In News
- Recently, India’s cyber security watchdog CERT-In issued new rules regarding virtual private networks (VPNs).
What is a VPN?
- A VPN is a service that protects users online by preventing their IP address from being tracked by websites, law enforcement agencies, cybercriminals and others.
- Corporate employees are the most frequent VPN users, mainly for securely accessing company networks.
Data/ Statistics
About the new rules
- Storing data: VPN providers must preserve a wide range of data on their customers, including their contact numbers, email IDs and IP addresses, for five years.
- It also mandates VPN providers to record and keep their customers’ logs for 180 days.
- Reporting an incident: Companies are also required to report cyber security incidents to CERT-In within six hours of becoming aware of them.
- Application: the rules would apply only to individual VPN customers and not to enterprise or corporate VPNs.
- They will also be applicable to data centres, virtual private server (VPS) providers, cloud service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and Government organisations.
- Penalty: Failure to follow the rules will attract penalties for VPN providers. If they all refuse to comply, VPN services will effectively become illegal in India.
- KYC verification process: Users, apart from potentially having their private data exposed to the government, will also face a stringent know-your-customer verification process when signing up for a VPN service, and will have to state their reasons for using it.
Implications of the new rules
- Switch to storage servers: VPN companies will be forced to switch to storage servers, which will inflate their costs and eliminate their core function of user privacy.
- Privacy concerns: the rules have triggered privacy concerns, and many top VPN providers have threatened to leave the country if forced to comply.
- Top VPN providers NordVPN and Netherlands-based Surfshark have refused to comply with the government order so far, with Nord suggesting it might leave the country.
- Damaging the IT sector’s growth: such radical action, which highly impacts the privacy of millions of people in India, will most likely be counterproductive and strongly damage the IT sector’s growth in the country.
- Breach of account: It has raised the concern that collecting excessive amounts of data within Indian jurisdiction without robust protection mechanisms could lead to even more breaches.
What is a virtual server and what are its uses?
Global scenario
- Currently, a handful of governments either regulate or outright ban VPNs.
- These include China, Belarus, Iraq, North Korea, Oman, Russia, and the UAE.
- In China, not all VPNs are officially banned, but only government-approved VPNs are officially permitted to function.
- Other countries have internet censorship laws, which make using a VPN risky.
Way forward/ Government’s stand
- Not a breach of privacy: CERT-In says that the right to informational privacy of individuals is not affected by these rules, since the agency does not envisage seeking information on a continuing basis and expects to do so only in case of cybersecurity incidents.
- Contractual obligation: the obligation to report cyber security incidents to CERT-In overrides any contractual obligation with the customer not to disclose any details.
- Corporate VPNs will remain unaffected: The CERT-In mandate could render VPN services illegal in India if providers don’t comply with it, but corporate VPNs will remain unaffected.
- VPNs are also used by journalists, activists and whistleblowers for their work.
- Tracking criminals: the move would make it easier for the law enforcement agencies to track criminals who use VPNs to hide their internet footprint.
Indian Computer Emergency Response Team (CERT-In)
Source: TH