Explainer: New VPN rules, why companies are upset and what they mean for you

Some of the leading virtual private network (VPN) service providers have recently announced that they will remove servers from India. Companies including Surfshark, ExpressVPN and NordVPN have said that they are shutting their servers in India over the April 28 directive from India’s cyber agency Computer Emergency Response Team (CERT-In). According to AtlasVPN’s global index, India ranks among the top 20 countries in VPN adoption with 270 million users. Here’s why VPN service providers are upset, what the new rules say, whether they make using VPNs illegal in India, and more.

What do the government’s new VPN rules say?

The new cybersecurity norms have asked VPN service providers, along with data centres and cloud service providers, to store information such as names, email IDs, contact numbers, and IP addresses (among other things) of their customers for a period of five years. This is exactly what the rules say:

Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers, shall be required to register the following accurate information which must be maintained by them for a period of 5 years or longer duration as mandated by the law after any cancellation or withdrawal of the registration as the case may be:

* Validated names of subscribers/customers hiring the services
* Period of hire including dates
* IPs allotted to / being used by the members
* Email address and IP address and time stamp used at the time of registration / on-boarding
* Purpose for hiring services
* Validated address and contact numbers
* Ownership pattern of the subscribers / customers hiring services

Who do the new VPN rules apply to, and who not?

The new directions apply to “all service providers, intermediaries, data centers, body corporate and government organizations”.
CERT-In, however, clarified on May 12 that the rules on maintaining customer logs would apply only to individual VPN customers and not to enterprise or corporate VPNs.

What are these VPN service providers saying about shutting India servers?

“As one of the industry leaders, we adhere to strict privacy policies, which means we don’t collect or store customer data. No-logging features are embedded in our server architecture and are at the core of our principles and standards,” a NordVPN spokesperson said in a statement. “Moreover, we are committed to protecting the privacy of our customers. Therefore, we are no longer able to keep servers in India,” the company added.

ExpressVPN termed the CERT-In norms as “incompatible with the purpose of VPNs, which are designed to keep users’ online activity private”. Another player, Proton VPN, said in a tweet that the new CERT-In norms are “an assault on privacy, and that it will continue maintaining its no-log policy”. Surfshark has said that it “proudly operates” under a strict ‘no logs’ policy and that since CERT-In’s directions “go against the core ethos of the company”, it would shut down its physical servers in India before the new law comes into effect.

Do the new rules ban VPNs in India?

No, the new rules do not make using VPNs illegal in India. There is no ban on them. The government has introduced some restrictions for users and more compliance rules for VPN companies. This, as per the government, has been done to fight cybercrime and in the interest of national security.

How will the new rules affect VPN users in India?

With the new rules, VPN users in India may face a strict know-your-customer (KYC) verification process when signing up for a VPN service. This may include stating their reasons for using it. Internet freedom activists claim that this will potentially lead to users’ private data being exposed to the government.

Does this mean that these VPN service providers will not serve users in India?

There is no clarity on this yet. None of these companies has so far said anything on this clearly. ExpressVPN said that its users will still be able to use the service to connect to servers that will give them Indian IP addresses and allow them to access the internet as if they were located in India. It said these ‘virtual’ India servers would be physically located in Singapore and the UK.

What is the government saying on VPN companies removing servers from India?

Despite industry pressure, the government’s stand on the issue so far is firm. MoS Electronics and Information Technology, Rajeev Chandrasekhar, has said that VPN companies that do not adhere to the cyber-security guidelines are “free to leave India”. “If you don’t have the logs, start maintaining the logs. If you are a VPN that wants to hide and be anonymous about those who use VPNs to do business in India and do not want to go by these rules, then frankly pull out of India. That is the only opportunity you have,” Chandrasekhar said.

Government is seeking global action against VPNs (among other tools) to curb cybercrime

India is reportedly seeking global action to counter the use of technologies including virtual private networks (VPNs), end-to-end encrypted messaging services and blockchain-based technologies such as cryptocurrency by terrorists. In suggestions to members of an Ad Hoc committee of the United Nations debating a comprehensive international convention on countering the use of information and communications technologies for criminal purposes, Indian officials said, “the anonymity, scale, speed and scope offered to (terrorists) and the increasing possibility of their remaining untraceable to law enforcement agencies” by using these technologies remains one of the major challenges before the world.

Which countries have banned VPNs?

Currently, while some governments have regulated VPNs, others have an outright ban on them. The countries where VPNs are banned include China, Belarus, Iraq, North Korea, Oman, Russia and the UAE. Other countries have internet censorship laws, which make using a VPN risky.

What about Europe, the UK and the US?

There are no British laws that prevent people in the country from using a VPN. However, the country’s Investigatory Powers Act 2016 gives power to UK intelligence agencies to carry out the bulk collection of communication data. There are similarly no restrictions on VPNs in the EU and the USA; they have a free run but do come under the government’s ambit in certain cases related to national security and law and order.