VPN providers call India’s new rules worse than China, Russia

Nord, Proton, Express, Surfshark, Windscribe, and Mullvad, which are some of the popular Virtual Private Network (VPN) service providers, objected to India’s new rules asking them to maintain detailed information on their customers such as their names, contact details, the purpose of usage, IP address, etc.

All of these providers made it clear that they will not comply with the new directions either because it is technically not feasible for them to or because they will pull out of the country to avoid compliance or because they don’t have any structural presence in India for the government to go after them. Windscribe criticised the rules for being more stringent than those of “dictatorships” like China and Russia.

The new rules were issued by the Indian government’s Computer Emergency Response Team (CERT-In) on April 28 as part of its cybersecurity directions for all companies operating in India. These directions contain provisions that extend beyond VPN providers, and cybersecurity experts spared no time in criticising them for a long list of reasons However, the provisions pertaining to VPN providers have garnered extra attention because the proposal by CERT-In goes against the very selling point of VPN companies: privacy.

We reached out to all the top VPN providers with a list of questions on the impact of the new rules by the Indian government on them, and here’s what they had to say.

Dear reader, we urgently need to build capacity to cover the fast-moving tech policy space. For that, our independent newsroom is counting on you. Subscribe to MediaNama today, and help us report on the policies that govern the internet.

What does your company think of these new directions?

• Nord: At the moment, our team is investigating the new directive recently passed by the Indian government and exploring the best course of action. As there are still at least two months left until the law comes into effect, we are currently operating as usual. Overall we believe that limiting people’s right to privacy limits the freedom of speech and regulators should look for better ways to achieve their goals, without putting the rights of their citizens at risk.
• Proton VPN: India’s new VPN regulations will erode civil liberties and make it harder for people to protect their data online. The new Indian VPN regulations are an assault on privacy and threaten to put citizens under a microscope of surveillance, the company also tweeted, while sharing its guidelines for users in “high-risk countries.”
• Windscribe: This is a massive overreach on behalf of a so-called democratic government. Not only are the requirements dangerous, most are impossible to implement for a privacy-oriented service such as Windscribe.
• Mullvad: We think this is bad for privacy and the right to free speech. A log is required of who uses an IP address, i.e. the core features of not disclosing your private IP are ruined.
• Express VPN: “This latest move by the Indian government to require VPN companies to hand over user personal data represents a worrying attempt to infringe on the digital rights of its citizens,” a spokesperson for Express VPN told Wired.

Will you comply with these new directions?

• Nord: Our customers’ privacy is a key value for us, therefore we may remove our servers from India if no other options are left.
• Mullvad: Since we do not have any VPN servers, no staff, and no infrastructure in India, this does not apply for Mullvad–so, no.
• Windscribe: No, Windscribe will not comply.

Is it technically feasible to comply with these requirements?

• Nord: We are still looking into the new law to better understand what’s required, but so far it seems that we don’t have the means to comply.
• Windscribe: Some of the requirements are possible to implement, while others clearly demonstrate that whoever wrote these requirements has zero technical knowledge or any shred of common sense. China and Russia have less stringent requirements for VPNs, and those are dictatorships. It’s highly unfortunate that India decided to go down this route while being the “biggest democracy in the world”.
• Mullvad: Not if you run a privacy-focused VPN.
• Surfshark: Surfshark has a strict no-logs policy, which means that we don’t collect or share our customer browsing data or any usage information. Moreover, we operate only with RAM-only servers, which automatically overwrite user-related data. Thus at this moment, even technically, we would not be able to comply with the logging requirements. We are still investigating the new regulations and its implications for us, but the overall aim is to continue providing no-logs services to all of our users.

How does it bode with your company’s no-logs policy?

• Nord: We are committed to protecting the privacy of our customers therefore, we may remove our servers from India if no other options are left.
• Proton VPN: We are still assessing the situation, but we remain committed to our no-logs policy in India.
• Windscribe: Nothing changes for Windscribe. We will continue offering our free and paid services for anyone who wants them, in any country, as we don’t collect the country of origin when someone registers for our service. In many cases, registration itself is optional.
• Mullvad: It does not work with ANY privacy-focused VPN’s privacy policy
• Express VPN: The company would never log user information or activity and will adjust its “operations and infrastructure to preserve this principle if and when necessary,” a spokesperson for Express VPN told Wired.

Will you legally challenge these directions?

• Nord: We still need to better understand the regulation before deciding on the best course of action.
• Proton VPN: It’s premature to say how we will proceed legally because that is another element that we’re still evaluating.
• Windscribe: We will not, as we’re not an Indian corporation and we don’t have the resources to fight every unjust law in every country. This is up to the citizens to voice their concerns, and use the democratic process to fire these politicians in the next election cycle.
• Mullvad: No, not since we do not have any operation in India.

We have also asked the above questions to Express VPN and Private Internet Access, and will update this post once we get a response from them.

What are the new rules for VPN providers?

Starting 28 June 2022, VPN providers are required to:

• Maintain detailed customer information: Data Centres, Virtual Private Server (VPS) providers, cloud service providers and Virtual Private Network Service (VPN Service) providers, are required to register the following accurate information about customers and subscribers for a period of 5 years or longer duration after any cancellation or withdrawal of the registration:
  • Validated names of subscribers or customers hiring the services
  • Period of hire including dates
  • IPs allotted to or being used by the members
  • Email address and IP address and time stamp used at the time of registration
  • The purpose of hiring services
  • Validated address and contact numbers
  • Ownership pattern of the subscribers or customers hiring services
• Maintain logs for 180 days on Indian servers: Separately, all entities (not just VPN providers) must mandatorily enable logs of all their systems and maintain them securely for a rolling period of 180 days and the same should be maintained within Indian jurisdiction.
• Face fine of jail term for failure to comply: Failure to comply with these rules can result in imprisonment for up to one year or with a fine of up to one lakh rupees or both. It is not entirely clear who will be subject to the jail term if dealt out.

There are more directions that apply to VPN service providers as well as other companies that have information and communications technology (ICT) systems. You can also access a copy of the full directions here and a summary here.

Why has India issued these new directions?

“During the course of handling cyber incidents and interactions with the constituency, CERT-In has identified certain gaps causing hindrance in incident analysis. To address the identified gaps and issues so as to facilitate incident response measures, CERT-In has issued directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents under the provisions of sub-section (6) of section 70B of the Information Technology Act, 2000,” the press release from CERT-In said.

Update (6 May, 12:30 pm): Added comments sent by Surfshark to MediaNama and removed comments made by Surfshark to Wired.

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

Also Read:

• CERT-In Wants Cybersecurity Incidents Reported Within 6 Hours
• Why India’s New Cybersecurity Directive Is A Bad Joke
• Exclusive: Indian Government Looks For Solution To Bypass And Trace Those Using VPNs
• Use VPN Regularly? This Parliamentary Panel Thinks You’re A Cyber Criminal And Wants To Ban It Forever

Have something to add? Subscribe to MediaNama here and post your comment.