Indian Minister of State for Electronics and Information Technology, Rajeev Chandrasekhar, has issued a thinly veiled threat to VPN companies that if they fail to abide by the country’s laws, they will not be welcome to operate in the country.
Chandrasekhar’s comments referred to the new directive issued by the Indian Computer Emergency Response Team (CERT-In), which we reported on last month.
The new directive requires all VPN companies to log user data and retain it for a minimum of five years, making all the information available to the authorities upon request.
The data that they will be collecting includes records of users’ names, their physical address, their phone number, their real IP address, time stamps, their user data, and various other bits of personally identifiable data.
Chandrasekhar data retention requirements
Chandrasekhar was speaking at a press conference outlining the new directives and he was nothing if not blunt in his comments:
“If you don’t have the logs, start maintaining the logs,” he stated. “If you’re a VPN that wants to hide and be anonymous about those who use VPNs and you don’t want to go by these rules, then if you want to pull out (from the country), frankly, that is the only opportunity you will have. You will have to pull out.”
He went on to insist that VPNs, as well as all cloud providers and data centre operators, have an obligation to know who is using their service.
When challenged about why this was the case, Chandrasekhar doubled down on his comments, saying, “Because, if there is a detected cyber incident or cyber breach, from one of the people using your VPN or your cloud or your data centre, it is your obligation to produce the data.”
He was asked if VPNs and other data centres would be required to maintain a database of this information and exclaimed, “Of course they do.”
CERT-In Directive clarifications
The Chandrasekhar press conference came in the wake of CERT-In’s clarifications about what this controversial directive will mean for VPN providers.
CERT-In has clarified that the rules will not apply to corporate VPNs but instead to any service that offers an internet proxy through VPN technology to general internet users.
In other words, the directive is targeted at individual internet users rather than businesses operating in India. However, when challenged on the lack of a public consultation on the new directive, Chandrasekhar bizarrely said this was because the public was not impacted by the new rules.
The new directive also includes a 6-hour reporting time for cybersecurity incidents, which many people have observed is a very short timeframe. But Chandrasekhar insisted this was actually very generous, pointing to France, which has a 4-hour rule, and Indonesia, with a 1-hour rule, as justification.
Sixty-day compliance deadline
It has also been announced that VPNs have a 60-day compliance deadline. After that time, all companies operating in India will be required to provide customer data upon request from the authorities.
Again, Chandrasekhar defended this short timeframe by saying that there are no real infrastructure requirements needed to comply with the new requirements.
This is patently not the case for most premium VPNs. Most do not have any provisions in place to collect this sort of user data. What is more, many would not be able to collect such user data even if they wanted to.
The best VPNs have set up their systems to ensure that user data remains private and cannot be logged, even if the provider wanted to log it.
Those companies now face a dilemma when it comes to doing business in India since changing their infrastructure to comply with this new directive will not be an option for them.
One top provider, NordVPN, has already indicated that it is considering pulling its India servers unless it can find a way around the new directive.
NordVPN’s stablemate, Surfshark, is another that is considering its options, with Surfshark’s legal department head Gytis Malinauskas telling Moneycontrol that they would ‘aim’ to continue not collecting user data.
What the new directive means for VPN users in India
That comment was concerningly vague, but we are confident that the overwhelming majority of VPNs will not comply with the new Indian directive and will continue to commit to being a “no logs” VPN.
What does that mean for them? Rajeev Chandrasekhar is pretty clear that companies that refuse to comply will not be able to operate in India. It, therefore, seems likely that NordVPN will not be the only provider to consider pulling its Indian servers.
It is also possible that the apps of VPNs that fail to comply may start to disappear from app stores, and their websites could also be blocked.
This is not great news for Indian VPN users or for online privacy in India, more generally. But it is not all bad news.
While it may become harder to access VPNs in India, services will continue to work there for users who have apps in place or who can find them through other means – such as proxy sites, downloading while abroad or mirror app sites.
For all of Minister Chandrasekhar’s bluster about VPNs not operating in India, he will know as well as anyone else that the Indian authorities do not have the resources or technological capabilities to block VPNs entirely, particularly those that don’t want to be blocked.
If even Communist China, with its seemingly bottomless pit of resources, is unable to achieve this, it is impossible for India to manage.
The new CERT-In directive is bad for online privacy in India and will make using a VPN less convenient. But it will not stop people from using VPNs in India. In fact, it is more likely to have the opposite effect.
It will be interesting to see what Rajeev Chandrasekhar has to say about that!