Indian Government recently made it mandatory in its new rules for VPN Service Providers to store user data for five years
While discussions continue to rage on regarding the new rules for VPN Service Providers, industry reactions have been slowly trickling in. The Indian Computer Emergency Response Team (CERT-In), under the aegis of the Ministry of Information and Technology, Government of India recently made it mandatory for data centers, virtual private server (VPS) providers, VPN service providers, cloud service providers to store user data for five years. The country has also ordered companies operating VPNs to hand it over to officials in case there was an “incident”.
While CERT-In states that this decision will help address identified gaps and issues that are slowing down incident response measures, some reactions from the industry claim that the could be counter productive to the benefits that VPN Service Providers offer. However, while these directions issued will help them to address the identified gaps, VPN service providers are of the view that they challenge the primary function of a VPN which is to hide users’ IP addresses from their Internet Service Providers and other third parties. Most VPN services do not store logs of user activities, and Internet services providers and other third parties cannot see which websites users visit or what data they send and receive online.
“Though I understand the reasons for enforcing this with regard to the VPN service, I feel the steps are directly conflicting and counter productive to the very purpose and benefits of VPN for legitimate purposes . This step directly attacks the core benefit the VPN service offers to its users and why users chose to use a VPN service (for their own safety and privacy and not for just illegal stuff). I can see why this has triggered an immediate extreme reaction from VPN providers to quit the country. I personally feel, there could have been a better middle ground – that is to make the VPN providers abide by laws of the countries and policies of restricted sites and not allow it to be able to grant access to services that are banned in the country,” said Venkatesh Sundar, Co-founder and CMO, Indusface.
Several notable VPN service providers, such as Nord VPN, have even threatened to remove their servers from India if the Government mandates them to store user data. “It’s easy to verify any VPN service provider, if they are breaking the law and thus would have forced a better responsible behaviour from VPN providers to ensure while it provides the benefit of user privacy it cannot be used to circumvent laws as they have the same country specific policies of restricting access in place, This could have been a better middle ground instead of what I feel currently is a extreme step that hits the core of the real value from the VPN service providers for many perfectly legitimate cases and benefit for users to maintain their privacy and safety while doing legal and legitimate things in the internet,” added Sundar on the issue.