Privacy concerns raised over mandate to retain customer records

ANALYSIS Virtual private network (VPN) providers are digging in their heels, following the introduction of a new law in India requiring them to collect user data and keep it for at least five years.

Under a new directive (PDF) from the country's Computer Emergency Response Team (CERT-In), VPN providers in the country will have to keep records and logs of customer names, physical addresses, and contact numbers – all of which must be verified – along with email and IP addresses.

Service providers will also have to collect and keep the “period of hire” (the timestamp used at registration), the purpose of the contract, and the “ownership pattern” of the customer.


Catch up with the latest cybersecurity news from India


The regulations will come into effect at the end of June, along with potential penalties of imprisonment or a fine of ₹100,000 ($1,300) for infringements to the rules.

In a briefing, Rajeev Chandrasekhar, Indian minister of state for electronics and IT, said the rules were non-negotiable.

"If you don’t have the logs, start maintaining the logs," he said.

"If you’re a VPN that wants to hide and be anonymous about those who use VPNs who want to do business in India and you don’t want to apply, you don’t want to go by these rules, then if you want to pull out, frankly, that is the only opportunity you have. You have to pull out."

Mass exodus?

In response, ExpressVPN is – physically, at least – doing just that. As of last week, it's closed down its two physical servers in India. However, it says it will continue to operate its two Indian virtual server locations.

Physically located in Singapore and the UK, these allow users to connect with Indian IP addresses. Users based in India will also be able to continue using the company's apps as usual.

"ExpressVPN absolutely will not participate in the Indian government’s attempts to limit internet freedom," says Harold Li, vice president of ExpressVPN.


RECOMMENDED Black Hat Asia: ‘If democracy is to survive, technology will have to be tamed’


"As such, we have made the very straightforward decision to remove our Indian-based VPN servers. We refuse to ever put our users’ data at risk."

In any case, he says, the company's VPN servers have been specifically designed to avoid making logs, including by running in memory.

"Data centers are unlikely to be able to accommodate this policy and our server architecture under this new regulation, and thus there is no path forward other than to no longer have physical VPN servers in India," he says.

Civil liberties ‘eroded’

Other VPN services that operate in India are following a different strategy.

For example, Proton VPN is planning to carry on as normal despite its concerns about the new Indian regulations.

"India's new VPN regulations will erode civil liberties and make it harder for people to protect their data online," a spokesperson told The Daily Swig.

"Proton VPN is monitoring the situation, but ultimately we remain committed to our no-logs policy and preserving our users’ privacy."

Cutting against the grain

VPN provider Surfshark is taking a similar stance, commenting: "As the new regulation goes against the nature of the VPNs industry – which seeks to protect customers’ privacy – we remain committed to providing no-logs services to our clients, including those living in India."

India is no stranger to online control controversies, with a recent report from Access Now describing it as the world's worst offender for internet shutdowns for the last four years running.

Meanwhile, new rules introduced last year include requirements for social media platforms to be able to review the content of communications, and to allow authorities to request interception or monitoring of messages.

Udbhav Tiwari, senior manager, global public policy at Mozilla, told The Daily Swig: "While well-intentioned, the new rules contain vastly expanded data retention requirements as compared to industry norms. Forcing private players to collect such information without a strong data protection law places the privacy of the average user at risk.

Tiwari concluded: “The rules should be re-evaluated under the principles of necessity and proportionality to balance interest of the state with the fundamental right to privacy guaranteed to every Indian."


RELATED US export ban on hacking tools tweaked after public consultation