Explainer: New VPN rules, why VPN companies are upset and what they mean for you – Times of India

Some of the leading virtual private network (VPN) service providers have recently announced that they will remove servers from India. Companies including Surfshark and ExpressVPN and NordVPN have said that they are shutting their servers in India over the April 28 directive from India’s cyber agency Computer Emergency Response Team (CERT-In). According to AtlasVPN’s global index, India ranks among the top 20 countries in VPN adoption with 270 million users. Here’s why VPN service providers are upset, what the new rules say, do they make using VPNs illegal in India and more.
What does government’s new VPN rules say
The new cybersecurity norms have asked VPN service providers along with data centres and cloud service providers to store information such as names, email IDs, contact numbers, and IP addresses (among other things) of their customers for a period of five years. This is what the rules say: Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers, shall be required to register the following accurate information which must be maintained by them for a period of 5 years or longer duration as mandated by the law after any cancellation or withdrawal of the registration as the case may be:
a. Validated names of subscribers/customers hiring the services
b. Period of hire including dates
c. IPs allotted to / being used by the members
d. Email address and IP address and time stamp used at the time of
registration / on-boarding
e. Purpose for hiring services
f. Validated address and contact numbers
g. Ownership pattern of the subscribers / customers hiring services
Who all does the new VPN rules apply to and not
The directions apply to “all service providers, intermediaries, data centers, body corporate and government organizations”. CERT-In has, however, clarified that the rules of maintaining customer logs would apply only for individual VPN customers and not to enterprise or corporate VPNs.
What are these VPN service providers saying about shutting India severs
“As one of the industry leaders, we adhere to strict privacy policies, which means we don’t collect or store customer data. No-logging features are embedded in our server architecture and are at the core of our principles and standards,” a NordVPN spokesperson said in a statement. “Moreover, we are committed to protecting the privacy of our customers. Therefore, we are no longer able to keep servers in India,” the company added.
ExpressVPN termed the CERT-In norms as “incompatible with the purpose of VPNs, which are designed to keep users’ online activity private”. Another player Proton VPN said in a tweet that the new CERT-In norms are “an assault on privacy, and that it will continue maintaining its no-log policy”. Surfshark has said that it “proudly operates” under a strict ‘no logs’ policy and that since the Cert-In’s directions “go against the core ethos of the company”, it would shut down its physical servers in India before the new law comes into effect.
Do the new rules make VPNs illegal in India
No, the new rules do not make VPNs illegal in India. They bring some restrictions for users and more compliance rules for VPN companies.
How will the new rules affect VPN users in India
With the new rules, users may face a stringent know-your-customer (KYC) verification process when signing up for a VPN service, and will have to state their reasons for using it. Internet freedom activist also claim that this will potentially lead to users privacy data exposed to the government. The new rules, however, will in no way make using VPNs illegal in India.
Does this mean that these service providers will not serve users in India
There is no clarity on this. No these companies have per se not said clearly said anything on this. ExpressVPN said that its users will still be able to use the service to connect to servers that will give them Indian IP addresses and allow them to access the internet as if they were located in India. It said these ‘virtual’ India servers would be physically located in Singapore and the UK.
What is government saying on VPN companies removing severs from India
MoS Electronics and Information Technology, Rajeev Chandrasekhar has said that VPN companies who do not adhere to the cyber-security guidelines are “free to leave India” if they do not comply with the rules. “If you don’t have the logs, start maintaining the logs. If you are a VPN that wants to hide and be anonymous about those who use VPNs to do business in India and do not want to go by these rules, then frankly pull out of India. That is the only opportunity you have,” Chandrasekhar said.
Government is seeking global action against VPNs to curb cybercrime
India is reportedly seeking global action to counter the use of technologies including virtual private networks (VPNs), end-to-end encrypted messaging services and blockchain-based technologies such as cryptocurrency by terrorists. In suggestions to members of an Ad Hoc committee of the United Nations debating a comprehensive international convention on countering the use of information and communications technologies for criminal purposes, Indian officials said, “the anonymity, scale, speed and scope offered to ( terrorists) and the increasing the possibility of their remaining untraceable to law enforcement agencies” by using these technologies remains one of the major challenges before the world.
Which countries have banned VPNs
Currently, while some governments have regulated VPNs others have outright ban on them. The countries where VPN is banned include China, Belarus, Iraq, North Korea, Oman, Russia and the UAE. Other countries have internet censorship laws, which make using a VPN risky.
What about Europe, UK and the US
There are no British laws that prevent people in the country from using a VPN. However, the country’s Investigatory Powers Act 2016 gives power to UK intelligence agencies to carry out the bulk collection of communication data. There are similarly no restrictions on VPNs in EU and USA, but yes they do have free run and do come under government ambit in certain cases related to national security and law and order.