Providers of VPN services voice concerns about the government's order, and are planning to leave the country if no options have been made

Providers of VPN services voice concerns about the government's order, and are planning to leave the ...

Many major VPN companies, including NordVPN, are planning to leave the country if the government does not provide them the room to serve their customers in an private manner. During the same time, legal advocacy groups are implying that the government should remove the restrictions that violate user privacy.

The order, which was approved by the Ministry of Electronics and Information Technology''s agency CERT-In last week and is coming into force on June 28, directs VPN service providers to preserve data, including the valid names, email IDs, and IP addresses of their users for five years or longer "as mandated by the law" even after their registration or withdrawal.

According to the directive, "all service providers" should "mandatorily enable logs" of their systems and maintain them securely for a rolling period of 180 days, and the "same shall be maintained within the Indian jurisdiction."

According to the order, it is intended to help combat cybercrime and cybersecurity incidents in the country. Failure to provide information or non-compliance with the instructions may solicit "punitive action" under section 7 of the IT Act, 2000, and other laws as applicable, according to the government agency.

VPN services providers as their default model provide high user privacy in order to attract customers.

Malinauskas added that Surfshark is still looking at the new regulations and its implications, but has no intention to harm user privacy and is continuing to provide no-logs services to its users.

In a surprise move, Nord Security, the parent company of NordVPN is currently investigating the order passed by CERT-In.

Laura Tyrylyte, the head of North Security Public Relations, told Gadgets 360 that it was looking at the best course of action and is currently working as usual, considering that the order has expired.

"We are committed to protecting the privacy of our clients, therefore, we may remove our servers from India if no other options are left," said Tyrylyte.

ProtonVPN told Gadgets 360 that it was monitoring the situation and committed to its no-logs policy and protecting its users'' privacy.

The VPN service provider said that the new VPN regulations in India will erode civil liberties and make it difficult for people to protect their data online.

India is one of the major VPN markets due to the rise of Internet censorship in the country, which is implemented using various technological techniques, including DNS restrictions and TCP/IP blocking. In many instances, users have reported certain restrictions that can be eliminated using an Internet service. The 2020 lockdown in the country also resulted in a significant increase of VPN services including ExpressVPN.

According to a report from Top10VPN.com, India has been the second largest internet for VPNs in the world, with up to 45 percent of its total Internet user base relying on a VPN as of 2020.

"While there is a large number of VPN users in India, few VPN providers have a direct physical presence in the country, which will make it difficult for authorities to enforce the new legislation," says Simon Migliano, head of research at Top10VPN.com.

According to the information available on the company''s website for service providers such as NordVPN, India has their servers.

However, Migliano said that there will be little impact on customers as they might simply connect to a VPN service located in another country.

"It appears very unlikely that any legitimate VPN provider will comply with the CERT-In legislation, as it is not only difficult to enforce, but is also committed to everything they need, according to the researcher.

CERT-In has been appointed as a safe move by legal advocacy organizations, including SFLC.in, because the country is seeing a number of cybersecurity incidents.

However, Mishi Choudhary, a technology lawyer and founder of SFLC.in, said that the requirement to register VPN users and the linking of identification to IP addresses prompted serious privacy concerns and should be removed.

"CERT-In cannot remove the right to use certain technologies in the cyberspace,," she told Gadgets 360.

SFLC.in''s legal director, Prasanth Sugathan, said the collection of excessive data about consumers was based on the policy of many VPN providers, and it might result in some of them going out of the country rather than complying with the "huge penalties."

Legal experts think the directive is depressing, citing that it does not clear how it will impact service providers.

"These recommendations were made without any type of public consultation," said Prateek Waghre, the director of the Internet Freedom Foundation (IFF).

He added that the order does not clarify what the law signifies for VPN service providers and their operations in India.

"It''s also unclear whether the VPN service providers who are not operating an Indian IP will still be liable under the provisions of the directive," he said, adding that the development would certainly add a layer of concern if any of these service providers has employees in the country.

Legislators argued that VPN restrictions, which included Telecom operators, were also reducing access to some VPN services. Despite this, VPN users in the country have continued to increase so far.