{"id":18957,"date":"2022-05-05T10:45:22","date_gmt":"2022-05-05T18:45:22","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/05\/05\/news-12690\/"},"modified":"2022-05-05T10:45:22","modified_gmt":"2022-05-05T18:45:22","slug":"news-12690","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/05\/05\/news-12690\/","title":{"rendered":"VPN Providers Threaten to Quit India Over New Data Law"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/6273f2add59c89e6ded93b42\/master\/pass\/India-VPN-Data-Security-GettyImages-1035245218.jpg\"\/><\/p>\n<p><strong>Credit to Author: Chris Stokel-Walker| Date: Thu, 05 May 2022 15:55:36 +0000<\/strong><\/p>\n<p class=\"BylineWrapper-iiTsTb hAGfXd byline bylines__byline\" data-testid=\"BylineWrapper\" itemprop=\"author\" itemtype=\"http:\/\/schema.org\/Person\"><span itemprop=\"name\" class=\"BylineNamesWrapper-dbkCxf erRIa-D\"><span data-testid=\"BylineName\" class=\"BylineName-cKXFOb UCAzg byline__name\"><a class=\"BaseWrap-sc-TURhJ BaseText-fFzBQt BaseLink-gZQqBA BylineLink-eZnyPI eTiIvU mEZDb fNdcwQ bKZMMS byline__name-link button\" href=\"\/author\/chris-stokel-walker\">Chris Stokel-Walker<\/a><\/span><\/span><\/p>\n<p><span class=\"lead-in-text-callout\">VPN companies are<\/span> squaring up for a fight with the Indian government over new rules designed to change how they operate in the country. 
On April 28, officials announced that virtual private network companies will be required to collect swathes of customer data\u2014and maintain it for five years or more\u2014under <a data-offer-url=\"https:\/\/web.archive.org\/web\/20220429055040\/https:\/www.cert-in.org.in\/PDF\/CERT-In_Directions_70B_28.04.2022.pdf\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/web.archive.org\/web\/20220429055040\/https:\/www.cert-in.org.in\/PDF\/CERT-In_Directions_70B_28.04.2022.pdf&quot;}\" href=\"https:\/\/web.archive.org\/web\/20220429055040\/https:\/www.cert-in.org.in\/PDF\/CERT-In_Directions_70B_28.04.2022.pdf\" rel=\"nofollow noopener\" target=\"_blank\">a new national directive<\/a>. VPN providers have two months to accede to the rules and start collecting data.<\/p>\n<p class=\"paywall\">The justification from the country\u2019s Computer Emergency Response Team (CERT-In) is that it needs to be able to investigate potential cybercrime. But that doesn\u2019t wash with VPN providers, some of whom have said they may ignore the demands. \u201cThis latest move by the Indian government to require VPN companies to hand over user personal data represents a worrying attempt to infringe on the digital rights of its citizens,\u201d says Harold Li, vice president of ExpressVPN. He adds that the company would never log user information or activity and that it will adjust its \u201coperations and infrastructure to preserve this principle if and when necessary.\u201d<\/p>\n<p class=\"paywall\">Other VPN providers are also considering their options. Gytis Malinauskas, head of Surfshark\u2019s legal department, says the VPN provider couldn\u2019t currently comply with India\u2019s logging requirements because it uses RAM-only servers, which automatically overwrite user-related data. 
\u201cWe are still investigating the new regulation and its implications for us, but the overall aim is to continue providing no-logs services to all of our users,\u201d he says. ProtonVPN is similarly concerned, calling the move an erosion of civil liberties. \u201cProtonVPN is monitoring the situation, but ultimately we remain committed to our no-logs policy and preserving our users\u2019 privacy,\u201d says spokesperson Matt Fossen. \u201cOur team is investigating the new directive and exploring the best course of action,\u201d says Laura Tyrylyte, head of public relations at Nord Security, which develops Nord VPN. \u201cWe may remove our servers from India if no other options are left.\u201d<\/p>\n<p class=\"paywall\">The hardball response from VPN providers shows how much is at stake. India has rapidly shifted away from a free and open democracy and launched crackdowns on non-governmental organizations, journalists, and activists, many of whom use VPNs to communicate. Human Rights Watch <a data-offer-url=\"https:\/\/www.hrw.org\/news\/2022\/05\/03\/india-media-freedom-under-threat\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.hrw.org\/news\/2022\/05\/03\/india-media-freedom-under-threat&quot;}\" href=\"https:\/\/www.hrw.org\/news\/2022\/05\/03\/india-media-freedom-under-threat\" rel=\"nofollow noopener\" target=\"_blank\">recently warned<\/a> that media freedom is under attack in the country, with a number of law and policy changes threatening the rights of minority citizens in the country. 
India <a data-offer-url=\"https:\/\/timesofindia.indiatimes.com\/india\/india-slides-8-places-to-150-in-2022-press-freedom-index\/articleshow\/91296377.cms\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/timesofindia.indiatimes.com\/india\/india-slides-8-places-to-150-in-2022-press-freedom-index\/articleshow\/91296377.cms&quot;}\" href=\"https:\/\/timesofindia.indiatimes.com\/india\/india-slides-8-places-to-150-in-2022-press-freedom-index\/articleshow\/91296377.cms\" rel=\"nofollow noopener\" target=\"_blank\">dropped eight places<\/a> in Reporters Without Borders\u2019 Press Freedom Index in the past year and now sits 150th out of 180 countries worldwide. Authorities are alleged to have targeted journalists, stoking nationalist division and encouraging harassment of reporters who are critical of Indian prime minister Narendra Modi. By collecting and storing data on all VPN users in India, authorities may find it easier to see who VPN-using journalists are contacting and why.<\/p>\n<p class=\"paywall\">Officials in India have claimed that the new rules for VPN providers aren&#x27;t part of a data grab aimed at further stymying press freedoms, but rather an attempt to better police cybercrime. 
India has been hit by a number of significant data breaches in recent years and was the <a data-offer-url=\"https:\/\/www.businesstoday.in\/latest\/trends\/story\/india-ranks-third-in-global-data-breaches-in-2021-report-315750-2021-12-15\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.businesstoday.in\/latest\/trends\/story\/india-ranks-third-in-global-data-breaches-in-2021-report-315750-2021-12-15&quot;}\" href=\"https:\/\/www.businesstoday.in\/latest\/trends\/story\/india-ranks-third-in-global-data-breaches-in-2021-report-315750-2021-12-15\" rel=\"nofollow noopener\" target=\"_blank\">third-most affected<\/a> country worldwide in 2021. \u201cData breaches have become so common in India that they no longer make front page news as they used to,\u201d says Mishi Choudhary, a technology lawyer and founder of the Software Freedom Law Center, a technology legal support services provider in India. In May 2021, the names, email addresses, locations, and phone numbers of more than 1 million customers of Domino\u2019s Pizza were stolen and posted online; in the same year, the personal information of <a data-offer-url=\"https:\/\/icmrindia.org\/casestudies\/catalogue\/IT%20and%20Systems\/ITSY121.htm\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/icmrindia.org\/casestudies\/catalogue\/IT%20and%20Systems\/ITSY121.htm&quot;}\" href=\"https:\/\/icmrindia.org\/casestudies\/catalogue\/IT%20and%20Systems\/ITSY121.htm\" rel=\"nofollow noopener\" target=\"_blank\">110 million users<\/a> of digital payment platform MobiKwik ended up on the dark web. 
Now, as the major incidents pile up, Indian officials are going after VPNs in an apparent attempt to rein in the cybercrime surge.<\/p>\n<p class=\"paywall\">\u201cCERT-In is duty-bound to respond to any cybersecurity incidents,\u201d says Srinivas Kodali, a researcher focusing on digitalization in India from the Free Software Movement of India\u2014though he disputes its efficacy in doing so. Having this information on hand should, in theory, allow CERT-In to investigate any incidents more speedily after the fact. But many don\u2019t believe that\u2019s the full story. \u201cCERT-In doesn\u2019t really have a clean past, and they\u2019ve never really protected citizens\u2019 privacy,\u201d Kodali claims. \u201cAccording to the rules, they are going to only demand these logs when they actually need them for part of an investigation. But in India, you never know how they will be abused.\u201d<\/p>\n<p class=\"paywall\">Such concerns of overreach are not unfounded. According to data published in April 2022 by Access Now, an advocacy group lobbying for internet freedoms, India was responsible for <a data-offer-url=\"https:\/\/www.accessnow.org\/internet-shutdowns-2021\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.accessnow.org\/internet-shutdowns-2021\/&quot;}\" href=\"https:\/\/www.accessnow.org\/internet-shutdowns-2021\/\" rel=\"nofollow noopener\" target=\"_blank\">106 of the 182 documented internet shutdowns<\/a> in 2021. 
It was the <a data-offer-url=\"https:\/\/www.livemint.com\/economy\/internet-shutdowns-are-a-costly-affair-and-india-leads-in-them-11651475862075.html\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.livemint.com\/economy\/internet-shutdowns-are-a-costly-affair-and-india-leads-in-them-11651475862075.html&quot;}\" href=\"https:\/\/www.livemint.com\/economy\/internet-shutdowns-are-a-costly-affair-and-india-leads-in-them-11651475862075.html\" rel=\"nofollow noopener\" target=\"_blank\">fourth successive year<\/a> the country held the unenviable title of the internet shutdown capital of the world. At the same time, India\u2019s government has <a data-offer-url=\"https:\/\/www.bbc.co.uk\/news\/world-asia-india-60194265\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.bbc.co.uk\/news\/world-asia-india-60194265&quot;}\" href=\"https:\/\/www.bbc.co.uk\/news\/world-asia-india-60194265\" rel=\"nofollow noopener\" target=\"_blank\">allegedly misled parliament<\/a> about its use and deployment of the Israeli-produced spyware Pegasus <a data-offer-url=\"https:\/\/thewire.in\/government\/project-pegasus-journalists-ministers-activists-phones-spying\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/thewire.in\/government\/project-pegasus-journalists-ministers-activists-phones-spying&quot;}\" href=\"https:\/\/thewire.in\/government\/project-pegasus-journalists-ministers-activists-phones-spying\" rel=\"nofollow noopener\" target=\"_blank\">against 160 politicians, lawyers, and activists<\/a> within the country.<\/p>\n<p class=\"paywall\">That \u2018collect data first, ask questions later\u2019 approach to law enforcement has others worried, too. 
\u201cThis is a blunderbuss way of remembering all data and keeping tabs on your users,\u201d says Anupam Chander, professor of law at Georgetown University in Washington, DC. \u201cThat way, if [India] needs it for law enforcement, intelligence purposes, or other purposes, they can grab it later.\u201d And the VPN data grab could, potentially, collect information on millions of Indians who rely on the technology. <a data-offer-url=\"https:\/\/atlasvpn.com\/vpn-adoption-index\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/atlasvpn.com\/vpn-adoption-index&quot;}\" href=\"https:\/\/atlasvpn.com\/vpn-adoption-index\" rel=\"nofollow noopener\" target=\"_blank\">One in five Indians<\/a> used a VPN in 2021, according to data gathered by service provider Atlas VPN\u2014up from just 3 percent in 2020. The increased usage echoes a broader rise in the use of VPNs in countries such as Venezuela, Costa Rica, and Cambodia, which saw similar increases. It also shows how people in India are seeking out VPNs for information security purposes, as well as to avoid geoblocking of popular websites.<\/p>\n<p class=\"paywall\">There\u2019s another reason everyday Indians are pursuing VPNs: the rollout of a <a href=\"https:\/\/www.wired.co.uk\/article\/india-aadhaar-database-legal-supreme-court\">controversial nationwide identification database<\/a>. The ID system known as Aadhaar\u2014which first launched in 2009 and has evolved since then\u2014assigns citizens a 12-digit identity code based on their biometric and demographic information. Its proponents say that Aadhaar is part of a plan to digitize the Indian economy and make it easier to access government services. 
Its opponents say Aadhaar\u2019s ubiquity and required use\u2014you can\u2019t open a bank account, get an ambulance, or pay your taxes without one\u2014is an attempt to shoehorn a surveillance state into existence under the auspices of making things easier for citizens. Choudhary worries that the new rules for VPN providers are part of a broader \u201cmission creep\u201d to control what is said and by whom across India. \u201cThis is not just bureaucracy,\u201d Choudhary says. \u201cIt seems that the government of India is using every opportunity to make access to the internet much more controlled, as well as monitored.\u201d CERT-In did not respond to a request for comment.<\/p>\n<p class=\"paywall\">And India is not alone. \u201cSouth Asian governments are basically competing with each other in this operational Olympics around violating the digital rights of their citizens,\u201d says Pakistani lawyer and internet activist Nighat Dad. Pakistan\u2019s government attempted to <a data-offer-url=\"https:\/\/fr.scribd.com\/document\/532380328\/Revised-Rules-2021-12-10-2021after-Approval-of-the-Cabinet\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/fr.scribd.com\/document\/532380328\/Revised-Rules-2021-12-10-2021after-Approval-of-the-Cabinet&quot;}\" href=\"https:\/\/fr.scribd.com\/document\/532380328\/Revised-Rules-2021-12-10-2021after-Approval-of-the-Cabinet\" rel=\"nofollow noopener\" target=\"_blank\">introduce a law<\/a> in October 2021 that gave it the right to monitor and censor any content posted on social media in the country. 
Pakistan has <a data-offer-url=\"https:\/\/www.dawn.com\/news\/1618552\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.dawn.com\/news\/1618552\/&quot;}\" href=\"https:\/\/www.dawn.com\/news\/1618552\/\" rel=\"nofollow noopener\" target=\"_blank\">previously blocked access<\/a> to Facebook, Twitter, YouTube, WhatsApp, and Telegram \u201cto maintain public order.\u201d Dad is scared. \u201cNot only in Pakistan but in India, there are marginalized communities who are at risk. This is a scary situation.\u201d Similar <a data-offer-url=\"https:\/\/www.hrw.org\/news\/2021\/05\/21\/indonesia-suspend-revise-new-internet-regulation\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.hrw.org\/news\/2021\/05\/21\/indonesia-suspend-revise-new-internet-regulation&quot;}\" href=\"https:\/\/www.hrw.org\/news\/2021\/05\/21\/indonesia-suspend-revise-new-internet-regulation\" rel=\"nofollow noopener\" target=\"_blank\">concerns have been raised<\/a> in Indonesia, where digital platforms have to register with the communications ministry and agree to provide access to their systems and data on request. 
So too in Bangladesh, where internet freedom has <a data-offer-url=\"https:\/\/freedomhouse.org\/country\/bangladesh\/freedom-net\/2021\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/freedomhouse.org\/country\/bangladesh\/freedom-net\/2021&quot;}\" href=\"https:\/\/freedomhouse.org\/country\/bangladesh\/freedom-net\/2021\" rel=\"nofollow noopener\" target=\"_blank\">reached an \u201call-time low,\u201d<\/a> according to Freedom House, as the governing party uses laws to crack down on political dissent through social media.<\/p>\n<p class=\"paywall\">VPNs that are developed within\u2014or operate in\u2014India will have to choose whether to accede to CERT-In\u2019s request or withdraw their support from the country. Kodali says providers may adopt a halfway-house solution, barring new users from paying for VPNs with an Indian bank account, which would theoretically make it impossible for Indians to sign up while in practice quietly permitting them to find a workaround. But what starts in India likely won\u2019t end there. \u201cThis does have global implications,\u201d says Chander, who believes India is learning a lesson from China, with its stringent internet crackdowns. There\u2019s a worry other, more liberal governments will follow the Indian-Chinese model, too. 
Attacks on end-to-end encryption are <a href=\"https:\/\/www.wired.com\/story\/uk-trying-to-stop-facebook-end-to-end-encryption\/\">commonplace in the UK<\/a>, while the US joined India, the UK, Japan, Australia, and New Zealand in signing an <a data-offer-url=\"https:\/\/www.theverge.com\/2020\/10\/12\/21513212\/backdoor-encryption-access-us-canada-australia-new-zealand-uk-india-japan\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.theverge.com\/2020\/10\/12\/21513212\/backdoor-encryption-access-us-canada-australia-new-zealand-uk-india-japan&quot;}\" href=\"https:\/\/www.theverge.com\/2020\/10\/12\/21513212\/backdoor-encryption-access-us-canada-australia-new-zealand-uk-india-japan\" rel=\"nofollow noopener\" target=\"_blank\">international statement<\/a> asking for backdoor access that would subvert encryption standards. \u201cI think it\u2019s important that governments justify these actions,\u201d says Chander, \u201cand explain how they don\u2019t threaten civil liberties.\u201d<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/india-vpn-data-law\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/6273f2add59c89e6ded93b42\/master\/pass\/India-VPN-Data-Security-GettyImages-1035245218.jpg\"\/><\/p>\n<p><strong>Credit to Author: Chris Stokel-Walker| Date: Thu, 05 May 2022 15:55:36 +0000<\/strong><\/p>\n<p>The country has ordered companies operating VPNs to collect user data and hand it over to officials\u2014but they\u2019re refusing to do 
so.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714,21382,21357],"class_list":["post-18957","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security","tag-security-privacy","tag-security-security-news"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18957","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18957"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18957\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18957"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18957"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18957"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}