As part of the government’s crackdown on cybercrime, India has introduced strict new rules on the handling of digital data by VPN operators in the territory. Among these measures, directive n° 20(3)/2022-CERT-In imposes the retention of personal information from June 27, 2022. Considering this decision as an invasion of privacy, the main VPN providers like Express VPN , and recently AIP formalized their withdrawal from the country.
Major VPN Providers Pull Out of India
On April 28, 2022, the Government of India’s Computer Emergency Response Team (CERT-In), released the new VPN Operating Policy. The directive implies the recording of a multitude of personal data over a period of at least 5 years.
The end of Internet Explorer disrupts Japan
To support this, the Minister of State for Electronics and Computers, Rajeev Chandrasekhar, has issued formal notice to operators who seek to circumvent the law. According to his statement, companies with physical servers in India must comply or leave India.
Since then, VPN companies active in the territory have successively rushed out. NordVPN was one of the first to announce its departure. ” Our Indian servers will remain until June 26, 2022. In order to ensure that our users are aware of this decision, we will send notifications with all the information via the NordVPN app from June 20. As advocates of digital privacy and security, we are concerned about the possible effect this regulation may have on people’s data. “, then confides Laura Tyrylyte, head of public relations for the company.
At the same time, Matt Fossen of Proton VPN claims to be monitoring the situation before specifying the company’s commitment to a policy of ” no logging “. Other companies have also followed suit, namely ExpressVPN, SurfShark, Hide.me and PIA (Private Internet Access).
The content of directive N°20(3)/2022-CERT-In includes an impressive list of measures on the storage of customer data.
The document details the information to be collected as follows:
- Validated names of subscribers/customers recruiting the services
- Rental period including dates
- IP assigned to/used by members
- Email address, IP address and timestamp used at the time of registration / onboarding
- Purpose of hiring services
- Validated address and contact numbers
- Ownership model of subscribers/customers hiring services
Through these “precautions”, the Indian government seeks in particular to strengthen digital security in the face of the resurgence of pirates, media poisoning and money laundering. However, this provision distorts the main function of a VPN which guarantees privacy. This was pointed out by Prateek Waghre, an activist in a digital citizens’ rights organization in Delhi.
” It is true that there is a clear need for better cybersecurity […] But if you demand large-scale data collection, everyone is at risk – and the risk increases even more for those who are already at risk, such as activists, journalists, dissidents and minorities. “, he explains.