Indian government wants VPNs to store customers' personal data for five years and report cybersecurity incidents in six hours.
India’s decision to enforce certain data management regulations on VPN services has prompted an exodus of companies from the country. In April this year, the country’s cybersecurity watchdog, in an apparent attempt to improve security, asked VPN providers in India to store customers’ details for five years and report cybersecurity incidents within six hours.
This rule will come into effect by the end of June 2022. The government has made it clear that those companies that are unwilling to comply can leave the country.
Many privacy experts have raised concerns about this new regulation. Storing personal data goes against the very principle of a VPN, which is to provide users with anonymity on the web. It also opens the door to several privacy concerns, as the government can demand access to the data, or hackers may access it.
Response from VPNs
Many VPNs, for their part, are ready to leave India rather than comply. ExpressVPN, one of the most popular services in this category, shut down its servers in the country earlier this month. Another company, Surfshark, followed suit last week.
“Surfshark proudly operates under a strict ‘no logs’ policy, so such new requirements go against the core ethos of the company,” said Gytis Malinauskas, Head of Legal at Surfshark. “A VPN is an online privacy tool, and Surfshark was founded to make it as easy to use for the common users as possible. The infrastructure that Surfshark runs on has been configured in a way that respects the privacy of our users, and we will not compromise our values – or our technical base.”
To be clear, pulling the servers out doesn’t mean that the services of these companies are not available in India anymore. Both these companies are offering to introduce virtual Indian servers – which will be physically located in Singapore and London. Virtual servers are functionally identical to physical ones – the main difference is that they’re not located in the stated country. They still provide the same functionality – in this case, getting an Indian IP without having to comply with Indian laws.
Another company, Hide.me, has also decided to pull the plug on India operations and not offer a virtual server. Their customers in India can continue to use the service using servers located in other countries.
But analysts wonder whether these workarounds can be sustained, because the government aims to control bad actors who might use VPNs. The Indian government, given its history of restricting tech services in the country, may eventually block access to companies that don’t comply with the laws. It has previously blocked several apps, such as TikTok, over cybersecurity concerns.
Practical challenges besides privacy
Speaking to asmag.com, Genie Gan, Head of Public Affairs for APAC at Kaspersky, said that the government of India wants to ensure a safe and accessible internet for all, and that this notification and the directions it contains are intended to put in place checks and balances to ensure the cyber security of its citizens.
“Reporting of cyber incidents is well defined in the directions but poses a few practical challenges, and those need to be addressed, as reporting within six hours may not be feasible in all scenarios,” Gan said. “In addition, maintenance of logs for 180 days places a cost of compliance and creation of infrastructure. Kaspersky’s business fundamentals are well grounded in India with a strong team.”
This means that customers may have to shell out more money for VPN services. Reporting requirements and maintaining data logs of all ICT systems will significantly add to the recurring costs of doing business in India. If these costs persist, the companies will eventually have to pass them on to the users.
“Another aspect that still needs practical clarity is on data privacy – ensuring data protection of such huge volumes of logs when shared will be very overwhelming and expensive,” Gan added.
Laura Tyrylyte, head of public relations at Nord Security, said that even though the directive may not directly affect people’s ability to access the internet, it will create additional difficulties for the internet infrastructure providers and their operations.
“As digital privacy advocates, we are also concerned about the possible effect this regulation may have on people’s data,” Tyrylyte continued. “From what it seems, the amount of stored private information will be drastically increased throughout hundreds or maybe thousands of different companies. It is hard to imagine that all small and medium enterprises will have a proper means to ensure the security of such data.”
Demanding extension
Nord Security has also said that while the regulations and intentions are valid, it would need more time to discuss the matter. The company has yet to announce its next step.
“While we welcome the Indian government's intentions to improve the state of cybersecurity in general, we believe that the discussion period regarding the latest directive should be extended,” said Laura Tyrylyte, head of public relations at Nord Security. “If adopted as is, the new regulation may cause more adverse effects than it should, and that might outweigh potential benefits. With regards to our response, we are still assessing the situation and looking for the best course of action.”
Discussions on as the deadline looms
The last day to comply with the new regulations is almost here. Given the industry concerns, the government has reportedly held talks with several relevant people, but they haven’t reached a consensus so far. Although the rules don’t apply to enterprises now, any potential action against VPNs for non-compliance could impact all kinds of customers in India, potentially hurting the operations of many businesses.