The saga of “India going after VPNs” is continuing. The controversial new law should’ve been enacted by now, but the government decided to give VPN providers an additional three months to comply with the new rules.
Said rules, if you recall, require VPNs to maintain the names and addresses of their customers along with their IP addresses. Unsurprisingly, many of the best VPN providers decided to shut down their servers in India, suggesting users to either connect to servers in nearby Singapore or some other country. Some even provided “virtual Indian servers” which come with an India IP address but are physically located somewhere else. This way they wouldn’t have to comply with local regulations as Indian authorities would not have a single place (data center) to raid
According to India’s regulatory body CERT, the deadline was extended because “additional time” had been sought by the industry players.
Or it could have something to do with the fact that nearly two dozen cybersecurity experts and technologists from India and across the world sent a joint letter to CERT and the Ministry of Electronics and IT, calling for the “dangerous CERT-In cybersecurity directions” to not be implemented.
“The Directions, as they stand, will have the unintended consequence of weakening cyber security, and its crucial component, online privacy. We are cognizant of the need for a framework to govern cyber incident reporting, but the reporting timelines and excessive data retention mandates prescribed in the Directions, will have negative implications in practice and impede effectiveness while endangering online privacy and security,” they wrote.
Nevertheless, lawmakers in India have made it clear that they have no intentions to relax the new rules. In fact, last month Rajeev Chandrasekhar, the junior IT minister of India, said that VPN providers who wish to conceal who uses their services “will have to pull out” of the country.
Beyond VPN providers, the new rules also affect other companies, requiring them to report incidents of security lapses such as data breaches within six hours of noticing such cases. I guess that part of the law makes sense, but the one affecting the privacy of VPN users – doesn’t. Or at least, that’s where we stand.