The Indian government’s Computer Emergency Response Team (CERT-In) released a new guideline in the final week of April that would radically alter how VPNs are used in the country. The policy takes effect on June 28, 60 days after its announcement. If you’ve heard about India’s new VPN policy and aren’t sure what it means, this post covers everything you need to know about it and how it will affect you.
India’s New VPN Policy Explained (2022)
What is India’s New VPN Policy?
According to the Computer Emergency Response Team (CERT-In), India’s new VPN regulation is intended to strengthen the country’s cybercrime monitoring mechanism. It requires VPN providers to collect and retain personal data about VPN users in India, such as names, IP addresses, physical addresses, phone numbers, and more. The next section lays out all of the data collection rules for VPN firms.
What is India Asking VPN Companies to Save?
VPN firms should store the following user data, according to CERT-In’s directions. These regulations affect not just VPN providers, but also data centers, virtual private server providers, and cloud service providers.
Data logging – Logging should be required for a duration of 180 days.
Data localization – Logs should be kept in India.
Save the following client information for five years:
Verified names of subscribers/customers who have hired the services
Hire period, including dates
IP addresses assigned to and used by members
Email address, IP address, and time stamp used at the time of registration/onboarding
Purpose for hiring the services
Validated contact information and addresses
Ownership pattern of the subscribers/customers hiring the services
In addition to these requirements, VPN providers must report cyber incidents within six hours of becoming aware of the breach. They are also told to sync system clocks with the Network Time Protocol (NTP) servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or with NTP servers traceable to these NTP servers.
How Did VPN Companies React to the Order?
Leading VPN providers have published statements in the last few days expressing their views on India’s VPN policy. Here are the official statements in brief:
“ProtonVPN is watching the situation, but we remain dedicated to our no-logs policy and protecting our users’ privacy,” company spokesman Matt Fossen told Wired.
“We only utilize RAM-only servers, which automatically erase user-related data,” says Surfshark. “We’re still looking at the new rule and its consequences for us, but our overarching goal is to continue to provide no-logs services to all of our users,” said Gytis Malinauskas of Surfshark.
“Our staff is examining the new directive and determining the best course of action,” says NordVPN. “If there are no other options, we may withdraw our servers from India,” Laura Tyrylyte of Nord Security told Wired.
Why is the Indian Government Doing This?
The Indian government defends its policy as a move to boost the country’s cybersecurity. The directives are intended to “address various gaps causing difficulty in event analysis” while dealing with cyber incidents, according to the government’s press statement.
“VPNs were used in the majority of the frauds. We’re only asking that you maintain the documents for five years, not that you hand them over to us. Keep the records; any law enforcement agency can request them if necessary. That, I believe, is a reasonable request. It’s a natural progression. All the countries are moving in that direction… Police has the right to ask the criminal to remove the mask or not – same is the case here,” a senior government official was quoted as saying by the Economic Times.
Will India Entirely Ban VPNs?
No, not for now. VPN firms with servers in India are subject to the new legislation. Because of the directive’s invasive character, VPN companies with servers in India are considering shutting down their operations in the country. That does not rule out the possibility of using the service. According to the current rules, you should still be able to connect to the same VPN provider’s servers in other countries. It’s unclear whether the government intends to target that path as well in the future.
Furthermore, privacy-focused VPNs are designed with a no-logs policy in mind and employ RAM-only servers, making log collection technically impossible. They would have to rethink their infrastructure to comply with the new law and operate in the country, putting consumers’ privacy at risk in the process. We don’t believe most VPN companies would be prepared to make such modifications to continue operating in the country, because anonymity is a significant selling point for most VPNs.
What’s Changing for VPN Users in India?
Let’s look at three different scenarios to see what’s changing for an ordinary VPN user in India: firms that comply with the new VPN regulation, firms that refuse to comply despite having servers in India, and firms that do not have a server in India or opt to shut down their servers in the country.
Companies That Comply with the New Policy
If a VPN service chooses to follow the new policy, it must collect and keep logs for 180 days in the country. It should also keep the user’s personal data for a period of five years. When the policy takes effect next month, keep a watch on your VPN provider’s position on it.
Companies That Won’t Comply with the Directive Despite Having Indian Servers
If a VPN provider continues to operate as usual after June 28 without adhering to the rules, it may face penalties under section 70B(7) of the Information Technology Act of 2000. According to the statute, this is punishable by a year in prison, a fine of up to one lakh rupees, or both.