
The mandate on VPN and its implications on Data Privacy and User Safety

Last year, the Government of India reported that it was working on a measure to prohibit the use of all types of VPNs (Virtual Private Networks) in the country. Following on from that, the Indian Government has now mandated all VPN providers to collect and store their users' data for five years. Although it stated that this is being done amid security concerns, the impact it can have on all parties involved is alarming, to say the least.

As per a new directive issued by CERT-IN (Indian Computer Emergency Response Team), companies will now be required to store user data, including their IP addresses, emails, names, contact numbers, and addresses, for up to five years even after a user has terminated their service. Furthermore, the ministry can request this information at any moment, and VPN providers will be required to cooperate under the new regulation. As a result, there are growing tensions among the service providers as well as users.

The ministry said the move was an effort to “coordinate response activities as well as emergency measures with respect to cyber security incidents” and help it fill “certain gaps” that cause hindrance in handling cyber threats.

What are VPN services?

Simply put, a Virtual Private Network (VPN) allows users to establish a secure network connection. The service protects a user's identity by hiding their device's IP address, encrypting their data, and routing it through secure networks. There are more than 270 million Indians who use virtual private networks (VPNs). People use VPNs to get access to websites that might have been restricted by the government and to browse the internet safely, without being monitored at all. Additionally, a VPN can be used to browse internet content accessible in other states or countries, or for privacy on an internet that is rife with marketing tracking.

Another common use for a VPN is to protect oneself when connecting to a public network. When connected to public Wi-Fi, users often expose themselves to the risk of security breaches and data theft. A VPN enables the user to establish a secure network connection. It encrypts internet traffic and conceals a user's identity, making it difficult for third parties to track and steal user data. However, these regulations will simply contradict the established intent of using VPNs. If there is no data privacy and user data are not protected, users will be hesitant to use VPN services, affecting the businesses of these service providers.

The use of VPNs in corporations

Additionally, VPNs are also used by organisations for data protection. Many companies and enterprises instruct their employees to use an internal VPN to access the office network. However, their use of VPNs differs significantly from that of the general public. A business VPN, as it is called, is not meant for surfing restricted content; rather, it is used to track employees' digital footprint. In some ways, this is what the government intends to achieve with the country's new VPN mandate. The new regulation will most likely not affect enterprises or private VPNs since they already collect user data and information for so-called “data and user safety”. However, it will be interesting to see the impact of this regulation on major public VPN service providers.

Overall Impact

According to several reports, as soon as the new regulation surfaced, major VPN service providers in India, like Nord and Surfshark, stated that they will relocate their servers from India instead of complying with the new rules. This was expected since most of these services prioritise data privacy and user safety. More importantly, these service providers offer a no-log policy, which means they don't keep track of what users do with their VPN. As a result, they won't be able to assist the ministry with any data it might request, and thus it is difficult to see how they will be able to comply with these regulations.

These VPN services can comply with Indian regulations only if they adjust their practices in a way that makes them less secure. However, this would simply go against their promise of securing user data and providing data privacy. As a result, other VPN providers are likely to cease their operations in the country. VPNs that do not comply with Indian regulations will be temporarily blocked.

In Conclusion

VPNs do allow users to cloak themselves and so engage in malicious activities, which could be a concern. However, many experts consider these measures to be excessive. These rules are likely intended for state-sponsored surveillance and defeat the purpose of user privacy. They have been designed to drive all VPN services that provide privacy and anti-censorship out of the nation. By the looks of it, the government has taken the first step in achieving its initial goal of outright banning VPN services. Whether VPNs comply with the new rule or not, it is the user's privacy that will be put at risk.

The new VPN rules in India will take effect in June. For the time being, this will be strictly enforced.

Interesting fact: Many countries either ban or regulate VPNs, including China, Russia, Iraq, North Korea, Belarus, the United Arab Emirates, and Oman.


