Implications of India’s new VPN rules
GS 2,3; Govt Policies and Interventions, Technology, Security Issues, Cyber Security.

  • The Indian government’s cybersecurity agency enacted a law requiring Virtual Private Network (VPN) providers to capture and store their customers’ records for 180 days. It also required these companies to gather and preserve client data for a period of up to five years. It also required that any recorded cybercrime be reported to the CERT-In within six hours of the offence.
  • According to Surfshark VPN, taking such drastic action that affects the privacy of millions of individuals in India will most likely be counterproductive and severely harm the country’s IT sector’s growth.
  • According to the Ministry of Electronics and Information Technology, the laws apply to “any company whatsoever,” regardless of whether it has a physical presence in India or not, as long as it provides services to Indian users.

What exactly is a VPN?

  • VPN is an abbreviation for “Virtual Private Network,” and it refers to the ability to establish a secure network connection when utilising public networks.
  • VPNs encrypt your internet traffic and conceal your identity online.
  • This makes it more difficult for third parties to follow your internet activities and steal information.

How does a VPN function?

  • A VPN conceals the IP address by routing it through a specially configured distant server managed by a VPN host.
  • This implies that if used a VPN to access the web, the VPN server becomes the source of the data.
  • This means that the Internet Service Provider (ISP) and other third parties will not be able to see the websites visited or the data transmitted and received online.
  • A VPN acts as a filter, converting all of the data into “gibberish.” Even if someone were to obtain the data, it would be worthless.

Why do individuals utilise VPN services?

  • Secure encryption: A VPN connection masks the internet data transmission and protects it from prying eyes. Anyone with network access and a desire to read unencrypted data can do so. Hackers and cyber thieves are unable to decode this data when using a VPN.
  • Hide the location: VPN servers simply work as proxies on the internet. Exact location cannot be established since the demographic location data is obtained from a server in another nation.
  • Data privacy is protected: The majority of VPN providers do not keep logs of the actions. Some providers, on the other hand, record the behaviour but do not share it with third parties. As a result, any potential record of the user behaviour is permanently hidden.
  • Regional Web Content Accessibility: Regional web material is not necessarily available from everywhere. Services and websites frequently contain content that is only available in specific regions of the world.
  • Secure data transfer: If we work from home, we may need to access critical files on the company’s network. This type of information necessitates a secure connection for security reasons. A VPN connection is frequently necessary to obtain network access.

CERT-IN (Indian Computer Emergency Response Team):

  • The Ministry of Electronics and Information Technology houses CERT-IN.
  • It is the focal point for dealing with cyber security issues such as hacking and phishing. It increases the Indian Internet domain’s security defences.
  • It was established in 2004 by the Government of India under Section (70B) of the Information Technology Act, 2000, inside the Ministry of Communications and Information Technology.

What exactly does the new CERT-IN directive state?

  • VPN providers must keep validated client names, physical addresses, email addresses, phone numbers, and the purpose they are using the service, as well as the dates they use it and their “ownership pattern.”
  • Additionally, Cert is requesting that VPN providers preserve a record of the IP and email addresses used by customers to register for the service, as well as the date of registration.
  • Most crucially, VPN providers will be required to record all IP addresses assigned to a client as well as a list of IP addresses that its customers frequently use.

Who will be affected by the new regulations?

  • Data centres, virtual private server (VPS) providers, cloud service providers, virtual asset service providers, virtual asset exchange providers, custodial wallet providers, and government organisations are all covered by these guidelines. Firms who provide Internet proxy-like services using VPN technology are also subject to the new legislation. Corporate entities are not being investigated.

What Exactly Is a Virtual Server, And What Are Its Applications?

  • A virtual server is a server environment that is constructed on top of a real server. It mimics the operation of a dedicated physical server.
  • The virtual twin operates similarly to a real server, running applications and utilising actual server resources. A single physical server can support several virtual servers.
  • Virtualizing servers’ aids in the reallocation of resources for shifting workloads. Converting a single physical server into numerous virtual servers enables organisations to make better use of processing power and resources by running various operating systems and applications on a single partitioned server.
  • Running numerous operating systems and apps on a single physical computer saves money since it takes up less space and hardware.
  • Virtualisation also saves money since the cost of operating a virtual server infrastructure is lower than that of a physical server infrastructure.
  • Because the operating system and applications are contained within a virtual machine, virtual servers are believed to be more secure than physical server architecture. This aids in the containment of security assaults and bad behaviour within the virtual machine.

Can Server Migration and Virtualization Assist VPN Providers in Skirting the New Regulations?

  • The Ministry of Electronics and Information Technology (MeiTY) FAQs on cybersecurity guidelines provide some clarification on relocation and virtualization.
  • It states that the laws apply to “any entity whatever” in the case of cyber events and cyber security incidents, whether or not they have a physical presence in India, as long as they provide services to Indian consumers.
  • Service providers that do not have a physical presence in India but provide services to Indian users must designate a point of contact to communicate with CERT-In.
  • Furthermore, logs may be held outside of India as long as the companies meet their commitment to provide logs to CERT-In within a reasonable time frame.
  • VPN businesses, on the other hand, feel that by relocating their physical servers to countries other than India, they will be in compliance with the rules that govern their activities.

Effect of the Bill Have on India’s IT Sector:

  • VPN providers leaving India is bad for the country’s developing IT sector. Taking such drastic action, which has a significant impact on the privacy of millions of individuals in India, will most certainly be counterproductive and severely harm the country’s IT sector’s growth, the business stated in a press release last week.
  • It calculated that 254.9 million Indians’ accounts have been compromised since 2004, and expressed worry that gathering large volumes of data inside Indian jurisdiction without effective protection methods may result in even more breaches.
  • The corporation located in the Netherlands also stated that they have never received a comparable instruction on preserving client logs from any other government in the globe.

What Is the Significance of Privacy?

  1. Privacy or anonymity is vital for both VPN service providers and consumers since it helps to avoid being monitored, particularly by websites and hackers.
  2. Because VPN conceals a device’s location from everyone, it also prevents government and law enforcement organisations from precisely identifying the location.
  3. VPN has also proven critical in nations that attempt to stifle dissent. Dissidents can remain secure by spoofing their location via VPNs.

Misuse Possibility:

  • According to experts, governments and their agencies may easily abuse such a restriction, and it may actually drive such people to the dark and deep web, which are far more difficult to regulate than VPN services.
  • It is also unclear whether the Centre would use this to take action against people who use VPNs to access content that is restricted in India.


No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *