The Centre on Wednesday gave Virtual Private Network (VPN) service providers an ultimatum — abide by the law of the land, or stop doing business in India. But it is easier said than done as some operators claim they are covered by laws of other countries and India may find it hard to ensure compliance from them.
"There is no opportunity for somebody to say they will not follow the rules and laws of India ... if you are a VPN and want to be anonymous and hide ... and you don't want to (abide) by these rules, then frankly, to pull out (of India) is the only (option) you have," Minister of State for Electronics and Information Technology Rajeev Chandrasekhar said while addressing a press conference on Wesdnesday. "If you can't maintain (user data), then (India) is not a good place to do business," Chandrasekhar said.
The ministry on Wednesday issued a booklet of frequently asked questions on the cybersecurity directions issued on April 28 by the Indian Computer Emergency Response Team (CERT-In) — the cybersecurity watchdog under the Ministry of Electronics and Information Technology.
The minister was responding to a question on VPN operators expressing concerns about the April 28 directions, under which, VPN service providers, among others, must maintain a database of customers or users for a rolling period of 180 days — up to five years in some cases — and share the data with the government as and when asked.
This spread a sense of disquiet among VPN providers and users, who feel that the whole point of a VPN service is lost if a database is maintained and shared with the government. As per a report by The Economic Times, there are 270 million active VPN users in India, while a 2021 analysis
by global VPN provider Atlas showed that VPN installs reached 348.7 million in the first half of 2021.
Nord VPN said it would rather pull out of India than compromise its users' privacy, while Surfshark VPN said it was evaulating its options as it has a strict no-logs policy.
“We are committed to protecting the privacy of our customers therefore, we may remove our servers from India if no other options are left,” Patricija Cerniauskaite, spokesperson for Nord VPN’s parent company, Nord Security, was quoted in media reports.
Meanwhile, in an email response to a query sent by CNBC-TV18, Gytis Malinauskas, the head of Surfshark's legal department, said, "Surfshark has a strict no-logs policy, which means that we don’t collect or share our customer browsing data or any usage information."
Surfshark operates only with RAM-only servers, which do not have the capacity to store data, and automatically overwrite user-related data with fresh information. "... at this moment, even technically, we would not be able to comply with the logging requirements," Malinauskas said in the same email.
Chandrasekhar said the government's aim is a "safe and trusted internet".
"If you don't have logs, start maintaining logs. If you are a VPN ... you have an obligation to know who is using your VPN infrastructure. If there is a detected cyber incident or cyber breach from one of the people using your VPN ... it is your obligation to produce the data. Now you can't, at that point, stand and say, 'No, it is our rule that we don't maintain logs'."
In an updated response on Wednesday, Surfshark's Malinauskas added that they were evaluating the implications of the new rule with Indian lawyers and did not rule out challenging its validity. "Until further clarity on the law by the Indian government, it would be difficult to predict the impact and scope new regulations could have on the VPN industry. Nevertheless, Surfshark remains committed to providing no-logs services to its users, including those living in India."
Furthermore, Surfshark is sharing this message through its customer service to assuage the privacy concerns of its users. "In this case, we should still work in India properly, because we operate under the Netherlands law, so the strict no-logs policy will remain. In other words, you'll be completely safe!"
Users of VPN services, however, remain concerned about their privacy.
"I started using a VPN in early 2021 because of privacy concerns — I hadn’t realised just how much information was being collected by an action as simple as browsing the web, without the users’ knowledge. The new government order comes as a security concern. If you want to go after illegal activity, surely this is not the way to go about it," said Divya, a VPN user.
Vishal, another VPN user, said, "If the government's stance is so inflexible, then VPN companies will definitely start pulling out as, if they make an exception for India — a massive market for them — then it sets a precedent for other countries to do the same. What then? Do VPNs shut shop altogether or offer a joke of a service that is in no way private or secure?"
As things stand, VPN service providers in India appear to be in a state of flux. They have 60 days to comply with the order, and, going by Chandrasekhar, there is abolutely no extension to that deadline.