The Indian government clarified that corporate and enterprise VPN services are not subject to its new cybersecurity directive, which requires VPN providers to maintain detailed information about their customers. The directive only applies to services catering to general Internet users, the government said.
“For the purpose of this direction, VPN service provider refers to an entity that provides ‘Internet proxy like services’ through the use of VPN technologies, standard or proprietary, to general Internet subscribers/users,” the Ministry of Electronics and Information Technology (MeitY) said in its FAQs document on the directive issued by the Indian Computer Emergency Response Team (CERT-In).
Companies use VPN services to allow employees to connect to the office network and access company files from outside of the office premises. This clarification will be a relief to a large number of these companies who had been left wondering how they can comply with the new directive.
What are the rules for VPN providers?
The new directions issued by CERT-In on April 28 contain provisions that extend beyond VPN providers, and cybersecurity experts have lost no time in criticising them for a long list of reasons. However, the provisions pertaining to VPN providers have garnered extra attention because the CERT-In proposal goes against the very selling point of VPN companies: privacy. Starting 28 June 2022, VPN providers are required to:
- Maintain detailed customer information: Data Centres, Virtual Private Server (VPS) providers, cloud service providers, and Virtual Private Network Service (VPN Service) providers are required to register the following accurate information about customers and subscribers for a period of 5 years or longer after any cancellation or withdrawal of the registration:
  - Validated names of subscribers or customers hiring the services
  - Period of hire including dates
  - IPs allotted to or being used by the members
  - Email address and IP address and time stamp used at the time of registration
  - The purpose of hiring services
  - Validated address and contact numbers
  - Ownership pattern of the subscribers or customers hiring services
- Maintain logs for 180 days on Indian servers: Separately, all entities (not just VPN providers) must mandatorily enable logs of all their systems and maintain them securely for a rolling period of 180 days and the same should be maintained within Indian jurisdiction.
- Face a fine or jail term for failure to comply: Failure to comply with these rules can result in imprisonment for up to one year, a fine of up to one lakh rupees, or both. It is not entirely clear who will be subject to the jail term if it is dealt out.
There are more directions that apply to VPN service providers as well as other companies. You can access a copy of the full directions here and read our summary.
What has been the reaction from VPN services?
Nord, Proton, Express, Surfshark, Windscribe, and Mullvad, which are some of the popular Virtual Private Network (VPN) service providers, objected to the new rules on privacy and surveillance grounds. All of these providers made it clear that they will not comply with the new directions, either because it is technically not feasible for them, because they will pull out of the country to avoid compliance, or because they have no structural presence in India for the government to go after. Windscribe criticised the rules for being more stringent than those of “dictatorships” like China and Russia.
