New Delhi: The stage is set for a stand-off between virtual private network (VPN) companies and the Centre, over a new rule that requires the firms to collect and store user data for a period of at least five years.
Some of the biggest VPN companies, such as NordVPN and ExpressVPN, state that they collect only minimal information about their users and also let their users remain largely anonymous by accepting payment in Bitcoin.
Their internal rules are now set to bring them into confrontation with the IT ministry, which last week quietly issued a new directive requiring an array of technology companies to start logging user data.
At least one company, NordVPN, has reportedly stated that it is examining the new directive and may choose to shut down its Indian servers if it sees “no other options”.
The official directions that sparked controversy come from CERT-In – the government body in charge of analysing and tracking national cybersecurity incidents. In a press release, it noted that all “Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers” would be required to maintain a range of user data for a period of five years or longer even after cancellation or withdrawal of the service.
What kind of data does the government want them to store? According to the directive, the following categories of information will need to be logged:
Validated names of subscribers/customers hiring the services
Period of hire including dates
IPs allotted to/being used by the members
Email address and IP address and time stamp used at the time of registration/on-boarding
Purpose for hiring services
Validated address and contact numbers
Ownership pattern of the subscribers/customers hiring services
As for why, the initial press release states that “CERT-In has identified certain gaps causing hindrance in incident analysis” and that the new measures will help “facilitate incident response measures”.
In broad remarks last week, not specifically only about VPN companies, Union minister for MeitY Ashwini Vaishnaw reportedly said that there was “nothing to worry about”. “There is no privacy concern. Suppose, somebody takes a mask and shoots, wouldn’t you ask them to remove that mask? It is like that,” Vaishnaw said at an event in Bengaluru.
What do VPN companies say about user data?
The only problem with the government’s new rules? Most of the big VPN companies specifically say they don’t collect information such as the IP addresses being used by or allotted to customers. On top of this, services like NordVPN allow payment in Bitcoin, which further prevents the company from even identifying its users through their payment details.
For instance, ExpressVPN’s website notes:
ExpressVPN does NOT and WILL NEVER log:
- IP addresses (source or VPN)
- Browsing history
- Traffic destination or metadata
- DNS queries
We have carefully engineered our apps and VPN servers to categorically eliminate sensitive information. As a result, ExpressVPN can never be compelled to provide customer data that does not exist.
NordVPN notes that it allows payment in cryptocurrencies, a move that lets a user “sign up and pay for NordVPN anonymously”. This is a service that the Indian government will almost certainly frown upon, given that its new directive calls for VPN companies to store “validated names” of subscribers and their addresses.
NordVPN’s website also describes it as a “zero-logs” service, a feature that is “confirmed by independent auditors” and helped by the fact that the company is based outside EU and US jurisdictions.
In the past, companies like Nord and Express removed their physical servers from countries like Russia after a stand-off over similar issues.
In a statement given to industry publication Entrackr, NordVPN’s parent Nord Security said that it “may remove” its servers from India if “no other options are left”.
“At the moment, our team is investigating the new directive recently passed by the Indian government and exploring the best course of action. As there are still at least two months left until the law comes into effect, we are currently operating as usual,” spokesperson Patricija Cerniauskaite told the publication.
It remains to be seen whether other companies like ExpressVPN – to which The Wire has sent a questionnaire – will comply with the new rules, which include asking all customers why they want to use a VPN service as well.
Overreach or necessary? What experts say
Over the last few days, multiple legal experts and privacy rights advocates have slammed the new rules, calling them everything from “ambiguous” to something that should be “withdrawn immediately”.
In a detailed statement put out on Thursday afternoon, the Internet Freedom Foundation, a New Delhi-based digital rights advocacy group, said that the rules were “excessive” and would harm the “individual liberty and privacy” of VPN users.
“Such excessive requirements for collecting and handing over data will not just impact VPN service providers but VPN users as well, harming their individual liberty and privacy. Here, it is also important to notice that it remains unclear how the 5 year period of data retention for VPNs will help in increasing cyber security,” it said in a statement.
“Such requirements go against internationally recognised principles of ‘storage limitation’ related to the processing of data… Further, there are certain service providers such as Signal as well as certain VPNs such as Proton, which claim to not retain any logs due to their privacy respecting practices. These service providers may be forced to exit the Indian market as a result of these requirements.”