On June 28, the government delayed the enforcement of a new controversial VPN law by 3 months. The new directives will now come into force on September 25. However, many popular VPN providers have already shuttered their operations in India, saying that the new laws defy the very ethos of using a VPN. So, what are these new laws, and why are they so controversial? Actually, what is a VPN anyway? In this video, we’ll answer all your questions.
But before I begin, hit that like button, and let us know in the comments any other burning questions about tech that you would like us to answer.
A Virtual Private Network or VPN encrypts your data and makes your activity across the web how to track. To understand this, first let’s understand how you connect to the internet.
When you type in a website name on your browser, it goes as a data packet to your Internet Service Provider, or ISP, who then sends it across to the correct destination, which is a specific website. This means that your ISP gets a plethora of information about your activity on the web, including the websites you visit, the specific web pages you browse and the time you spend there, your browsing and search history, or even the files you download or upload. Other parties can also track this information, including possible malicious hackers if you’re using Public Wi-Fi.
A VPN creates an encrypted tunnel for your data by first authenticating your client with a VPN server. The server then uses one of several encryption protocols to make sure that no one can monitor the information traveling between you and your online destination. So your ISP, or anyone trying to track you, loses the ability to monitor all your data.
A VPN also anonymises your location, and can be used to spoof location. So, sitting in India, you can use a VPN to make Netflix, for example, think that you’re logging on from the US.
VPNs can be used for anonymous browsing by consumers, but are also used by office workers to access their company servers remotely, or by businesses to allow users in selected locations to access each other’s networks securely, and safely share resources and information.
Also Read: Apple’s new security-focused Lockdown Mode explained
The Computer Emergency Response Team, or CERT-in, has issued a new directive for VPNs. The body, which falls under India’s IT Ministry, announced VPN providers who operate in India will have to keep records of customer names, validated physical and IP addresses, usage patterns and other forms of personally identifiable information. They have to maintain these logs for five years or more. Those who don't comply could potentially face up to a year in prison.
Many have pointed out that this goes against the very point of using a VPN, which is to keep your online activity anonymous. The government argues that VPN providers, cloud providers, and data centre operators have an obligation to know who is using their infrastructure. Rajeev Chandrasekhar, Minister of State for Electronics and Information Technology, said that “if there is a detected cyber breach or cyber incident,” then providers have to produce the usage logs.
He also said that if VPN providers do not want to comply with the new rules, they will have to pull out and cease operations in India. And many of them have done exactly that. Some of the biggest consumer VPN providers, including TunnelBear, NordVPN, SurfShark, ExpressVPN have removed their India-based servers.
Also Watch: Samsung Galaxy Book 2 Review: The dependable laptop that’s good at everything?
In a statement, ExpressVPN criticised the law strongly, saying that the law is so “overreaching and broad” that it opens up a window for potential abuse, and that they believe “the damage done by potential misuse of this kind of law far outweighs any benefit that lawmakers claim would come from it”. They also said that they “refuse to participate in the Indian government’s attempts to limit internet freedom.”
There also concerns about the security of these logs, which contain extremely sensitive personal information. A spokesperson from NordVPN argued that small and medium sized companies may not have the proper knowledge or means to ensure the security of this data. They also said that regulations like this were normally introduced by authoritarian governments in order to gain more control over their citizens, and if a democracy follows the same path, it may have an adverse effect on privacy and freedom of speech.
Also Watch: OnePlus 10R Review: is it worth the money?
So, will VPNs now stop working in India? Well, it’s not really clear. All of these service providers have removed or shut down their India exit nodes, which allowed users from abroad to access the internet as though they’re in India. However, for now, Indian users can still access popular VPN services, which only use servers located outside of the country.
The IT Ministry has said that the new laws apply to any VPN provider which provides services to Indian users, even if their servers are physically located outside of the country. VPN companies see this differently. SurfShark, for example, told The Hindu that they believe by moving servers outside of the country, they are complying with all local laws. This is an evolving situation, and we are likely to get more clarity on this in the future.