
Indian hosting company sues government over VPN rules


Pune-based hosting provider SnTHostings has sued the Indian government, challenging rules that would require VPN companies to maintain records of their users’ data. The Internet Freedom Foundation, which is assisting the firm in the lawsuit, announced news of the petition in the Delhi High Court in a blog post on Wednesday. SnTHostings CEO Harsh Jain refused to comment on the case, citing the ongoing legal proceedings.

The Delhi High Court issued notice to the government on Wednesday. The case will be taken up next on December 9.

In the 33-page lawsuit, SnTHostings’s lawyers asked that the parts of the CERT-in directions (which we reported here) that require VPN providers to maintain user data be set aside. The firm argued that the requirement that VPN companies maintain logs defeats the entire purpose of such companies, and that the right to remain anonymous online is established by precedent.

“The Impugned Directions are ultra-vires Section 70B(6) of IT Act, 2000 as they require Petitioner to collect information it otherwise would not have collected,” the petition said. “Under threat of punitive action, the Impugned Directions require the Petitioner to collect logs which record the activities of the customers as well as personal information of its customers.”

It further argued that the directions violated the constitutional right to do business, and are not ‘reasonable restrictions’. It pointed to a letter sent by industry giants like Microsoft and Adobe that pointed out that “global threat actors” may start targeting the logs that CERT-in has ordered VPN providers to maintain.

SnTHostings had previously sent a legal notice to the government on the rules. The government has not replied to that notice, dated June 10, a person close to the lawsuit told Entrackr.

The petition, however, makes a couple of questionable claims: first, it says that “During June 2022, ExpressVPN, Surfshark, and NordVPN — all global leaders in the market — suspended India operations indefinitely.” These services remain available in India, but the India servers they used to operate are no longer available.

“VPN services anonymise outgoing traffic by encrypting online activity. This ensures that financial details such as bank account/credit card/debit card details are not accessible to third parties and, thus, furthers cyber security,” the petition further argues.

However, the majority of popular websites these days offer encrypted connections to users, and provide limited information to ISPs and other intermediaries between a user and a server. “The reality is that web security has improved so much in the last few years that VPN services, which charge monthly subscription fees that cost as much as Netflix, offer superfluous protection for most people concerned about privacy,” the New York Times reported, citing security researchers.

This is especially true for conventional financial transactions, as payment gateways often use standardized and constantly updated encryption norms, such as PCI-DSS, that can make it challenging to intercept payment information even over open unsecured networks.

On top of the privacy risks that follow from having VPN firms store data, the directions have already had business implications for Indian companies partnering with global VPN providers. Such firms “might opt for closing their physical servers in India,” Richa Babbar, Director of Edge & Ecosystem Development at Web Werks told Entrackr in an emailed statement in June. “This way the data centers hosting these servers will lose business.”

According to data from PeeringDB reviewed by Entrackr, Web Werks has a peering arrangement with Edgoo Networks, which appeared to facilitate connectivity to India servers for NordVPN. As NordVPN no longer offers India servers to its customers, Web Werks and other such hosting providers in India likely took a hit from the exodus of VPN firms from India.

Entrackr first reported that NordVPN was considering pulling its India servers, which it ended up doing. Other providers like ExpressVPN have followed suit. This has continued, with the company behind Protonmail also announcing that it was pulling India servers this month.

It is unclear what the government’s ultimate aim is with these controversial directions, and its refusal to reconsider their provisions. In an RTI response provided to Entrackr, one clue emerged that the government may not be content with VPN providers just removing servers from India. “The directions apply to any VPN Service provider offering services to the users in India,” the government told us.

This could potentially serve as a pretext for prohibiting VPN services that don’t maintain user logs, which could limit options for Indian internet users to browse the web anonymously. The SnTHostings petition cited a portion of the Supreme Court’s 2017 judgment upholding privacy as a fundamental right to highlight the overreach that this approach may constitute.

“[U]nder the garb of prevention of money-laundering or black money, there cannot be such a sweeping provision which targets every resident of the country as a suspicious person,” the Supreme Court had held, striking down a requirement to link every Indian bank account to Aadhaar. “Presumption of criminality is treated as disproportionate and arbitrary.”

While the government’s efforts to track user information have been predictably crude so far, the fact remains that most of the steps taken recently seem to be unmindful of the unintended effects they might have on broader issues of privacy or the ecosystem in this case. So far, it has had more wins than otherwise, thanks to the importance of the Indian market, as we saw with social media platforms. But when it comes to paid services, the Indian market might look big but is actually only as big as a mid-size European country in revenues, which means many firms might choose to exit rather than bend. The VPN exits are a clear pointer to that, and to the future risks of such policies.
