The IT Nerd

India has ordered VPN’s to collect and store users’ data, including names, addresses, contact numbers, email and IP addresses, for up to five year. With this move, Wired reported that VPN providers have since threated to quit India:

The justification from the country’s Computer Emergency Response Team (CERT-In) is that it needs to be able to investigate potential cybercrime. But that doesn’t wash with VPN providers, some of whom have said they may ignore the demands. “This latest move by the Indian government to require VPN companies to hand over user personal data represents a worrying attempt to infringe on the digital rights of its citizens,” says Harold Li, vice president of ExpressVPN. He adds that the company would never log user information or activity and that it will adjust its “operations and infrastructure to preserve this principle if and when necessary.”

Artur Kane, CMO at GoodAccess had this to say:

“Though controversial upon inception, the so-called data retention legislation has now been with us for decades. Most technologically developed countries enforce these directives with varying retention periods, usually ranging from 6 months to 2 years. In some countries, all expenses on data retention are even covered by the government.

Until now, the data retention obligations were limited to infrastructure providers (internet service providers, telecommunications), and asking the same of VPN vendors is without precedent in democratic countries.

The use of VPNs, in the past widely adopted by companies to provide remote access to company IT resources, has rapidly spread to millions of consumers over the past decade, who use it to avoid surveillance by internet providers, bypass country-based content filtering, and other restrictions. In my opinion, cybercriminals had been using VPNs to anonymize their activities even before ordinary users jumped on the trend.

Now, forcing VPN providers to track user traffic and their private data (like source and destination IP, port, protocol, and timestamps) is going to invalidate one of the last remaining safeguards of personal privacy on the public internet while helping to expose only a handful of lawbreakers. 

The value for the price doesn’t add up, either. Privacy is a basic human need, legally protected in many free countries, and people have the right to protect it, especially now, when their sensitive data is more valuable than ever and is being collected on a shocking scale.

Law on the public internet can be enforced in other ways that do not impact user privacy, such as the use of behavioral algorithms by vendors, looking for characteristic patterns of potentially malicious behaviors, or disabling VPN services to those accounts where such events were detected.”

I have been to India a number of times and this news is very disappointing. India really needs to reconsider this as this is a massive overreach by the Indian Government. And it risks making them a very repressive country that nobody will want to visit or do business in.

This entry was posted on May 9, 2022 at 11:48 am and is filed under Commentary with tags India, Privacy. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.