India’s new VPN rules raise new concerns about online privacy | Media Pyro


Some VPN providers are now leaving India, while others are considering doing so ahead of new regulations that the government says are aimed at improving cyber security but firms say are vulnerable to abuse and could put user data at risk.

Under legislation coming into force this month, VPN providers are required to keep user data and IP addresses for at least five years – even after customers stop using the service.

“VPNs are central to online privacy, anonymity and free speech, so these restrictions are an attack on digital rights,” said Harold Lee, vice president of ExpressVPN, to the Thomson Reuters Foundation.

“The new laws are overbroad and so broad that they open a window for potential abuse. We refuse to put our users’ data at risk…so we took the very simple decision to remove our Indian VPN servers,” he said.

According to the AtlasVPN Global Index, India is among the top 20 countries with the highest VPN adoption. In 2020 and 2021, user numbers skyrocketed, as did the rest of the world, as companies secured their networks with more people working from home during the pandemic.

Many of them are corporate users, but there are also activists, journalists, lawyers and whistleblowers who use them to access blocked websites, protect their data and protect their identity.

As the digitization of data and services increases, security is becoming a major concern: India ranked third among the countries with the most data breaches last year, with Surfshark VPN estimating that nearly 87 million users were affected.

The new order, issued by India’s Computer Emergency Response Team (CERT-In) in April, also requires companies to report data breaches within six hours of noticing them and to keep IT and communications logs for six months.

Failure to do so may result in imprisonment.

Tech firms and digital rights organizations have raised concerns about the compliance burden and reporting timelines, but officials have said there will be no changes to the rules.

“If you don’t want to follow these rules, and if you want to get out, frankly, you have to get out,” India’s junior IT minister Rajiv Chandrasekhar told reporters last month.


Governments around the world are putting more control over the flow of information online through a series of regulations, as well as firewalls, internet shutdowns and social media blocking.

In recent years, India has tightened regulation of big tech companies and removed content. Dozens of lawyers, journalists and activists were also hacked by the Pegasus spyware last year.

Indian authorities declined to say whether the government had purchased the Pegasus spy software for surveillance.

Now, the new CERT-In rules can be used to closely monitor more citizens, said Ranjana Kumari, an activist and director of the Center for Social Research in New Delhi.

“The government has already tightened its control over the internet to suppress any dissent and people are already under increased surveillance,” she said.

“These new rules make the situation even worse.”

While authorities have clarified that the rules do not apply to corporate VPNs, ProtonVPN said they “are an assault on privacy and threaten to put citizens under the surveillance microscope,” adding that it will maintain its no-logs policy.

Surfshark also has a “strict no-logging policy, which means we do not collect or share our customers’ browsing data or any usage information,” said Gitis Malinauskas, head of legal.

“Even technically, we wouldn’t be able to meet the felling requirements,” he added.

A spokesperson for NordVPN, one of the world’s largest ISPs, said that while they welcome the government’s “intentions to improve the state of cyber security…we believe the discussion period should be extended.”

“If it comes to that, we will consider ending (our) presence in India.”

The Information Technology Industry Council, a global coalition, said the new directives, including an “excessive” definition of reportable incidents and a six-hour reporting schedule, could “actually undermine cybersecurity.

The risk of millions of people being tracked is exacerbated by the data retention mandate in the CERT-In directive, Raman Jeet Singh Cheema, Asia Pacific director of policy at Access Now, said in a June 1 open letter.

“Requiring service providers, including VPN providers, to log information they may not have collected for five years or more violates the right to privacy protected by the Constitution of India,” he said.

India’s IT ministry could not be reached for comment.

Authorities rejected requests from tech firms and digital rights groups to delay implementation and said the reporting schedule was “very generous.”


India isn’t the only country cracking down on VPNs.

Last year, Russia banned several VPN services as part of a wider campaign that critics say restricts internet freedom, although it has not been able to block them completely.

Russia’s move to block global news sites and social media platforms after its invasion of Ukraine – similar to China’s “Great Firewall” – has raised concerns that the internet is fracturing along geopolitical lines, isolating people digitally.

India’s new directive was drafted after little consultation with the tech industry or civil society organizations, said Pratik Vogre, policy director at the Internet Freedom Foundation, a Delhi-based digital rights group.

“Because of this, there are now a bunch of guidelines that are ambiguous, with a huge compliance burden, including potential jail time for non-compliance,” he said.

The rules could do a lot of damage, especially in the absence of data protection law, he added.

“While there is an obvious need to strengthen cyber security, when you ask for indiscriminate data collection, everyone is at risk – and there is a greater risk for people who are already at risk, such as activists, journalists, dissidents, minorities.” (Reporting by Rina Chandran @rinachandran; Editing by Kiran Gilbert Please mention the Thomson Reuters Foundation, the philanthropic arm of Thomson Reuters that highlights the lives of people around the world who are fighting for a free or just life.

This story was published from the news agency’s feed without changes to the text. Only the title has been changed.

Follow all business news, market news, latest news and news on Live Mint. Download The Mint News app to get daily market updates.

More or less


Source link

Avatar photo

About the author

Media Pyro is a site giving interesting facts about acer brand products. We also Provide information about your online Privacy Laws.