Varun Aggarwal
APAC News Editor

As VPN firms start to leave India, government to hold a joint meeting

Jun 10, 2022

The move comes two days after a second VPN firm, SurfShark, announced plans to remove its servers from India, following a directive that requires VPN firms to store customer data for five years.


India’s Ministry of Electronics and Information Technology (MeitY) is expected to meet VPN players, along with tech policy groups, cyber security experts and legal experts, on Friday to review an earlier directive that requires VPN companies to store customer data for five years and mandates that companies in India report a security breach within six hours.

According to the Economic Times, which broke the story, the meeting could be chaired by Minister of State for Electronics and Information Technology Rajeev Chandrasekhar. As of early Friday evening, government officials had not confirmed whether the meeting had taken place.

Technology policy groups including The Dialogue, AccessNow, Internet Freedom Foundation, Software Freedom Law Center, India, and BSA India had earlier written to the minister about the directive, which is likely not only to make it difficult for VPN firms to operate in India but also to create higher compliance pressure on enterprises in India.

While an FAQ document issued alongside the directive, posted on the website of the Indian Computer Emergency Response Team (Cert-In), clarifies that the new rules would not have an impact on enterprise VPN services, there is no such mention in the actual directive itself.

“The FAQs document is not legally binding. The FAQs also state that it is an ‘evolving document’. The fact that the document is not legally binding means neither BSA members nor any other organization can effectively rely on the FAQs to ensure compliance with the Directions. This could hurt their commercial operations, investments, and R&D activities,” the BSA said in a letter dated May 30 titled “BSA concerns on the CERT-In Directions on Information Security Practices”.

Companies seek clarity on VPN directive

BSA India is also seeking clarity on which specific security incidents must be reported within six hours and has asked the government to extend the reporting time to 72 hours after discovery.

“Based on our experience and research, the initial 24-72 hours after a potential incident is discovered involves uncertainty and fast-paced investigative, containment, and remediation work. This is a critical period, since there is a consistent need to react in unexpected ways to new information as it is discovered,” the letter said.

At least two VPN players, including SurfShark and ExpressVPN, have already announced they’d be removing their servers from India in response to the directive issued on April 28, effective toward the end of this month. NordVPN has also warned that it will be removing physical servers if the directives are not reversed.

“It’s puzzling that a Govt that claims to be a cheerleader of the tech ecosystem regularly comes up with policies that are reminiscent of the license raj. Nowhere in the world do CERTs behave like rule-making bodies to rob citizens of their privacy and drive businesses out. A time limit of 6 hours and expectations of KYC mechanisms shows how control at any cost is the north star here,” said Mishi Choudhary, technology lawyer and online civil liberties activist. Choudhary was also the founder of the Software Freedom Law Center, India, which has been petitioning against the new rules.

The directive is expected to impact both consumers and enterprises. Privacy advocates fear that the new directive could be an attack on privacy, since it forces VPN companies to store information such as customers’ names, email addresses, IP addresses, know-your-customer records, and financial transactions for a period of five years. The rules could also add to compliance pressures on enterprises, which will now be required to report any cyber security breach to Cert-In within six hours.