The Indian Government has issued a decree that gives it the right to seek records related to virtual private network (VPN) users in order to combat cybercrime. The directive on VPNs comes after an investigation that revealed that most of the cybercrime in India is happening through VPNs.
Un-CERT In Times
The directive was issued by the country’s cyber watchdog – the Indian Computer Emergency Response Team (CERT-In). It is expected to come into effect 60 days after issue, tentatively around the end of June.
India currently has over 270 million VPN users, most of whom use a VPN to connect to their company network. Prominent VPN providers Surfshark and NordVPN said they might not be able to comply with the new directive, which requires storing the personal data of users (names, addresses, contact numbers, email, and IP addresses) for up to five years.
“We are just asking the companies to maintain records and not to hand them over to us,” a government spokesperson said. The records will only be required if any law enforcement agency demands them.
VPN service providers may leave India as it’s impossible to comply with the government’s directive.
Govt. vs. User Privacy
According to cybersecurity experts, this directive not only defeats the purpose of VPNs but is also possibly aimed at state-sponsored surveillance (particularly of journalists, lawyers, and activists). Is the government trying to pussyfoot around citizen data?
Well, cybersecurity experts and digital rights advocates expressed concern over data security and how the data may be misused under the new directive and in the absence of a data protection framework.
Too long? Here’s a one-liner: Indian government issues a new directive that makes user data collection mandatory for VPN providers who may not be able to comply; guideline to come into effect from June end.