How the Indian Government's CERT VPN Guidelines Impact Users
CERT's 28th April guidelines have led to a lot of concerns in the cyber security agency. We discuss what these concerns are, whether they are really valid, and what the future of online privacy looks like in India.
There is a hullabaloo everywhere about the newly launched CERT Virtual Private Network guidelines mandating that service providers retain user data. The guidelines are facing criticism from various sections of society as they direct VPN provider companies to record and store the details of their users.
India's cyber watchdog, the Indian Computer Emergency Response Team (CERT-In), has issued the directives under the new cybersecurity policy from the Ministry of Electronics and Information Technology, to be implemented around the end of June. The guidelines apply not only to VPN companies but also to cloud service providers, data centers, and crypto exchanges, requiring them to collect extensive and specific customer data, even if the users delete their account or cancel their subscription.
Once implemented, this is simply going to affect how VPN services are offered and used in the country.
What does the directive say?
The directives ask VPN providers to store accurate and detailed information about users under the know your customer (KYC) policy for five years. The information includes users' valid names, the IPs allotted to them, email addresses, the timestamp at the time of registration, period of use, valid addresses, and contact numbers, and must be kept for a minimum of five years even if users cancel their subscriptions.
Impact on Users
Users usually use VPNs to hide their IP addresses from Internet Service Providers and third parties. Such directives will impact not only the VPN service providers but also VPN users, because they are surely going to harm their liberty and privacy. It is because of the privacy feature that people buy premium subscription plans from VPN providers. People working from home due to the pandemic is also a major reason behind the increase in VPN users in the country. Most techies, business persons, investigative journalists, and students use VPNs to protect their data, but once the directives come into effect their data will become vulnerable. Moreover, users such as investigative journalists are at risk of becoming targets of surveillance and losing their privacy.
How will the new policy affect providers?
The government has left VPN providers no choice but to leave the country if they are not ready to follow the guidelines. The VPN companies are firmly against the government directives, as storing user data is against their main principle of protecting user privacy. NordVPN, one of the largest VPN service providers in the world, has made it clear that they cannot make any compromise on user privacy. In an official statement, the company has stated that they can remove their servers from India if no other options are left. Moreover, the companies may incur major losses at the same time because of the government guidelines.
It is important to mention here that over 270 million VPN users were recorded in India in 2021, which is around 20% of the population. This number must have increased by now.
According to the regulations, the government can at any time ask VPN companies to furnish users' data, and failing to do so will result in punitive action under the IT Act, 2000 along with other applicable laws. Non-compliance, the order suggests, may even lead to potentially a year of prison time for executives.
Opposing the new guidelines from the Indian government, VPN providers like Surfshark, a Netherlands-based VPN provider, have claimed that the guidelines do not apply to them as they do not come under the jurisdiction of Indian laws. Surfshark insisted in a statement that they operate under the jurisdiction of the Netherlands, where there are no such laws asking them to log user activity.
Although it is too early to predict the exact impact the mandate will have on VPN providers, it is safe to say that some impact is expected.
Corporate, Enterprise VPNs Will Not Be Required To Maintain Logs
In much-awaited clarifications on its new cybersecurity directions, released in the form of FAQs, the Indian Computer Emergency Response Team (CERT-In) has maintained that the rules on maintaining customer logs are not applicable to corporate and enterprise Virtual Private Networks. With respect to this, the government clarifies that, for the purpose of the guidelines, VPN service providers will only include entities that provide "Internet proxy like services" to general internet users or subscribers. Corporates that use VPNs to enable their employees and other stakeholders to access their IT systems will benefit from this. However, it will be mandatory to maintain ICT logs.
Not to forget that Indian corporate businesses are a major source of income for a number of VPN and cloud service providers, and letting them go is not a viable option.
The Repercussions of the Government Move
The important thing to think about is how the government may use this data. This is still unclear, but it is most likely that there will be more accountability and stability in sectors like banking, following a dip in cases of bank fraud and scams due to the regulations. It will also become easier for law enforcement agencies to track criminals who use VPNs to hide their internet footprint.
Some dubious VPNs, on the other hand, help their users access content blocked in the country. For example, a few VPNs were offering access to the 59 Chinese apps even after India banned their use within the country. The government's move will also help track down anti-social elements and cybercriminals indulging in various heinous activities online. The fact remains that VPNs are playing a pivotal role in opening room for illegal activities like money laundering, with the rise in digital laundering, but the regulations will shut the doors on such online crimes.
Countries that have banned VPNs
Once the order takes effect, India could join the list of countries like China, North Korea, Russia, etc., which have banned the use of VPNs citing 'security' reasons. Partial regulations or complete bans are often considered by countries and ISPs because they find it difficult to track and monitor the activities of VPN users.
While Russia enacted a law banning VPNs in the country in 2017, China too made the use of all VPNs illegal except for government-approved service providers. The tightened rules of course made the VPN companies remove their physical services from China and Russia. India will soon follow suit with Belarus, China, Iraq, North Korea, Oman, Turkey, Turkmenistan, etc., which have banned VPNs completely. The UAE has partially regulated them, while VPNs are still legal in countries like the USA, Australia, UK, Japan, etc.
Final Thoughts
Indian officials, however, have made it clear that the directives are aimed not at stymying freedom of speech and privacy but at countering the growing threat of cybercrime faced by citizens.
Surfshark revealed in a recent study that India remains among the top five nations targeted by hackers, after about 675,000 Indian users faced breaches this quarter, while in the fourth quarter of 2021 the data of 1.77 million users was stolen.
But, ignoring all the facts, a large number of experts have raised questions about the legality of the new rules in the absence of a robust data protection law in the country.
While there have already been growing levels of crackdowns on nonprofits, journalists, and activists, the new order also seemingly signals India's move away from a free and open democracy. Not to forget India had 106 deliberate internet shutdowns, the highest number in the world in 2021. In the 2022 edition of the Press Freedom Index published by Reporters Without Borders, India fell eight places down to 150 out of 180 countries.
Now, it remains to be seen how things shape up when the rules come into effect at the end of June.