Implications of India’s new VPN rules
June 27, 2022

In News:

  • Recently, India’s cybersecurity watchdog Indian Computer Emergency Response Team (CERT-In) issued new rules for companies offering virtual private networks (VPNs).
  • The new rules require VPN providers to keep a wide range of data on their customers, including contact numbers, email addresses and IP addresses, for five years. 

What’s in today’s article:

  • About VPN and implications of new VPN rules
    • What is a VPN?
    • About the new rules
    • Rationale behind issuing these rules
    • Implications of new rules for VPN providers and their customers
    • Government’s response 

About VPN and implications of new VPN rules:

  • What is a VPN?
    • A VPN is a service that protects users online by preventing their IP address from being tracked by websites, law enforcement agencies, cybercriminals and others.
    • Corporate employees are the most frequent VPN users, mainly for securely accessing company networks.
    • A VPN's primary benefit is that it ensures privacy and creates a safe and secure connection while using a public network such as the internet.
    • Simply put, they mask online id, making it difficult for third parties to track, steal and store data.
  • About the new rules:
    • These are drafted by the Ministry of Electronics and Information Technology (MeitY), Government of India.
    • It mandates VPN companies to record personal information of their users including names, email id, phone number and IP address for a period of five years and to record and keep their customers’ logs for 180 days.
    • The VPN providers also have to record usage patterns, purpose of hiring services and various other information.
    • Apart from VPN companies, the new norms are also applicable to data centres, virtual private server (VPS) providers, cloud service providers, Government organisations, etc. However, the corporate entities are not under the scanner.
      • A virtual server is a simulated server environment built on an actual physical server.
      • It recreates the functionality of a dedicated physical server, but offers higher security than the latter.
      • Service providers who do not have a physical presence in India but offer services to the users in the country, have to designate a point of contact to liaise with CERT-In.
    • It further mandated that any cybercrime recorded must be reported to the CERT-In within 6 hours of the crime.
    • The directives will take effect at the end of June (2022) and if the data is not handed over to the government by then, the entities would face punitive action.
  • Rationale behind issuing these rules:
    • The CERT-In, which acts as a safeguard against cyber-attacks, has identified "gaps" in the way it analyses online threats.
      • For example, non-availability of data hampers analysis and investigation.
    • In a report (2021) to the Rajya Sabha, a Parliamentary Standing Committee requested the MeitY to block VPNs with the assistance of internet service providers.
    • Hence, the new rules will enhance overall cyber security posture and ensure safe and trusted internet in the country.
  • Implications of new rules for VPN providers and their customers:
    • With the new rules, the government will have access to customers' personal information, violating privacy and rendering VPN use obsolete.
      • Customers will be required to go through a rigorous KYC process when signing up to use a VPN and will be required to state the reason for using the services.
    • In response to CERT-In rules, several VPN providers (like NordVPN), have said that they will either move their servers out of the country or will shut down their physical servers in India and cater to users in India through virtual servers located abroad.
  • Government’s response:
    • According to the CERT-In, various stakeholders were consulted before notifying the new rules.
    • According to the MeitY, the new rules are the need of the hour to ensure stability and resilience of cyber space and there will be no changes to the rules despite pushback from various stakeholders.

Enquire Now