Only “unscrupulous elements” would be wary of providing their identity information to access Virtual Private Networks, the Indian government argued in a court filing obtained by Entrackr. A Pune-based company, with assistance from the Internet Freedom Foundation, is challenging directions from April that require VPN providers to retain Indian users’ data. The case is ongoing in the Delhi High Court, and will next be heard in February.
VPNs allow users to browse the internet through servers from a different location, including those in other countries.
The government accused the Pune firm, SnTHostings, of waging a “proxy litigation”, and that it “espoused the cause of certain entities” such as NordVPN, ExpressVPN and Surfshark, the government said, explicitly naming three of the world’s largest VPN providers. The government warned that Article 226 of the constitution, which deals with the right to do business freely, did not apply to non-citizens, alluding to these firms.
Multiple mainstream VPN firms pulled out servers from India following the directions, which were issued by the Computer Emergency Response Team of India (CERT-in), which operates under the Ministry of Electronics and Information Technology.
NordVPN, IPVanish, Private Internet Access, Surfshark, ExpressVPN, CyberGhost, VPNUnlimited and Proton VPN have all announced that they are removing physical servers located in India, to stay out of the reach of Indian law. While these firms continue to allow Indian users to connect to servers abroad, the directions still apply to them, the government told Entrackr in response to an RTI application.
The filing makes one aspect of the Indian government’s policy very clear: unbreachable anonymity on the internet is not acceptable:
“The total anonymity of state and non-state actors and rogue elements to operate on internet or in cyber space may cause havoc with their nefarious activities,” the filing said.
“[…] the reality is that the VPN Services, which are basically Internet-proxy like services, are highly prone to misuse, since the offenders cannot be traced in a timely manner, if at all,” the government argued.
The filing then argues that VPNs are regulated in some countries already, but its choice of examples were Russia, Iraq, and the United Arab Emirates. According to the non-profit Freedom House’s Freedom on the Net 2022 index, these countries have a score of 23, 42, and 28 respectively out of a total of 100. (India’s score is 51.)
“The balance of individual interest vis-a-vis society’s interest ought to be maintained,” the government said.
The government then said that the directions are not a form of surveillance, arguing that providers are only required to retain logs on users for 180 days, and that they are only required to hand these over when a specific cybercrime is being investigated.
Further, it argued that VPNs don’t provide privacy, and referred to reports (without providing citations) that some VPN providers had been documented maintaining logs, and pointed out that they are just as capable of seeing user activity as Internet Service Providers.
The government also rejected demands that VPN providers only be required to perform logging for individual users after being notified that the latter are using the VPNs to commit crimes. The filing said doing so “would defeat the whole purpose of timely mitigation of the timely mitigation of cyber security threats.”
Turning its sights to SnTHostings, the government essentially accused the firm of covertly representing international VPN providers’ interests instead of its own. The company already collects the kind of data that the directions require, the government alleged, and that the firm didn’t even publicize providing a VPN service in the first place on its website.
In fact, the government said, SnTHostings promoted firms like NordVPN in a blog post, and chided the firm for promoting its competitors.
It is unclear what the government will do with VPN providers going forward. While they have largely made it clear that they will not be complying with the CERT-in directions, the requirements apply to any service that is made available to Indian users.
India may be on the verge of a ban on VPNs if the government gets serious about enforcing the directions, potentially forcing app marketplaces to take VPN apps offline (like in China) and requiring ISPs to block connections to recognized VPN servers.