India’s New VPN Policy Explained (2024)
What is India’s New VPN Policy?
What is India Asking VPN Companies to Save?
According to CERT-In’s directions, VPN companies should store the following data of users. Notably, these directives are applicable not only to VPN companies but also to data centers, virtual private server providers, and cloud service providers.
- Data Logging – Should mandatorily enable logs for a rolling period of 180 days
- Data Localization – Should maintain the logs within India
- Save the following details of customers for 5 years:
  - Validated names of subscribers/customers hiring the services
  - Period of hire including dates
  - IPs allotted to / being used by the members
  - Email address, IP address, and time stamp used at the time of registration / on-boarding
  - Purpose for hiring services
  - Validated address and contact numbers
  - Ownership pattern of the subscribers/customers hiring services
Beyond these highlights, VPN companies are required to report cyber incidents within 6 hours of noticing the breach. They are also directed to sync system clocks with the Network Time Protocol (NTP) server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or with NTP servers traceable to these.
How Did VPN Companies React to the Order?
ProtonVPN: “ProtonVPN is monitoring the situation, but ultimately we remain committed to our no-logs policy and preserving our users’ privacy,” spokesperson Matt Fossen told Wired.
Surfshark: “We operate only with RAM-only servers, which automatically overwrite user-related data. We are still investigating the new regulation and its implications for us, but the overall aim is to continue providing no-logs services to all of our users,” said Surfshark’s Gytis Malinauskas.
Why is the Indian Government Doing This?
“Most of the frauds were happening through VPNs. We are just saying you keep the records for five years…we are not saying give it to us. Keep the records – if required, then any law enforcement agency can ask. I think that’s a very fair ask. It’s an evolution. All the countries are moving in that direction… Police has the right to ask the criminal to remove the mask or not – same is the case here,” a senior government official was quoted as saying by the Economic Times.
Will India Entirely Ban VPNs?
Besides, privacy-focused VPNs are built with a no-logs policy in mind and use RAM-only servers, which makes it technically infeasible to collect logs. To comply with the new directive and operate in the country, they will have to rethink their infrastructure and put the privacy of users at risk in the process. Since the promise of offering privacy is a key selling point for most VPNs, we don’t think most VPN providers would be willing to make such changes to continue operating in the country.
What’s Changing for VPN Users in India?
Companies That Comply with the New Policy
If a VPN provider chooses to comply with the new policy, it has to collect and maintain logs in the country for 180 days. It should also store the aforesaid personal data of the user for five years. You should keep an eye on your VPN provider’s stance on the policy when it comes into effect next month.
Companies That Won’t Comply with the Directive Despite Having Indian Servers
If a VPN provider continues to operate as usual after June 28 without following the policy, it may invite punitive action under sub-section (7) of section 70B of the IT Act, 2000. According to the Act, that carries one year of imprisonment, a fine which may extend to one lakh rupees, or both.