A new directive issued by an Indian Government body requires that VPN companies operating in the country to store user data and make it available to the authorities there.
The directive, which is scheduled to come into force on 27th June, although there are already some doubts about that date, will also apply to other data centres operating in the country.
It is the latest in a series of overbearing online regulations issued by the Indian authorities but the good news for VPN users in India is that while the regulation is law, it is practically unenforceable.
What the directive says
The directive has been issued by India’s Computer Emergency Response Team, known as CERT-in.
CERT-in is a body that operates under the authority of the Ministry of Electronics and IT and has the power to issue directives to all technology companies operating in India.
Under the directive, which was first reported by Entrackr, VPNs in India will have to log records of users’ names, their physical address, their phone number, their real IP Address, time stamps, their user data, and various other bits of personally identifiable data.
They will be required to hold this data for a minimum of five years and the VPN companies affected will also have to keep customer information on record even after a customer has terminated their subscription or account.
Anyone that doesn’t comply could face as much as a year in prison under the terms of the law.
According to the Ministry of Electronics and IT, this new directive is necessary in order to deal with “certain gaps” that make it harder for the Indian authorities to respond to “cyber incidents and interactions with the constituency.”
As justifications go, this is about as vague as it gets. Not only are the incidents that have triggered this move not specified, but the gaps in existing legislation that need plugging by this new directive are not identified either.
It is hard not to reach the conclusion that this new directive is motivated either by political considerations or by law enforcement agencies too lazy or ineffective to investigate whatever ‘incidents’ they are referring to properly.
India’s shocking online freedom track record
This latest move will not come as a big surprise to observers of online rights in India which have been systematically undermined in recent years.
Access Now, the digital rights campaign group, publishes a regular report on internet shutdowns around the world. Its latest report found that of 182 internet shutdowns that were imposed by governments around the world, India was responsible for 106 of them.
In other words, the Indian Government enforces nearly 60% of global internet shutdowns. These shutdowns are thought to have affected almost 60 million people.
We have reported several times before on the ongoing internet shutdowns in Kashmir. These have resulted in a spike in VPN demand in the region which could be a factor in this latest directive (At least it is better than the torture which some VPN users in Kashmir faced at the height of the situation there).
Censorship and online control is also commonplace in India. In 2020, the government arbitrarily banned more than 200 Chinese apps, including Tik Tok as well as almost 10,000 social media URLs.
More recently, last year Facebook, Twitter, and Google were pressured into accepting greater state control over social media content in India while only last month 22 separate YouTube channels were blocked with spurious ‘national security concerns’ cited as the reason.
VPN directive totally unenforceable
VPN users in India will doubtless be concerned about this latest directive. But the truth is that they have nothing to fear.
The majority of premium VPNs offer a no user logs guarantee which means that they do not collect any (or little) of the user data this new directive requires them to hold. Many have had these claims independently verified by third-party data security experts.
Not only do most VPNs not collect this data but some are physically incapable of doing so. VPN providers like ExpressVPN and Surfshark use RAM-disk server technology which is automatically wiped and means they couldn’t store this data even if they wanted to (which they don’t).
All of these VPNs are global companies and are highly unlikely to change their policies to keep any one individual Government happy.
Another key point to stress is that no premium VPNs are based in India. This means that they are not formally subject to Indian law and it is highly unlikely that the company or any individual working for it will face legal consequences as a result of this new directive.
It is possible that the Indian Government may try and make it harder for these VPNs to operate inside India if and when they inevitably fail to abide by this new directive.
However, the likelihood of India being able to successfully block and ban premium VPN companies is remote given their resources. If the Chinese Communist Party cannot do it with their near-bottomless pit of cash and human resources, what chances does India realistically have?
It is possible that life could get harder for VPN users and we could even see this directive as a step towards an outright ban on VPNs in India. But as we have seen in Kashmir, the Indian people certainly have the ingenuity and common sense to avoid this ban and keep enjoying the online freedoms they value so highly and which a VPN can help them enjoy.
This new directive is undeniably another step towards digital authoritarianism in India. But the blunt truth the Indian authorities have to face up to is that in reality, it is going to change very little.
