Last month, the Indian Computer Emergency Response Team (CERT-In) proposed a set of cybersecurity regulations obliging VPN and cloud service providers to keep track of customers’ names and IP addresses. Indian authorities suggested providers who refuse to comply with the new rules pull out of the Indian market.
The new set of rules, called the Cyber Security Directions, requires concerned parties to collect and store customers’ names, IP addresses, email addresses, financial transactions, and know-your-customer (KYC) records for five years.
In an FAQ document, the government agency said the Cyber Security Directions of 28.04.2022 apply to “service providers, intermediaries, data centers, body corporate, Virtual Private Server (VPS) providers, cloud service providers, VPN Service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers, and Government organizations.”
The document says the regulations won’t affect individual citizens, and won’t apply to enterprise and corporate VPNs.
Several VPN providers, including NordVPN, ExpressVPN and ProtonVPN, expressed concerns. The consensus seems to be that the new regulations are “an assault on privacy,” and they “threaten to put citizens under a microscope of surveillance.” ProtonVPN stated it will remain committed to its no-logs policy, while NordVPN said it might pull out of India if it has “no other options.”
Rajeev Chandrasekhar, India’s junior IT minister, said VPN providers who want to cloak the identity of their customers “will have to pull out.” He added that no public consultation will be held on the new regulations.
These regulations were adopted in the wake of several large-scale data breaches that hit Indian companies. However, leaving VPN providers unable to conceal the identity of their customers runs counter to their very purpose. VPN services exist to offer customers peace of mind and to safeguard their privacy against any form of violation, including governmental surveillance.