Indian Government sued over VPN rules

Delhi High Court sign on gate

The Indian Government’s controversial VPN rules are set to be challenged in court after an Indian hosting company sued the authorities over their legality.

SnTHostings, which is based in the western city of Pune, petitioned the Delhi High Court on Wednesday with the support of the Internet Freedom Foundation.

The case is now scheduled to be heard on December 9th, and Justice Yashwant Varma has directed CERT-In (the Indian Computer Emergency Response Team), the body which has introduced the new regulations, to submit its reply within four weeks.

The suit comes after a previous legal notice sent to the Government on June 10th on behalf of SnTHostings was ignored.

SnTHostings provides hosting, Virtual Private Network and Virtual Private Server services as well as Remote Desktop Protocol and Dedicated Root Services to more than 15,000 customers and has therefore seen its business directly impacted by the crass new regulations.

What the lawsuit claims

In the lawsuit, which stretches to 33 pages in length, lawyers representing SnTHostings ask for the section of the new regulations enforced by CERT-In from May of this year that requires VPN companies to retain user data be set aside.

They make the case that this rule undermines the very purpose of having a VPN and that the right to enjoy online anonymity is already established by precedent. The inevitable conclusion is, therefore, that this new regulation is a violation of Indian citizens’ right to privacy.

It goes on to argue that the regulations undermine the constitutional right to do business and cannot, therefore, be classed as ‘reasonable restrictions.’

The lawsuit also argues that the new regulations are beyond the remit of CERT-In as they are empowered to ask for data routinely collected by companies but not to demand the collection of data.

In making this case, the suit cites the letter sent to the Indian Government by a range of big tech companies, including the likes of Microsoft and Apple, claiming that this retained data could be vulnerable to cyberattack.

Some inaccuracies in the lawsuit

We will have to wait until December to find out if this lawsuit is successful, but there has to be some doubt, given several inaccuracies that have been spotted by keen-eyed observers.

For example, the lawsuit states that, “during June 2022, ExpressVPN, Surfshark VPN, and NordVPN – all global leaders in the market – suspended India operations indefinitely.”

This is not correct. ExpressVPN, NordVPN, and Surfshark VPN all stopped operating India-based servers, which would have been required to comply with the new regulations. But all three VPNs still work in India and are in constant use by people right across the country.

That’s not to say the regulations might not be the first step on the road towards seeking to block access to such VPNs in India. Indeed, the Indian government has already stated on record that “the directions apply to any VPN Service provider offering services to the users in India”, not just to VPN servers.

Such a move would be almost impossible to enforce but could nonetheless provide real inconvenience to Indian VPN users if the Government in their country decides to begin a game of cat and mouse with VPN companies.

This sort of mistake could be as a result of bad phrasing or translation, but if it is a basic factual error, it has to raise concerns about the rest of the suit.

The impact of the draconian new regulation

One thing that cannot be argued with is the negative impact that the new regulations have had on the Indian economy.

As Richa Babbar, Director of Edge & Ecosystem Development at Web Werks told Entrackr, some firms that have contracts with major VPNs may well choose to offshore business and “this way the data centres hosting these servers will lose business.”

The article goes on to cite one Indian company, Edgoo Networks which worked with NordVPN to facilitate connectivity to Indian servers but which has lost this business as a direct result of the new regulations.

SnTHostings argued in a letter that the new regulations had been introduced “without any consultation with stakeholders.”

“This demonstrates how detrimental these Directions could be for investment in India and our business reputation internationally,” they continued.

Aside from the minor inaccuracies, it is difficult to disagree with too much of the case that SnTHostings and its lawyers have made.

However, things in India rarely run quite so simply. Last month, there was a law case over a 25-cent train fare that finally concluded after 22 years.

It might therefore be a bit longer than December before SnTHostings’s lawsuit reaches its conclusion. But it is great to see a business and the Internet Freedom Foundation standing up for online freedoms in the most populous country on the planet.

Author: David Spencer

Cyber-security & Technology Reporter, David, monitors everything going on in the privacy world. Fighting for a less restricted internet as a member of the VPNCompare team for over 7 years.

Away from writing, he enjoys reading and politics. He is currently learning Mandarin too... slowly.

Leave a Reply

Your email address will not be published. Required fields are marked *