Come 28 June 2022, the Indian Government will ensure that Virtual Private Network (VPN) providers in India register and preserve, for at least five years, the user information of subscribers who use these services. The Computer Emergency Response Team - India (CERT-In) has issued these instructions in an eight-page directive under the provisions of sub-section (6) of section 70B of the Information Technology (IT) Act, 2000. If the instruction is not adhered to, the Government can invoke “punitive action” against the service provider under sub-section (7) of section 70B of the IT Act, 2000 and other laws as applicable. This law will be binding on VPN service providers and their allied data centres, virtual private server (VPS) providers, and cloud service providers other than the ISP, if such services are provided by them.
The user information includes the valid names of subscribers, the period of subscribing to the service, the IPs allotted to and being used by them, the email address and IP address as well as the accurate time recorded during registration, the purpose of subscribing, validated address and contact numbers, and the ownership pattern of the subscribers signing into the service.
By means of this instruction and its implementation, the Government will be able to mandate cyber security with the aim of protecting the country through a well-planned incident response to cyber incidents, and can also maintain surveillance over malicious actors who operate within India to commit cyber crime and cyber offences.
It is a known fact that some countries with repressive governments have outlawed VPNs in an attempt to maintain control. Countries such as Belarus, China, Iraq, North Korea, Oman, Russia, Turkmenistan, Uganda, Turkey, UAE, etc. either regulate or outright ban VPNs; this is done mainly to ensure security and also to ensure regulation of the internet and its censorship.
A few of the service providers who offer VPN services in India are ExpressVPN, Surfshark, NordVPN, ProtonVPN, IPVanish, etc. Apart from these, there are enterprise VPNs, such as Airtel, Cisco, Fortinet, NIC, etc. These enterprise VPNs mushroomed during the pandemic period, when users working from home were required to connect to secured enterprise networks over the commercial internet. In this case, VPNs were seen as an effective tool to safely communicate and transfer files on the internet and, in some cases, as a workaround to location-specific restrictions on information imposed for specific reasons.
It is otherwise a technological challenge: a VPN by its very nature offers anonymity to the user, and using one helps the user evade all but the most sophisticated efforts to regulate the internet and censor information, because the service provider does not maintain or provide any information about its users or their browsing history. Users were also at liberty to anonymise their internet activity and hide themselves.
Sometime in September 2021, a petition by the Parliamentary Standing Committee on Home Affairs, Government of India, had requested the Government to prohibit VPN services in India, citing reasons of overall national security. The Committee stressed the “technological challenge” that such VPN services pose to the security of the nation, and that such services allow unsolicited operations by cybercriminals and help them remain anonymous online. It also highlighted that such VPN services are easily available online for anyone’s use in India and that these service providers were not mandated by law to maintain the details of such subscribers.
The modalities of implementing this new instruction will be a challenging issue, as the government mandate, as claimed by many, goes much against the principle of a VPN (by definition). “Prime purpose of getting a VPN service is to create a Private Network (with whatever it can offer) over the public network, and these are provided to the end customer to benefit from anonymity, trackability, traceability, surveillance, other than security of connection to an Enterprise Network”. Most VPN companies follow no-logs practices and often actively publicize that no logs of users’ activity data are maintained; some of them collect anonymised analytics data to troubleshoot and fix connection failures, but it was not binding on them to share it with the Government. Hence, we may find many of the service providers walking out of India. Some service providers will now have to establish infrastructure in India to ensure compliance, and also open offices to service the requests of the government. It is also worth noting that the Government of India, in the same instruction, has made it mandatory for crypto exchanges to store user data for at least five years for all usage in India.