet shutdowns and social media blocks.
India has tightened regulation of Big Tech firms in recent years, and ordered content takedowns. Dozens of lawyers, journalists and activists were also found to have been hacked by the Pegasus spyware last year.
Indian authorities have declined to say whether the government had purchased Pegasus spyware for surveillance.
Now, the new CERT-In rules can be used to keep close tabs on more citizens, said Ranjana Kumari, an activist and director of the Centre for Social Research in New Delhi.
"The government has already been increasing its control of the internet to clamp down on any dissent, and people are already under increasing surveillance," she said.
"These new rules make it even worse."
While authorities have clarified that the rules do not apply to corporate VPNs, ProtonVPN said they are "are an assault on privacy and threaten to put citizens under a microscope of surveillance," adding that it would maintain its no-logs policy.
Surfshark also has a "strict no-logs policy, which means that we don't collect or share our customer browsing data or any usage information," said Gytis Malinauskas, its legal head.
"Even technically, we would not be able to comply with the logging requirements," he added.
A spokesperson for NordVPN, one of the world's largest providers, said that while they welcomed the government's "intentions to improve the state of cybersecurity ... we believe that the discussion period should be extended".
"If it comes to it - we will consider removing (our) presence from India."
The Information Technology Industry Council, a global coalition, said the new directives - including the "overbroad" definition of reportable incidents and six-hour reporting timeline - could "actually undermine cybersecurity".
The risk of surveillance for millions of people is exacerbated by the data retention mandate in CERT-In's directive, said Raman Jit Singh Chima, Asia Pacific policy director at Access Now, in an open letter on Jun. 1.
"Requiring service providers, including VPN providers, to log information that they may otherwise not collect, for five years or more, violates the right to privacy protected by the Indian Constitution," he said.
India's information technology ministry could not be reached for comment.
Authorities have declined requests from tech firms and digital rights groups to delay implementation, and have said the reporting timeline is "very generous."
Everyone at risk
India is not the only country cracking down on VPNs.
Russia banned several VPN services last year as part of a wider campaign that critics say curbs internet freedom, although it has failed to block them entirely.
Russia's moves to block global news sites and social media platforms after its invasion of Ukraine - similar to China's "Great Firewall" - have led to concerns that the internet is splitting along geopolitical lines, digitally isolating people.
India's new directive was drawn up with little consultation with the tech industry or with civil society organisations, said Prateek Waghre, policy director at Internet Freedom Foundation, a digital rights advocacy group in Delhi.
"Because of that there are now a bunch of directions that are ambiguous, with a tremendous compliance burden, including potential imprisonment for non-compliance," he said.
The rules have the potential to cause a great deal of harm, particularly in the absence of a data protection law, he added.
"While there is a clear need for enhanced cybersecurity, when you ask for indiscriminate data collection, everyone is at risk - and there is greater risk for people already at risk, such as activists, journalists, dissenters, minorities."