VPN (Virtual Private Network) exists to ensure online safety and overall privacy for a secure web surfing experience. If that purpose is changed by mandating VPN service providers to not only store users’ data but even track them, one can imagine the level of privacy that users may have when browsing online.
India is one of the world's major VPN marketplaces. VPN usage in the country has increased dramatically in recent years. According to an Atlas VPN estimate, VPN installs exploded to 348.7 million in H1 2021, marking a 671 percent increase over 2020. The report indicates that the surge can be ascribed to the country’s vigorously growing digital ecosystem, as the country's internet user base rose at an annual rate of 24 percent on average from 2015 to 2020. This again is due to the remote working or work-from-home models that imposed employees to connect to their respective companies’ VPN to continue working at their locations. While the same, the boredom from the lockdowns saw several game apps being installed, and online shows rose in popularity.
This new rule by the Indian IT Ministry has announced the same for at least a period of five years, with CERT-in or the Computer Emergency Response Team calling data centers and crypto exchanges to act likewise in response to cybersecurity activities and measures in the country.
The purpose of this policy, as stated by the Ministry of Electronics and IT, is to deal with the gaps that hinder the government’s response to certain cybercrime incidents. The scenario currently appears to be unavoidable and potentially harmful to both VPN service providers and Indian users and might change the way VPN functions.
Referring to the right to privacy, Shukla said that there needs to be a fairly high threshold of necessity where the government can invade the privacy of an individual. This has to be an exception and not a rule.
“Considering the rise in cyber incidents, it is understandable that the government may want to put in place mechanisms that make redressal of such incidents more effective. However, any action which adversely impacts the privacy of a large number of individuals without a suitably robust data protection mechanism could prove to be a recipe for a disaster,” he added.
VPNs could Change the Way They Roll
The most important reason to use a VPN is to hide the IP address. It allows customers to avoid website trackers collecting data and tracking their position. Paid VPN has a no-logging policy and works on RAM-only servers, ensuring complete secrecy. VPN providers will be required to retain servers that allow them to log in user data and store it for five years or longer under the new rule. Companies will incur increased costs as a result of switching to storage servers, and user privacy will no longer be a primary feature of these services.
How Companies will be Affected
Although the policy's details have yet to be revealed, there's a potential to expect some provision or alternative that protects user privacy while keeping track. While it is doubtful, the only alternative is to watch how VPN companies respond to this policy. According to the new law, failing to meet the expectations of the Ministry of Electronics and IT can result in one-year imprisonment. Companies must also keep track of and maintain user details long after a user has discontinued their service subscription. Companies will be required to convert to storage servers if the new change is enacted, allowing them to log in user data and retain it for at least five years. Companies will incur increased expenditures as a result of switching to storage servers.
How Users will be Affected
This means less privacy and possibly increased fees for the end-user. It would be feasible to follow one’s surfing and download history if data was logged. Meanwhile, paid VPN firms may raise subscription prices to cover the costs of the new storage servers they must now use.
Additionally, CERT-in will force companies to report twenty vulnerabilities, including unauthorized access to social media accounts, IT systems, server attacks, and more. Below is a complete list of the twenty vulnerabilities.
- Targeted scanning/probing of critical networks/systems.
- Compromise of critical systems/information.
- Unauthorized access to IT systems/data.
- Defacement of website or intrusion into a website and unauthorized changes such as inserting malicious code links to external websites etc.
- Malicious code attacks such as the spreading of viruses/worms/Trojan/Bots/Spyware/Ransomware/Cryptominers.
- Attack on servers such as Database, Mail, and DNS and network devices such as Routers.
- Identity Theft, spoofing and phishing attacks,
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
- Attacks on Critical Infrastructure, SCADA and operational technology systems, and Wireless networks.
- Attacks on Applications such as E-Governance, E-Commerce, etc.
- Data Breach.
- Data Leak.
- Attacks on Internet of Things (IoT) devices and associated systems, networks, software, and servers.
- Attacks or incidents affecting Digital Payment systems.
- Attacks through Malicious Mobile Apps.
- Fake mobile Apps.
- Unauthorized access to social media accounts.
- Attacks or malicious/ suspicious activities affecting Cloud computing systems/servers/software/applications.
- Attacks or malicious/suspicious activities affecting systems/ servers/ networks/ software/ applications related to Big Data, Blockchain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, and Drones.
- Attacks or malicious/ suspicious activities affecting systems/ servers/software/ applications related to Artificial Intelligence and Machine Learning.
Lack of Data Privacy Laws
VPNs often have a no-logging policy, and companies rely on RAM-disk servers and other log-free technology to monitor data and usage.
India has recently tightened its grip on online activities. The Indian government suspended 22 YouTube channels in April. The Indian government and Twitter, Google, and Facebook had a standoff in 2021 about control of social media content. In addition, the Chinese authorities banned around 200 apps in 2020, including TikTok. The worst thing is that India currently lacks a comprehensive data privacy law, and most decisions are based on previous Supreme Court decisions.
On the basis of Article 21 of the Indian Constitution, the Supreme Court ruled privacy to be a basic right in 2017. However, the court underlined that competing state and individual interests, including legitimate interception, could override a person's basic right to privacy.
According to Anupam Shukla, Partner at Pioneer Legal, the government should have ensured that the privacy law was enacted before coming up with a regulation requiring private entities like the VPN service providers to store data belonging to private individuals.