India now requires VPN service providers to store their customers’ data. This raises fears for online privacy, especially for activists, whistleblowers and dissidents.
Virtual private networks (VPNs) encrypt data and thus ensure that internet users can surf and communicate anonymously. Services are booming in India as a result of the government’s efforts to suppress dissident voices on the net and the rise of working from home.
But now several VPN providers are leaving the country, and even more companies are considering doing the same. The reason for this is new rules around VPNs, which the Indian government says target cybersecurity, but which the companies say are easy to abuse and endanger users’ data.
Under the law, which comes into effect this month, providers will be required to keep their user data and IP addresses for at least five years, even after a customer has cancelled the service.
“VPNs are critical to online privacy, anonymity and freedom of expression, so these restrictions are nothing less than an attack on digital rights,” said Harold Li, vice president of ExpressVPN. “The new rules go too far and are formulated in such a broad way that they allow abuse. We refuse to compromise our users’ data. That’s why we immediately decided to remove our VPN servers in India.”
India is among the top 20 countries with the most VPN use, according to the AtlasVPN global index. In 2020 and 2021 in particular, the number of users grew rapidly, as it did everywhere in the world, because more people started working from home and companies wanted to secure their networks.
Many users are simply employees of those companies, but the services are also widely used by activists, journalists, lawyers and whistleblowers. They use VPNs to access blocked websites, secure their data and hide their identities.
As the digitization of data and services increases, security becomes a critical issue. India was in the top 3 countries with the most data breaches last year, according to estimates by Surfshark VPN. Nearly 87 million users are said to have been affected.
The new law, drafted in April by India’s Computer Emergency Response Team (CERT-In), also requires companies to report data breaches within six hours, and keep logs and internal communications for six months. Violations carry prison terms.
Tech companies and digital rights organizations have already protested, but the Indian government has said the rules will not be changed.
“If you don’t agree with the new rules and want to withdraw, then frankly you should just withdraw,” IT deputy minister Rajeev Chandrasekhar told reporters last month.