Update: Indian authorities extended the deadline for VPNs that leave or modify logging practices from June 28 to September 25 (opens in new tab; link heads to The Indian Express).
All VPN servers that are located in India now must comply with the new data law.
Security software companies are legally required to keep users’ data for up to five year according to the new CERT-In regulations. This includes IP addresses and real names as well as usage patterns. This information will be given to authorities on request.
Privacy advocates and cybersecurity experts expressed concern about the potential negative effects of these regulations on privacy since the April 28 government announcement. Some of the most trusted VPN services have taken drastic measures to ensure privacy values are maintained and users’ anonymity. Is India’s new data retention legislation controversial?
A VPN, short for virtual private network is security software that masks the IP address of users and secures their data in an encrypted tunnel.
The most private VPN services all have strict no-log policies to protect users’ anonymity. This means that user data cannot be shared, leaked, or shared. This is why customers are not allowed to store, leak, or share their logs. ExpressVPN stated that this obligation is’incompatible’ with VPNs (opens in new window).
India’s data retention law does not only affect VPNs. Cloud storage services and virtual private servers ( Virtual Private Servers), as well as data centers and cryptocurrency exchanges, are all subject to the new CERT In regulations.
This is in response to the increasing incidence of cybercrime. India, which had more than 86,000,000 data breaches in 2021 (opens in new window) was the third most affected country last year.
However, Surfshark stated in a statement (opens in new tab: “Collecting excessive data within Indian jurisdiction without robust security mechanisms could lead to further breaches nationwide.”
Access Now, a digital rights activist, has also found India responsible for 106 of 180 internet shut downs that were carried out in 2021 (opens in new tab). There is also backsliding in media freedom, and allegations that the Indian government used Pegasus technology for spying on activists and politicians.
This track record makes it easy to see why experts and citizens fear that the authorities will misuse this data-grab in order to encourage intrusive mass surveillance practices, and to undermine civil liberties.
Privacy is not the only thing at risk. India’s new data law could harm the IT sector’s growth. Future Market Insights COO, Sudip Saha stated to TechRadar that bans on VPNs will primarily harm corporate interests and act as a disincentive for investments and doing business here.
What VPN providers plan to do to protect privacy of users
Many VPN providers took a stand against Indian government’s decision and expressed their belief in the company’s values.
Some have chosen to Go Virtual to Protect the Privacy of Users. How? To allow people from India to connect to a fake Indian IP, they set up virtual addresses. They offer the same functionality but users’ data is protected as they are rerouted to servers located outside of the country.
ExpressVPN and Surfshark offer virtual India locations.
Some, such as IPVanish are considering offering something similar in future. At the time of writing however, Indian virtual locations are still not announced.
Others claim that they have no plans to create fake locations, even though they shut down Indian servers. These include NordVPN , Hide.me , and AtlasVPN.
NordVPN’s Laura Tyrylyte told us that she believes they can meet all customers’ needs, regardless of where they are located.
ProtonVPN also voiced disapproval over the new CERT-In regulations. It suggested secure ways to connect to VPN servers located in high-risk areas (opens in a new tab). To benefit from an additional layer of encryption, you can use one of its Secure Core servers.
Windscribe stated that it plans to keep its Indian servers ‘unless our Indian hosting provider forces us to leave.
