Several virtual private network (VPN) service providers across the world have decried the Union government’s recent directions requiring such service providers to maintain logs of customers and comply with additional requirements.
A VPN establishes a secure, encrypted connection between your computer and the internet, providing a private tunnel for your data and communications while you use public networks, according to antivirus company Avast.
VPN provider Surfshark’s legal department head Gytis Malinauskas told Moneycontrol that the company has a strict no-logs policy, which implies that it does not collect or share customer browsing data or any usage information.
Malinauskas also said that Surfshark only operates on RAM servers, which means that they cannot comply with logging requirements as mentioned in the recent directions released by India’s Computer Emergency Response Team (CERT-In). “We are still investigating the new regulations and its implications for us, but the overall aim is to continue providing no-logs services to all of our users,” Malinauskas said in a statement.
Windscribe told MediaNama that some of the requirements “demonstrate that whoever wrote these requirements has zero technical knowledge”.
CERT-In’s direction says that virtual private server (VPS) providers and VPN service providers will have to maintain “accurate information” such as the names of subscribers/customers hiring the services, the IPs allotted to such customers, and the email address and IP address of the customer at the time of registration, for a period of 5 years or longer.
In a tweet, Proton VPN said that India’s new VPN regulations are “an assault on privacy”, and that it will continue maintaining its no-logs policy. In the tweet, Proton VPN also attached a link to a three-year-old blog titled “using VPN servers in high-risk countries”.
The new Indian VPN regulations are an assault on #privacy and threaten to put citizens under a microscope of surveillance. We remain committed to our no-logs policy and recommend everyone using our servers in India to follow these guidelines: https://t.co/85WTkUJ5Z6. (1/2)
— ProtonVPN (@ProtonVPN) May 5, 2022
NordVPN told Entrackr that it is “committed to protecting privacy” of its customers and if the company has ‘no other options left’ it may remove servers from the country. “At the moment, our team is investigating the new directive... As there are still at least two months left until the law comes into effect, we are currently operating as usual,” said Patricija Cerniauskaite, a spokesperson for NordVPN.
ExpressVPN told Wired these directions are a “worrying attempt to infringe on the digital rights of citizens”.
Earlier, Moneycontrol spoke to experts on the CERT-In directions which, apart from this, bring in additional compliance requirements such as mandating all body corporates to retain server logs for 180 days, reporting cybersecurity incidents within 6 hours of the incident, and aligning the time servers of service providers to those of the National Physical Laboratory and the National Informatics Centre (NIC).
Biocon Chief Information Security Officer (CISO) Agnidipta Sarkar, commenting in a personal capacity, had said, "I am hoping the CERT will provide more details and engage with body corporates to thaw out open issues." Software Freedom Law Centre founder Mishi Choudhary said that the VPN requirements raise serious privacy concerns and that they should be removed.