India’s new VPN rules spark fresh fears over online privacy


Virtual private networks (VPNs) that encrypt data and provide users with anonymity online have seen a surge in use in India in recent years as the government tightened its grip on the internet to curb dissent, and as more people worked from home. 

Now, some VPN providers are leaving India while others are considering doing so ahead of new rules that the government says are aimed at improving cybersecurity, but that the firms argue are vulnerable to abuse and could put users’ data at risk. 

Under legislation scheduled to take effect this month, VPN providers are required to retain user data and IP addresses for at least five years — even after clients stop using the service. 

“VPNs are central to online privacy, anonymity, and freedom of speech, so these restrictions represent an attack on digital rights,” Harold Li, vice president of ExpressVPN, told the Thomson Reuters Foundation. 

“The new laws are overreaching and are so broad as to open up the window for potential abuse. We refuse to put our users’ data at risk … as such, we have made the very straightforward decision to remove our India-based VPN servers,” he said. 

India ranks among the top 20 countries in VPN adoption, according to AtlasVPN’s global index, with users surging in 2020 and 2021 — as they did worldwide — as companies secured their networks with more people working from home amid the pandemic. 

Many are corporate users, but there are also activists, journalists, lawyers and whistleblowers who use them to access blocked websites, secure their data and protect their identity. 

With increasing digitisation of data and services, security is a major issue: India ranked third among countries with the most data breaches last year, according to estimates by Surfshark VPN, with nearly 87 million users affected. 

The new order, issued by the Indian Computer Emergency Response Team (CERT-In) in April, also requires companies to report data breaches within six hours of noticing them, and maintain IT and communications logs for six months. 

Failing to do so could be punishable with prison sentences. 

Tech firms and digital rights organizations have raised concerns about the compliance burden and reporting timeline, but officials have said there will be no changes to the rules. 

“If you don’t want to go by these rules, and if you want to pull out, then frankly … you have to pull out,” India’s junior IT minister Rajeev Chandrasekhar told reporters last month.  

MICROSCOPE OF SURVEILLANCE

Governments worldwide are imposing greater control on the flow of information online with a slew of regulations, as well as firewalls, internet shutdowns and social media blocks. 

India has tightened regulation of Big Tech firms in recent years, and ordered content takedowns. Dozens of lawyers, journalists and activists were also found to have been hacked by the Pegasus spyware last year. 

Indian authorities have declined to say whether the government had purchased Pegasus spyware for surveillance. 

Now, the new CERT-In rules can be used to keep close tabs on more citizens, said Ranjana Kumari, an activist and director of the Centre for Social Research in New Delhi. 

“The government has already been increasing its control of the internet to clamp down on any dissent, and people are already under increasing surveillance,” she said. 

“These new rules make it even worse.” 

While authorities have clarified that the rules do not apply to corporate VPNs, ProtonVPN said they “are an assault on privacy and threaten to put citizens under a microscope of surveillance,” adding that it would maintain its no-logs policy. 

Surfshark also has a “strict no-logs policy, which means that we don’t collect or share our customer browsing data or any usage information,” said Gytis Malinauskas, its legal head. 

“Even technically, we would not be able to comply with the logging requirements,” he added. 

A spokesperson for NordVPN, one of the world’s largest providers, said that while they welcomed the government’s “intentions to improve the state of cybersecurity … we believe that the discussion period should be extended.” 

“If it comes to it — we will consider removing (our) presence from India.” 

The Information Technology Industry Council, a global coalition, said the new directives — including the “overbroad” definition of reportable incidents and six-hour reporting timeline — could “actually undermine cybersecurity.” 

The risk of surveillance for millions of people is exacerbated by the data retention mandate in CERT-In’s directive, said Raman Jit Singh Chima, Asia Pacific policy director at Access Now, in an open letter on Jun. 1. 

“Requiring service providers, including VPN providers, to log information that they may otherwise not collect, for five years or more, violates the right to privacy protected by the Indian Constitution,” he said. 

India’s information technology ministry could not be reached for comment. 

Authorities have declined requests from tech firms and digital rights groups to delay implementation, and have said the reporting timeline is “very generous.” 

India is not the only country cracking down on VPNs. 

Russia banned several VPN services last year as part of a wider campaign that critics say curbs internet freedom, although it has failed to block them entirely. 

Russia’s moves to block global news sites and social media platforms after its invasion of Ukraine — similar to China’s “Great Firewall” — have led to concerns that the internet is splitting along geopolitical lines, digitally isolating people. 

India’s new directive was drawn up with little consultation with the tech industry or with civil society organizations, said Prateek Waghre, policy director at Internet Freedom Foundation, a digital rights advocacy group in Delhi. 

“Because of that there are now a bunch of directions that are ambiguous, with a tremendous compliance burden, including potential imprisonment for non-compliance,” he said. 

The rules have the potential to cause a great deal of harm, particularly in the absence of a data protection law, he added. 

“While there is a clear need for enhanced cybersecurity, when you ask for indiscriminate data collection, everyone is at risk — and there is greater risk for people already at risk, such as activists, journalists, dissenters, minorities.” — Rina Chandran/Thomson Reuters Foundation


Copyright © 2022 Respect Investment. All Rights Reserved.