Tricky road to VPN regulation: Cyber security or privacy invasion?

Photo credit: Petter Lagson on Unsplash

Major Virtual Private Network (VPN) apps shut down their servers in India after the Computer Emergency Response Team (CERT) issued new cyber security rules on April 28, 2022. The new rules require VPN providers, cloud service providers, and data centres to store user data for five years and hand it over to the CERT on demand. Under the CERT directions, VPN providers must store basic customer data, such as names, addresses, phone numbers and email IDs, along with the customer's stated reason for using the VPN app, for about five years. VPN service providers have also been directed to keep a record of the IP addresses and email IDs that customers use for registration.

The CERT has now extended the date for complying with the new rules till September 25.

VPN providers fume

VPN providers recoiled at these directions, primarily because the stipulations strike at the very idea of a VPN. Complying with them would negate the purpose for which VPN apps exist in the first place: VPNs fundamentally allow Internet users to shield their identities online.

Indians love VPNs. The country has 270 million VPN users and ranks among the top 20 countries in VPN adoption, according to AtlasVPN's global index.

VPN services that have stopped operating their servers in India in protest against these laws include Surfshark, NordVPN, TunnelBear, IPVanish, Private Internet Access, and ExpressVPN. And they were rather scathing in their criticism of the government.

ExpressVPN made it clear that it refuses to “participate in the Indian government’s attempts to limit Internet freedom”. According to it, the CERT norms are “incompatible with the purpose of VPNs, which are designed to keep users’ online activity private”.

“As countries’ data retention laws shift, we frequently find ourselves adjusting our infrastructure to best protect our users’ privacy and security. In this case, that has meant ending operations in India,” said ExpressVPN.

Such rules are typically introduced by “authoritarian governments in order to gain more control over their citizens,” alleged a spokeswoman for Nord Security, provider of NordVPN. “If democracies follow the same path, it has the potential to affect people’s privacy as well as their freedom of speech,” she said.

Private Internet Access said that the Indian government’s move “severely undermines the online privacy of Indian residents”.

Surfshark, one of the first VPN apps to exit India, claimed that it “proudly operates” under a strict “no logs” policy, so such new requirements go against the core ethos of the company. “A VPN is an online privacy tool, and Surfshark was founded to make it as easy to use for the common users as possible. The infrastructure that Surfshark runs on has been configured in a way that respects the privacy of our users and we will not compromise our values – or our technical base,” said the company.

In an article, the Lithuania-based VPN service contended that these measures do not provide the cyber security that India needs. 

According to Surfshark, taking such radical action that highly impacts the privacy of millions of people living in India will most likely be counter-productive and strongly damage the sector’s growth in the country. “Ultimately, collecting excessive amounts of data within Indian jurisdiction without robust protection mechanisms could lead to even more breaches nationwide.”

For ordinary VPN users, however, the new rules change little in day-to-day use; the main difference is that they may have to go through a rigorous KYC verification process when they sign up for a VPN service.

Can it be justified?

It is a tricky situation. On the one hand is the authorities' intent to ensure cyber security. On the other is the online freedom and right to privacy of citizens.

The question being asked is: can the government's move be justified? How will such a law impact the privacy of millions of people in India? Some say it will be counter-productive.

“As long as the VPNs are not passing data to unknown and untrusted third parties, there should be no risk to the user and ultimately the VPNs should be able to establish themselves as trustworthy entities. The more important question is what might a user be doing that they need to hide to such an extent?” asks James Clark, GM of media & entertainment at GeoComply.

According to Clark, it is a pretty big move for a government to say that the use of VPNs for criminality is widespread enough to risk the potential backlash of consumers complaining that using a VPN for privacy is justified. “Clearly, the Indian government has reason to believe enough criminal activity takes place behind VPNs that they want to ensure any VPN user can be tracked down, should an investigation be required,” he says.

Not good for IT

Surfshark argues that VPN suppliers leaving India isn't good for its burgeoning IT sector. “Surfshark's data shows that since 2004, the year data breaches became widespread, 14.9 billion accounts have been leaked and a striking 254.9 million of them belong to users from India. To put it in perspective, 18 out of every 100 Indians had their personal contact details breached. The situation is extremely worrying in terms of lost data points, considering that per every 10 leaked accounts in India, half are stolen together with a password,” says the company.

In this context, what is the ideal solution before the government?

This warrants a much bigger conversation around cyber security in general, maintains James Clark. “There may be a number of vulnerable parts of the general infrastructure or simply security-best practices are not adhered to,” he says.

Data is never one dimensional; a simple increase in number cannot condone external factors, says Gauri Bhatia, founder of The Unveiled Sagas. She feels that banning is not the way out.

“Technical literacy, increase in living costs, and accessibility of the worldwide web all account for the increase in data breaches. Would you ban EVs if more people died on the road via cars? No, you would strengthen the legal framework, and make sure sensible and more responsible people landed on the road. I've read of a recent zero trust network. I believe that a hybrid architecture would be best for the government, and the end user. A KYC or a verification model that profiles the user and removes the lack of accountability before the person enters the platform would add an extra layer of security, and ensure that those who come to the Internet come with a purpose. Divide the online activity between functional and intrusive,” she adds.

According to Bhatia, functional would be for those who use the Internet for applications, such as platforms with a dead-end user interface (SaaS) for their personal or company work.

“Intrusive is for the people who use the Internet for surfing, or for consuming content, one link after the other. Verifying both profiles before their activity begins would increase accountability of the user, removing the threat of anonymity altogether. What they do on the internet, however, stays personal to them and doesn’t get logged, as is on the VPN,” she says. 

So, do these new measures provide the cyber security that India needs, like Surfshark is asking?

VPN is a legal way of democratising data privacy architecture, says Gauri Bhatia. “However, acting as the devil’s advocate, there are two ways that the government thinks that this could help, and my views on why this is counterproductive: Number one is that the added measures will give them more data to track digital activity, just to be able to understand potential vulnerabilities. However, storing this additional data will require more infrastructure, which will shoot up the subscription costs. Private users will go back to their good old DNS or Tor’s, and there will be little to no data left to track as is. If their goal is to understand hacker/ disruptive behaviour, they’ll leave the VPNs as soon as any restriction on the user journey comes about.”

“Let's say the people do maintain their subscriptions and the cost, due to some world-moving innovation, gets reduced and remains viable. This law seems like a broad allegation and a metric for excessive abuse towards the VPN: anything fishy pertaining to the user activity, missing data or blackspots leads straight back to the VPN. The VPN is principally a legal framework, working to secure private user data; any growing corporate in an industry that is just booming at a global scale will not want to get caught walking on eggshells. As a potential consumer market and as a viable testing base, India looks unattractive,” she adds.

The flip side

While VPN services provide privacy to users, the flip side is that they are also used covertly for illegal activities such as streaming piracy. It is a thin line. What can be done to ensure that VPNs are used only for the purpose they are meant for (protection of privacy), and not misused for illegal activities such as downloading pirated movies or other nefarious ends?

A good first step, according to James Clark, would be to stop VPNs from allowing users to change their location to a different country. “Next would be to include an additional security check beyond simply an IP address.”

The VPN is not at fault here, argues Bhatia. “This all boils down to content; platforms need to ensure stricter guidelines with respect to the literature they allow. Of course, this does not mean an authoritarian governance. Micro-governance and strict guidelines provided to the tech start-ups can assist in them further setting better guidelines for their user-base. CNN/ML can be used to ensure that heavy data such as larger papers and movies that are primarily published on other (main) platforms are not copied on the oncoming ones.”

More breaches

Will collecting excessive amounts of data within Indian jurisdiction without robust protection mechanisms lead to even more breaches nationwide, as claimed by Surfshark?

Definitely, says Bhatia. “It is high time we accept that India is the hub of street-smartness. However, it only makes sense to first serve the customer, then the government. A democracy essentially works that way. If a new and upcoming innovative start-up feels like it is walking on eggshells with an economy that doesn't support its own people, the corporate may feel more demoralised to care about consumer data. And we don't have the infrastructure as of now to physically keep all of this extra data safe. This will all essentially be stored in hard drives, and I find it hard to believe that that won't be both an eyesore and an attractive treasure mine to potential hackers.”

Much of this data is already tracked in some way, shape or form, says James Clark. By including proper legislation and security on how that data is handled, the risk of a breach should be diminished, he says.

How will such data laws impact people's privacy?

Bhatia doesn't think that India has the physical and technical bandwidth to secure all of the additional data. The hackers, or the activity that the government does plan to track, will be of people who are clumsy in their approach and smaller in their target, she adds.

“That’s not all. This is going to cost a huge blow to the innovation stream in tech in India, where on the one side we complain of not birthing more unicorns. Potentially most tech evangelists and start-ups are already booking their one-way tickets to countries with better government support for their residents.”

@adgully