- VPN providers in India ordered to block access to unlawful websites
- The MeitY's request is intended to protect Indian citizens' personal data
- Obligations could clash with how no-log VPN services operate
VPN providers operating in India have been directed to block access to websites that unlawfully disclose citizens' personal details, following an advisory from India's Ministry of Electronics and Information Technology (MeitY).
The directive, which was issued on December 11, warns that these websites "pose a significant risk to Indian users."
Authorities highlighted several specific sites that allegedly reveal sensitive personal data, including full names, addresses, mobile numbers, and email addresses. According to the advisory, these platforms remain accessible to users connecting via a virtual private network (VPN).
Under the IT Act 2000 and IT Rules 2021, VPN providers must "make reasonable efforts" to prevent access to websites that operate in violation of the law. The directive also explicitly reminds providers of their obligation to assist authorities by providing information needed to verify identities or investigate cybercrimes.
What's this mean for VPN users?
While MeitY's request aims to protect Indian citizens' personal data, it fundamentally conflicts with the way the best VPN apps work.
Privacy-first providers operate under a strict no-log policy. This means that the service doesn't collect any identifiable information about what users do online when connected with the VPN.
TechRadar has contacted several popular VPN providers to clarify if and how they intend to comply with these obligations, and we will update this page when we receive a response.
Many companies, including NordVPN, Proton VPN, ExpressVPN, and Surfshark, decided to remove their physical servers from India back in 2022. This move was a direct reaction to CERT-In rules requiring VPN and security software providers to store user data – such as IP addresses, real names, and usage patterns – and hand it over to authorities upon request.
Unsurprisingly, these requirements were deemed incompatible with the core purpose of a VPN by the industry.
The latest advisory threatens to revive the debate between protecting user anonymity and law enforcement's need for data access to combat crime. However, if the industry's response three years ago is any indication, we expect most VPN companies will prioritize their privacy promises to users and refuse to collect or share data with anyone – including the police.
We test and review VPN services in the context of legal recreational uses. For example: 1. Accessing a service from another country (subject to the terms and conditions of that service). 2. Protecting your online security and strengthening your online privacy when abroad. We do not support or condone using a VPN service to break the law or conduct illegal activities. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.