
VPN Providers Ordered by Indian Government To Hold All Customer Data for Five Years, Hand Over to Government Upon Request

Virtual private networks (VPN) sell themselves on their ability to anonymize traffic and protect user identities from any prying eyes. A new order from the Indian government could essentially undermine the business of VPN providers in the country, requiring the personal information of all users to be collected and this profile of customer data to be held for up to five years.

The country’s Computer Emergency Response Team (CERT-In), an office of the Ministry of Electronics and Information Technology tasked with taking point on cybersecurity threats, would also require VPN providers to grant it access to this customer data upon request.

Indian VPN providers may no longer be able to assure privacy under new rules

The CERT-In order applies to VPN providers, virtual private server (VPS) providers, data centers and cloud service providers. These services are required to hold and turn over a variety of customer registration information: name, address, contact number, email address, time of initial registration, the dates of service provided, the reasons for hiring the service, IPs allocated to the user and their “ownership pattern.”

The order will go into effect in late June, and CERT-In has threatened VPN providers that do not comply with “punitive actions.” CERT-In claims that it needs the new ability to address “gaps” in its analysis of certain types of cybersecurity threats, but did not go into detail on exactly what the nature of those threats is.

VPN providers generally give the customer the ability to shield identifying information from their internet service provider, which in turn makes it extremely difficult for other parties to access their internet traffic. CERT-In’s terms essentially render this protection pointless. The terms are such a problem for the core business model of VPN providers that there is a general expectation that at least some will defy the new law, forcing the government to back up its threats with meaningful action.

VPN providers will be required to hold this customer data on a rolling 180-day basis, but any service dealing with cryptocurrency will be required to hold both this data and transaction records for five years. It is not clear what “punitive action” awaits non-compliant businesses, but it will most likely be either fines or the more serious step of attempting to force them out of business by blocking them from the internet.

Some Indian VPN providers say customer data will not be turned over

Several of the larger VPN providers in the country have already gone on record to say that they do not intend to comply with the new law. Surfshark, an international provider with over a million customers, issued a statement saying that this would not change its strict “no logs” policy and that it uses RAM-only servers that do not permanently store customer data. It also noted that it was based in the Netherlands and was not subject to laws of this nature passed in other countries. ProtonVPN, a sister service to the privacy-focused ProtonMail with over half a million international customers, called the new rules an “erosion of civil liberties” and vowed to take no measures that would compromise user privacy or weaken its VPN services. NordVPN said that it was considering simply pulling its services from India entirely if the law goes ahead, something that other international VPN providers will no doubt give serious thought to.

In addition to mass infringement on the privacy of customer data, VPN providers would be looking at substantial strain on their operations. An Atlas VPN survey conducted in 2021 found that 20% of Indians now use a VPN when on the internet, primarily due to increased work-from-home arrangements during the coronavirus pandemic but also due to a spate of geoblocking that has been going on for several years. There are also increasing concerns throughout the country about government surveillance and intrusions into personal privacy. For some VPN providers this could mean the continual retention of millions of records of customer data, something that their business model was not at all prepared for.

This would not be the first example of VPN providers pulling out of countries that pass laws that are too invasive and authoritarian. There was something of an exodus of these companies from Hong Kong in 2020 when the mainland Chinese government implemented new security laws that forced turnover of customer data upon demand. Some VPN providers have also pulled out of Russia, not only because of the Ukraine invasion but even earlier, when the Russian government blocked several major providers (such as NordVPN and ExpressVPN) on the claim that they facilitated access to prohibited information.

Artur Kane, CMO at GoodAccess, points out that while requiring certain business categories to retain records is a common regulatory requirement throughout the world, there is little precedent for requesting this scale of customer data from VPN providers: “Until now, the data retention obligations were limited to infrastructure providers (internet service providers, telecommunications), and asking the same of VPN vendors is without precedent in democratic countries … Now, forcing VPN providers to track user traffic and their private data (like source and destination IP, port, protocol, and timestamps) is going to invalidate one of the last remaining safeguards of personal privacy on the public internet while helping to expose only a handful of lawbreakers. The value for the price doesn’t add up, either. Privacy is a basic human need, legally protected in many free countries, and people have the right to protect it, especially now, when their sensitive data is more valuable than ever and is being collected on a shocking scale. Law on the public internet can be enforced in other ways that do not impact user privacy, such as the use of behavioral algorithms by vendors, looking for characteristic patterns of potentially malicious behaviors, or disabling VPN services to those accounts where such events were detected.”