In April, the Indian government dropped a hard pill to swallow for VPN services and their users.
According to India's new data retention law, security software firms will be forced to keep users' data for up to five years. What's more, providers will need to be ready to hand over this information to authorities upon request, too.
The news sparked a wave of discontent across the VPN industry, privacy advocacy groups and internet users.
"One way or another, it will have a negative impact on people’s privacy and digital security," Laura Tyrell, Head of PR at Nord Security - the company behind the popular NordVPN - told us.
Meanwhile, in a tweet, digital rights NGO Access Now wrote: "VPNs are necessary in a country with rampant shutdowns and surveillance, and no data protection law. Authorities must stop what they’re doing, and consult with security researchers, civil society, and cybersecurity experts on what to do instead."
So, what's at stake for Indian internet users' privacy?
VPNs forced to keep users' logs
On April 28, the Indian Computer Emergency Response Team (CERT-In) announced that - among other directives, like the obligation to report a cyber attack within six hours - virtual private network (VPN) providers will soon be required to retain users' logs for at least five years. Companies will also be forced to hand over this data to authorities upon request.
And it's not just VPNs that are the subject of the new data retention law which will come into effect from late June. Virtual private servers (VPS), cloud service providers, data centers and crypto exchanges all will have to follow the new directive.
Specifically, the pieces of information that will need to be collected and stored are:
- Validated names of subscribers/customers hiring the services
- Period of hire including dates
- IPs allotted to/being used by the members
- Email address and IP address and time stamp used at the time of registration/on-boarding
- Purpose for hiring services
- Validated address and contact numbers
- Ownership pattern of the subscribers/customers hiring services
Statement: We call on @IndianCERT to recall Directions on Information Security Practices issued on April 28 that go into effect on June 27. These directions are vague. They undermine user privacy and information security, contrary to CERT's mandate. 1/n (tweet, May 4, 2022)
While cybersecurity experts are lamenting its vagueness, lack of feasibility and worrying privacy implications, CERT-In justifies the decision as necessary to better police cybercrime.
Surfshark found India to be the third most affected nation worldwide, with a total of 86.63 million data breaches in 2021. "Most of the frauds were happening through VPNs," an Indian government official told The Economic Times.
At the same time, India also gained the gold medal for the number of internet shutdowns executed. Digital rights campaign group Access Now found the country to be responsible for 106 out of the 182 incidents documented in 2021. Not to mention the allegations that the Indian government used Pegasus technology to spy on activists, politicians and lawyers.
With such a track record, it's no great surprise that many are worried that authorities might abuse this data grab to implement mass surveillance.
VPN companies respond
The news fueled anger across the tech world as these requests run roughshod over the principles and policies upon which virtual private networks and other security software are based.
VPNs are a technology designed to protect users' internet privacy and secure their data inside an encrypted tunnel. They aim to prevent third parties from tracking users' activities as well as accessing their sensitive information.
A strict no-logging policy - meaning that, besides some functional logs, the service doesn't retain any information about you and your activities - is, therefore, a guarantee that most private VPN services offer to their subscribers, and one that providers are not eager to negotiate.
"It is premature to say if we will launch a legal challenge, but Proton has taken measures like that in the past and routinely appeals invasive law enforcement requests. Regardless, we remain absolutely committed to our no-logs policy and preserving our users’ privacy," a spokesperson from ProtonVPN told TechRadar.
Commenting on this point, Laura Tyrell at NordVPN said: "In the past, similar regulations were mostly introduced by authoritarian governments in order to gain more control over their citizens. If democracies are going to follow the same path, it might not only affect people’s privacy, but also freedom of speech."
The new Indian VPN regulations are an assault on #privacy and threaten to put citizens under a microscope of surveillance. We remain committed to our no-logs policy and recommend everyone using our servers in India to follow these guidelines: https://t.co/85WTkUJ5Z6. (1/2) (tweet, May 5, 2022)
First steps towards a VPN ban?
With most VPN providers vocally defending their no-logs policies and some others even threatening to pull their servers out of the country, the government might decide to go further and ban all the services that don't comply with its demands.
After all, it was less than a year ago that the Parliamentary Standing Committee on Home Affairs proposed banning VPN services in India to counter cybersecurity threats.
However, Tyrell thinks that there is still a concrete possibility that the directive will change: "It is difficult to imagine a scenario in which all local companies are able to adjust their infrastructure and operations in time, therefore there is still a chance that the proposed wording and timeline of the regulation may not be final."
What's at stake for users' privacy?
Furthermore, ProtonVPN told TechRadar: "The rules would not only make it harder for people to protect their data online but also give the government more tools to monitor people’s locations and identities while eroding civil liberties more generally."
That's especially worrying in a country where many journalists use this software to cope with media freedom under attack - India just dropped to 150th out of 180 countries in the 2022 Reporters Without Borders’ Press Freedom Index.
And it's not just privacy that's a concern, as the change could also mean higher fees for Indian VPN users.
As Tyrell from NordVPN explains: "From what it seems, the new law will definitely create additional difficulties for the internet infrastructure providers and their operations. Overhead in operation costs may translate into increased costs to end users which for some people might complicate internet access in general."
Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to firstname.lastname@example.org