VPN Providers Threaten to Quit India Over New Data Law

VPN companies are fighting with the Indian government for new rules designed to change the way it operates in the country. On April 28, officials announced that virtual private networking companies will have to collect fragments of customer data and keep it for five years or more in accordance with a new national directive. VPN providers have two months to access the rules and start collecting data.

The justification for the country’s Computer Emergency Response Team (CERT-In) is that it must be able to investigate possible cybercrime. But that doesn’t happen with VPN providers, some of whom have said they can ignore the claims. “This latest move by the Indian government to require VPN companies to provide users’ personal data is a worrying attempt to infringe on the digital rights of their citizens,” said Harold Li, vice president of ExpressVPN. He added that the company would never record user information or activity and would adjust its “operations and infrastructure to preserve this principle if and when necessary.”

Other VPN providers are also considering their options. Gytis Malinauskas, head of Surfshark’s legal department, says the VPN provider is currently unable to meet India’s registration requirements because it uses only RAM servers, which automatically overwrites user-related data. “We are still investigating the new regulation and its implications for us, but the overall goal is to continue to offer unregistered services to all of our users,” he says. ProtonVPN is equally concerned, calling the move an erosion of civil liberties. “ProtonVPN is monitoring the situation, but we are still committed to our non-registration policy and preserving the privacy of our users,” said spokesman Matt Fossen. “Our team is researching the new directive and exploring the best course of action,” says Laura Tyrylyte, head of public relations at Nord Security, which develops Nord VPN. “We can remove our servers from India if there are no other options left.”

The harsh response from VPN providers shows how much is at stake. India has quickly moved away from a free and open democracy and launched repression against non-governmental organizations, journalists and activists, many of whom use VPNs to communicate. Human Rights Watch recently warned that media freedom is under attack in the country, with a number of changes in law and policies that threaten the rights of minority citizens in the country. India dropped eight places in the Reporters Without Borders Press Freedom Index last year and now ranks 150th out of 180 countries in the world. Authorities are reportedly targeting journalists, fueling the nationalist divide and encouraging harassment of critical journalists with Indian Prime Minister Narendra Modi. By collecting and storing data from all VPN users in India, authorities may find it easier to see who journalists using VPN are in contact with and why.

Officials in India have said that the new rules for VPN providers are not part of a data capture aimed at further hampering press freedoms, but rather an attempt to better control cybercrime. India has been hit by a number of major data breaches in recent years and was the third most affected country in the world in 2021. “Data breaches have become so common in India that they don’t make headlines like they used to, “he says. Mishi Choudhary, technology lawyer and founder of Software Freedom Law Center, a provider of legal technology support services in India. In May 2021, the names, email addresses, locations, and phone numbers of more than 1 million Domino’s Pizza customers were stolen and posted online; in the same year, the personal information of 110 million users of the MobiKwik digital payment platform ended up on the dark web. Now, as the main incidents pile up, Indian officials are chasing VPNs in an apparent attempt to reign supreme in the rise of cybercrime.

“CERT-In has an obligation to respond to any cybersecurity incident,” says Srinivas Kodali, a researcher focused on digitization in India of the Free Software Movement of India, although he denies its effectiveness in doing so. Having this information on hand should, in theory, allow CERT-In to investigate any incident more quickly after the fact. But many do not believe that this is the whole story. “CERT-In doesn’t really have a clean past and they’ve never really protected the privacy of citizens,” Kodali says. “According to the rules, they will only request these records when they really need them for part of an investigation. But in India, you never know how they will be mistreated.”

Source link

Leave a Reply