- The Indian government has issued a directive mandating VPN service providers to retain user data.
- India currently has over 270 million VPN users, a majority of whom use it to connect to their company network.
- VPN service providers may leave India as it’s not possible to comply with the government’s directive.
The Indian government
released new guidelines on April 28 directing companies offering virtual private network (VPN) services in the country to record and store the details of their users.
directive was issued by the country’s cyber watchdog – the Indian Computer Emergency Response Team (CERT-In). The new guidelines come into effect after 60 days of issue, which is around June end.
The directive has come under criticism from various sections of society, including VPN providers, consumers and rights activists. The Internet Freedom Foundation
said, “The directions were released by CERT-In without any public consultation with technology and cyber security experts, which has led to the inclusion of multiple unwarranted provisions.”
What is the directive from the Indian government?
The directive issued by the government mandates VPN providers to maintain the following data as part of the know your customer (KYC) policy for a period of five years –
- Validated name of subscribers/customers
- Period of hire
- IPs allotted to the user
- Email address, IP address and time stamp used at the time of registration.
- Purpose of hiring services
- Validated address and contact numbers
- Ownership pattern of the subscribers
Essentially, this will eliminate one of the major benefits and use cases of VPN – anonymity. According to the directive, CERT-In can at any time ask these service providers to furnish this data. A failure to furnish the data will result in punitive action under the IT Act, 2000 and other applicable laws.
Impact on users
In addition to removing anonymity, this may have a much larger impact on the country. According to a VPN adoption Index maintained by AtlasVPN, India recorded over 270 million VPN users in 2021, which is around 20% of the population. This number has likely increased by now.
The increase in VPN users in the country has been due to an increase in people working from home due to the pandemic. There are several uses of VPN, including employees using it to connect to company networks securely while working from home, accessing geo-restricted content or simply staying anonymous.
VPN companies are against the directive from the government as recording user data goes against the main principles of VPN as they are designed to protect user privacy.
NordVPN, one of the largest VPN service providers in the world, is
reportedly considering pulling its servers out of India in response to the directive from the government.
VPN service providers may have to leave the country
“We are committed to protecting the privacy of our customers therefore, we may remove our servers from India if no other options are left,” Patricija Cerniauskaite, an official from NordVPN told Entrackr. The company reportedly has 28 servers in the country, which cater to both Indian and international users.
“PureVPN is a no-log VPN, user anonymity and security is a central priority but if that is compromised by this policy then we will have to consider our position in India,” Uzair Gadit, chief executive officer of PureVPN told Business Insider India in a statement.
“PureVPN stores no identifiable information, nor does it record or store user activity so this presents a significant risk for our users. More widely, this will impact the wider VPN industry,” Gadit added.
“VPNs are critical for user safety and the preservation of user’s right to online privacy and are fundamentally opposed to any efforts to undermine such technologies,” ExpressVPN said in a statement to
In addition to being opposed to the new guidelines from the government, some VPN providers have claimed that the guidelines do not apply to them as they do not come under the jurisdiction of Indian laws.
“We are operating under the jurisdiction of the Netherlands, and there are no laws requiring us to log user activity,” Surfshark said in a statement to ET.
Explained: Indian government makes user data collection mandatory for VPNs
Boris Johnson urges Russians to download VPNs to get round Putin’s censorship of mass killings in Ukraine
Internet censorship cost the global economy $5.5 billion in 2021, report says