Ahead of the deadline to comply with the Indian government’s new data-collection rules, VPN companies from across the globe have pulled their servers out of the country in a bid to protect their users’ privacy.
Starting today, the Indian Computer Emergency Response Team, or CERT—a body appointed by the Indian government to deal with cybersecurity and threats—will require VPN operators to collect and maintain customer information including names, email addresses, and IP addresses for at least five years, even after they have canceled their subscription or account.
In April, CERT said it needed to implement these rules because “the requisite information is not found available” with the security provider during investigations into cybersecurity threats, thereby thwarting inquiries. The new rules, CERT claims, will “strengthen cyber security in India” and are “in the interest of sovereignty or integrity of India.”
VPN companies and privacy experts believe this move impacts user privacy and freedom of speech, and defeats the sole purpose of using VPNs, which encrypt users’ internet activity and mask their locations and identities.
“As digital privacy and security advocates, we are concerned about the possible effect this regulation may have on not only our users but people’s data in general,” says NordVPN spokesperson Laura Tyrylyte. “From what it seems, the amount of stored private information will be drastically increased throughout hundreds or maybe thousands of different companies.” She adds that similar regulations have been “typically introduced by authoritarian governments in order to gain more control over their citizens.”
Last year, India became the country with the highest rate of growth in the use of VPN services worldwide. During the first half of 2021, 348.7 million VPNs were installed, showing a 671 percent jump in growth when compared to the same period in 2020, according to a 2021 analysis by Atlas VPN
“VPNs by nature can be a privacy advancing tool and can be capable of protecting information security in multiple ways, being used by individuals and companies to secure confidential information,” says Tejasi Panjiar, associate policy counsel at the Internet Freedom Foundation. “They also help secure digital rights under the constitution, especially for journalists and whistleblowers, because the nature of information that’s transferred over VPNs is primarily encrypted, which allows them not only to secure confidential information but also to safeguard their own identity, protecting them from surveillance and censorship.”
The government defended its rules, saying it will not violate user privacy as information would be sought only on a case-by-case basis. This claim ignores the Indian government’s track record of surveilling critics, politicians, and activists. In August, an official investigation into whether Indians were spied on by the government using Israeli spyware Pegasus revealed that at least five phones of victims contained malware, but refused to disclose the report. Instead, the country’s top court recommended that existing surveillance laws incorporate the right to privacy and introduce mechanisms for citizens to raise complaints against illegal surveillance.
CERT did not respond to WIRED’s request for comment.