Virtual private network (VPN) service providers have raised concerns over a government order instructing them to keep user data for at least five years and share records with authorities if needed. Some VPN companies, including NordVPN, will leave the country if the government doesn’t give them space to serve their customers privately. At the same time, legal advocacy groups are recommending that the government drop the requirement that violates user privacy.

The order, adopted last week by CERT-In, an agency under the Ministry of Electronics and Information Technology, and effective June 28, instructs VPN service providers to keep data, including their users’ verified names, email IDs and IP addresses, for five years or more “as provided by law”, even after their registration has been cancelled or revoked.

It also said that “all service providers” should “mandatory enable the logs of their systems” and maintain them securely over a rolling 180-day period, “as well as under Indian jurisdiction”. The directive requires service providers to provide the logs to CERT-In when ordered or directed by the agency.

According to the order, it is designed to help limit cybercrime and cybersecurity incidents in the country. The government agency said failure to provide information or to comply with instructions could lead to “punitive action” under section 70B(7) of the IT Act 2000 and other applicable laws.

However, VPN service providers, as their default model, offer user privacy as the most important feature to attract customers.

“Surfshark has a strict no-logs policy, which means we do not collect or share our customer browsing data or any usage information,” Gytis Malinauskas, head of Surfshark’s legal department, said in a statement to Advertisement Shout. “Furthermore, we only use RAM-only servers, which automatically overwrite user-related data. So, at the moment, even technically, we cannot meet logging requirements.”

Malinauskas added that Surfshark is still investigating the new rules and their impact, but has no plans to compromise user privacy and aims to continue providing a no-logs service to all of its users.

Similar to Surfshark, NordVPN’s parent company Nord Security is currently investigating the order that CERT-In unexpectedly passed.

Nord Security’s head of public relations, Laura Tyrylyte, told Advertisement Shout it was exploring the best course of action and was operating as usual, as there were “at least two months” before the order went into effect.

“We are committed to protecting the privacy of our customers, so if there is no other option, we may remove our servers from India,” Tyrylyte said.

India is one of the largest markets for VPNs, given that internet censorship in the country is developing and is implemented using various technical methods, including DNS throttling and TCP/IP blocking. In many cases, users have reported restrictions that are limited to certain Internet Service Providers (ISPs), which can be overcome using a VPN service. The country’s 2020 lockdown has also led to significant growth for VPN services, including ExpressVPN.

According to a report by a UK VPN review site, as of 2020, India has become the second largest VPN market in the world, with 45% of its total internet users on VPNs.

“While India has a large number of VPN users, few VPN providers have a direct physical presence in the country, which will make it difficult for the authorities to enforce the new legislation,” said Simon Migliano, research director at

According to details provided on the Panama-based VPN company’s website, service providers like NordVPN do have servers in India.

But despite this, Migliano said the impact on customers was minimal, as they could simply connect to a VPN service in another country.

“All in all, it seems unlikely that any legitimate VPN provider will comply with the CERT-In legislation, as it is not only difficult to enforce, but goes against everything they stand for,” the researcher said.

The order also directs service providers, data centers and organizations to report cyber incidents to CERT-In within six hours of noticing them. This is seen as a positive move by legal advocacy groups including – as the country is seeing many cybersecurity cases.

However, technology lawyer and founder Mishi Choudhary said the requirement to register VPN users and link identification to IP addresses raises serious privacy concerns and should be removed.

“CERT-In cannot take away the right to use certain tools in the cloak of cybersecurity,” she told Advertisement Shout.

Prasanth Sugathan, legal director at, said that collecting too much data about consumers is against the policies of most VPN providers and could lead some of them to leave the country instead of following the “burdensome rules” given in the order.

Legal experts found the directive ambiguous in nature as it did not clearly detail the impact on service providers.

“These directives were made without any kind of public consultation,” said Prateek Waghre, policy director at the Internet Freedom Foundation (IFF).

He added that the order did not make it clear what the rules would mean for VPN service providers and their operations in India.

“It is unclear whether VPN service providers that do not operate Indian IPs will still be liable under the directive,” he said, adding that the layer of worry would certainly increase if any of these service providers had domestic employees.

Recently, lawmakers have proposed restrictions on VPN services. Telecom operators, including Reliance Jio, are also seen as restricting access to certain VPN services. Still, the number of VPN users in the country has continued to grow so far.
