In India, new rules are about to be enacted bringing changes to the way VPN companies are allowed to operate there – and these changes have to do with data collection, retention, and sharing.
Because of the very nature of VPNs and the service they are supposed to provide, the new regulation, announced in late April with a deadline of two months to start compliance, has VPN companies considering their response, including leaving the Indian market altogether.
The difference between a trustworthy VPN and one that is less so is precisely in whether or not they log user information. But now the Indian government wants all providers of the service to collect customer data and store it for at least five years.
The authorities say this has nothing to do with attempts to harvest more data or undermine secure communications, but with dealing with data breaches. These have been affecting India on a large scale: the country is said to have been the third worst-hit in the world last year, when hundreds of millions of names, emails, phone numbers, location, and other data got leaked in a number of incidents, later surfacing on the dark web.
The Indian Computer Emergency Response Team (CERT-In), a government-mandated security organization, is in charge of investigating these incidents, and the VPN logs can be used to help it work more efficiently on cases of data breaches – but groups like the Free Software Movement of India aren’t convinced that this is the only purpose these logs will actually be used for.
Responding to the announcement of the new rules, Wired reported, ExpressVPN accused the Indian government of attempting to infringe on citizens’ digital rights, adding that the company will not log user activity or information, and would be “adjusting” in order to stick to this principle.
ProtonVPN thinks that the government’s move will lead to erosion of civil liberties, adding that the situation is being monitored, but that the provider will “ultimately remain committed to no-logs policy and preserving user privacy.”