“The government has very clearly said repeatedly on all issues relating to rule-making: there is no opportunity for somebody to say, we will not follow the laws and rules of India. If you don’t have the logs, start maintaining the logs. If you’re a VPN that wants to hide and be anonymous about those who use VPNs and you don’t want to go by these rules, then if you want to pull out (from the country), frankly, that is the only opportunity you have. You have to pull out,” the Minister of State for Electronics and Information Technology Rajeev Chandrasekhar said on May 18 while releasing the FAQs document on the new cybersecurity directive.
Chandrasekhar’s comments come after VPN providers objected to the cybersecurity directive’s requirement to maintain detailed information on customers such as their names, contact details, the purpose of usage, IP address, etc. Many of the popular VPN providers made it clear that they will not comply with the new privacy-invasive directions either because it is technically not feasible for them to or because they will pull out of the country to avoid compliance. Windscribe even criticised the rules for being more stringent than those of “dictatorships” like China and Russia.
“You have an obligation to know who’s using your VPN infrastructure, who’s using your cloud, who’s using a data centre. Why do you have an obligation to know it? If there is a detected cyber incident or cyber breach from one of the people using your VPN or your cloud or your data centre, it is your obligation to produce data. Now, you can’t at that point stand and say no, but it’s our rule that we will not maintain logs. If you don’t maintain all logs, this is not a good place to do business,” Chandrasekhar remarked.
What have VPN companies said in response to Chandrasekhar’s comments?
- Surfshark might legally challenge the directive: Gytis Malinauskas, Head of Legal at Surfshark, said: “As the new regulation goes against the nature of the VPNs industry – which seeks to protect users’ privacy – we remain committed to providing no-logs services to our users, including those living in India. Currently, we are investigating the new regulation with Indian lawyers before deciding on the best course of action. Surfshark is considering all the options, including the possibility of challenging the validity of this new regulation. Overall, making such a radical action that highly impacts the privacy of millions of Indians without robust data protection mechanisms will most likely turn out to be counterproductive and strongly damage the sector’s growth in the country.”
- Windscribe will not compromise privacy for ridiculous requirements from one country: “Windscribe does not collect or store the origin country of any customer. We have no idea where a person is from when they use our service, so Rajeev Chandrasekhar’s requirements are impossible to implement. Our service is free and available to anyone. We will not compromise the privacy of all our users to comply with these ridiculous requirements originating from a single country.”
- Mullvad says it’s impossible: “It is impossible for a privacy-focused VPN to legally operate in India under that laws.”
- Nord VPN still exploring options: “We are still exploring the best course of action and will update you ASAP on the NordVPN decision.”
What is the new cybersecurity directive?
The new cybersecurity directive was issued by the Indian government’s Computer Emergency Response Team (CERT-In) on April 28 and covers aspects related to the timeframe for reporting cybersecurity incidents, synchronisation of system clocks, maintenance of logs, maintenance of KYC and transaction information for crypto exchanges, and maintenance of detailed customer information for VPN, cloud service, data centre providers. Cybersecurity and privacy experts, VPN providers, and tech companies have all criticised the directive for a long list of reasons.
The FAQs document clarified that corporate and enterprise VPNs are not subject to the directive, but the document failed to clarify one of the most important questions: does the government want VPN providers to maintain logs of their users’ web activity?
- VPN Providers Call India’s New Rules Worse Than China, Russia
- Why India’s New Cybersecurity Directive Is A Bad Joke
- Do VPN Providers Have To Store Web Activity Logs Of Users? Yes And No
- Corporate VPNs Not Subject To Cybersecurity Directive, Govt Clarifies
- Why India Should Not (Yet) Mandate Companies To Adopt A Specific Time Source
Have something to add? Post your comment and gift someone a MediaNama subscription.