VPN services allow users to browse the web anonymously and mask their IP, or Internet Protocol, address and circumvent government censorship in countries like China, Russia, and Turkey.
Indian authorities have argued that the new rules, which are due to come into force on June 27, are needed so that law enforcement can track down perpetrators of cybercrimes such as fraud, which plagues a country with some 600 million Internet users.
But digital privacy advocates say the rules go beyond what most Western governments require of internet companies and align more closely with outliers such as China, notorious for its draconian internet regulation.
India’s new rules would also strengthen tracking and data retention requirements for large cloud companies, such as Amazon, which provide the infrastructure for large portions of the commercial internet. Cloud service providers would be required to store user data for up to six months.
“VPN is a way for a citizen to maintain some semblance of privacy, which is one of the reasons why the Indian government wants to create an environment in which it cannot operate in the country,” said Nikhil Pahwa, a digital rights activist and the founder of Indian online publication MediaNama. “When it comes to the internet, the Indian government is the envy of China.”
India has been embroiled in an intense debate over the government’s alleged use of spyware against domestic dissidents and opposition politicians – a charge that Indian officials have neither confirmed nor denied.
Prime Minister Narendra Modi’s government, meanwhile, has introduced new laws – and is drafting additional laws – that would give authorities greater control over the data of internet users and the content they post on social media. .
Last year, the Department of Information Technology issued rules requiring social media companies such as Facebook and Twitter to respond quickly to government requests for user data and to promptly remove objectionable and illegal posts or to incur criminal liability and even a prison sentence for the directors of the company. The Indian government clashed with Twitter in 2020 when the company refused to remove posts by farmers critical of Modi.
Officials say the new rules are part of a broader campaign to protect Indian citizens from misinformation, scammers and hacking.
Despite criticism from VPN providers and digital privacy advocates, Indian officials have held firm. Deputy Technology Minister Rajeev Chandrasekhar has warned companies to comply or leave the country.
“The ability of all platforms to produce logs and details related to cybersecurity incidents, when required in investigations, is ESSENTIAL,” he reiterated in a text message Thursday, in response to ExpressVPN’s departure from the company. ‘India.
Other major VPN companies, including Nord Security, have said they are also considering pulling out of India. In 2019, Nord Security shut down its service in Russia instead of complying with a government order to block access to websites banned by Russian authorities.
With its servers in India shut down, ExpressVPN will route overseas users visiting Indian websites through servers in Britain and Singapore. These users should experience a “minimal difference”, the company said, while promising that it will not track or log the browsing activity of its users in India.
Although there are no unified industry-wide statistics, several VPN providers have reported that in absolute numbers, Indians download VPNs more than people in any other country and that usage VPNs in India has exploded over the past decade.
Prateek Waghre, policy director at the New Delhi-based Internet Freedom Foundation, said governments have been pushing hard to expand their ability to track online activity. In other democratic jurisdictions, such as Europe, the issue of authorities requiring telecommunications and internet providers to store user data has been hotly debated. But the policy was imposed in India without public consultation, Waghre said.
Requiring VPNs and other internet service providers to track their users would make them complicit in an entrapment scheme, he argued.
“You create a honeypot,” he said.