In what comes as a relief to VPN companies, India’s Computer Emergency Response Team (CERT-In) has pushed the deadline for implementation for the new data logging guidelines by three months, till September 2022.
The announcement came on Monday, as CERT said the reason for the postponement was industry players asking for “additional time”.
In April 2022, the Indian government issued new guidelines to virtual private server (VPS) providers, cloud service providers, VPN service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and government organisations, requiring them to log and store user data for a period of five years, to be made available to authorities at request. Under the new guidelines, the following data is required to be stored:-
- User details like names, email addresses, Phone numbers
- The subscriber’s purpose of using VPN service
- User’s signup IP address and IP address alloted by VPN host.
- The timestamps, subscription pattern, duration and usage patterns of the customer
The law also requires organisations involved to report and security lapses within 6 hours of their coming to attention. The initial timeline marked June 2022 as the deadline for compliance, failing which could lead to prosecution and jail time.
The guidelines, as expected, drew widespread criticism from multiple VPN service providers, as well as cybersecurity experts from India and across the globe. Many prominent VPN services like ExpressVPN, NordVPN etc. gave out statements of criticism.
We are keeping a close eye on the situation as it evolves, but want to be clear that ExpressVPN is fully committed to protecting our users’ privacy, including through never logging user activity, and will adjust our operations and infrastructure to preserve this principle if and when necessary. As a company focused on protecting privacy and freedom of expression online, ExpressVPN will continue to fight to keep users connected to the open and free internet, no matter where they are located.
~ExpressVPN
Another VPN provider, Surfshark, said:
Surfshark has a strict no-logs policy, which means that we don’t collect or share our customer browsing data or any usage information. Moreover, we operate only with RAM-only servers, which means that at this moment, even technically, we would not be able to comply with the logging requirements. We are still investigating the new regulations and its implications for us, but the overall aim is to continue providing no-logs services to all of our users.
~SurfShark VPN
The central government has had VPN services under their radar since 2021. In September 2021, a parliamentary committee urged the government to impose a permanent ban on VPNs, citing cybercriminals often use VPNs to hide their locations and identity.
Despite criticism, the government has doubled down on their policy, making it completely clear it has no intentions of repealing or reconsidering it. Rajeev Chandrasekhar, Junior IT Minister of India, said “If you don’t have the logs, start maintaining the logs. If you’re a VPN that wants to hide and be anonymous about those who use VPNs who want to do business in India and you don’t want to apply, you don’t want to go by these rules, then if you want to pull out, frankly, that is the only opportunity you have. You have to pull out.”
Most VPN providers have been in “wait and see” mode, as they have not yet started logging user data. As things currently stand, they are going to face tough decisions given the government’s refusal to budge. ExpressVPN has already shut down physical servers in India, providing service to Indian users via virtual servers.