Virtual private network (VPN) service providers in the Indian market have reiterated their commitment to privacy and termed directions issued by the Indian Computer Emergency Response Team (CERT-In) as "unimplementable". This comes a day after the government warned of terminating their businesses in the country, if they are non-compliant to new rules.
Responding to a query by Moneycontrol, Yegor Sak, founder of Canada-based VPN firm Windscribe, said, "Windscribe does not collect or store the origin country of any customer. We have no idea where a person is from when they use our service, so Rajeev Chandrasekhar's requirements are impossible to implement."
"Our service is free and available to anyone. We will not compromise the privacy of all our users to comply with these ridiculous requirements originating from a single country," Sak reiterated.
Rajeev Chandrasekhar is the Minister of State (MoS) for Information Technology (IT) in India. In a press conference on May 18, he stated that non-compliant providers would "have to pull out".
Similarly, Jan Jonsson, CEO of Sweden-based Mullvad VPN said, "It is impossible for a privacy focused VPN to legally operate in India under that law." Jonsson also clarified that the company does not have any VPN servers, staff or infrastructure in India. "This does not apply for Mullvad, so no, we will not comply," Jonsson told Moneycontrol.
In response to our queries, NordVPN's Patricija Cerniauskaite reiterated the company's stand of removing their servers from the country if there are no other options left. They added that they are still investigating the new directions and are exploring the 'best course of action'.
Moneycontrol has reached out to other VPN service providers as well, and this story will be updated as and when we receive a response.
On May 18, CERT-In issued a clarification on its April 28 directions where it mandated that VPN service providers and cloud service providers have to maintain customer logs such as their names, IP addresses, etc., for a period of five years.
These directions were criticised by multiple VPN providers. For instance, NordVPN had said that they may pull its servers from India if they find no way out; and Surfshark said the company does not collect or share customer browsing/usage data.
In its clarification, CERT-In stated the corporate and enterprise VPNs were exempted from the directions, and that it was only applicable to entities that provide “internet proxy like services through the use of VPN technologies, standard or proprietary, to general Internet subscribers”.
At a press conference organised to release clarifications on the directions, Chandrasekhar said, "There is no opportunity for somebody to say we will not follow the laws and rules of India. If you don't have the logs, start maintaining the logs. If you're a VPN that wants to hide and be anonymous about those who use VPNs... (then) you will have to pull out (from the country)."
Chandrasekhar said that a VPN provider, cloud provider, data centre operator have an obligation to know who is using their infrastructure. "Why? Because, if there is a detected cyber incident or cyber breach — from one of the people using your VPN or your cloud or your data centre, it is your obligation to produce the data. Now at that point, you cant say 'No it's our rules that we do not maintain logs'. If you don't maintain logs then this is not a good place to do business," Chandrasekhar said.
The issues with the CERT-In directions are not limited to the requirement for VPN service providers. Earlier experts had raised concerns on the requirement of retaining logs of their systems for 180 days, the six-hour reporting time for cybersecurity incidents and so on.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
