The Indian government is telling VPN services to comply with a new policy that requires them to collect data on users or exit the country’s market.
“If you don’t maintain logs, this is not a good place to do business,” said Rajeev Chandrasekhar, Minister of State for Electronics and IT.
Chandrasekhar made the statement to clarify new rules India adopted last month that are intended to help the country respond to cybersecurity incidents. The regulations will essentially require a wide range of internet services to collect and turn over data on users whenever Indian authorities demand the information.
The new rules also cover VPNs, and demand they log and store information about their Indian users, including the IP addresses allotted to them, along with their name and contact information. The IP address data, in particular, could be used to map out a user’s web activities when combined with data from other web services.
On Wednesday, the Indian Computer Emergency Response Team published an FAQ that clarifies that the new policy applies “to any entity whatsoever,” even foreign companies. “Any service provider offering services to the users in the country needs to enable and maintain logs and records of financial transactions in Indian jurisdiction,” the document adds.
On the same day, Chandrasekhar also held a press briefing about the rules, where he said: “There is no opportunity for somebody to say we will not follow the laws and rules of India.”
“If you don’t have the logs, start maintaining the logs. If you’re a VPN that wants to hide and be anonymous about those who use VPNs who want to do business in India and you don’t want to apply, you don’t want to go by these rules, then if you want to pull out, frankly, that is the only opportunity you have. You have to pull out,” he said.
Although India created the rules to help the country fight cybercrime and uncover hackers, the data-collection requirements undermine the main selling point of VPNs, which are often advertised as privacy tools. The services encrypt your internet connection, preventing ISPs and governments from snooping on your web activities. In addition, many VPNs have designed their services to never log customer web traffic data.
As a result, several top VPN services have already told PCMag they oppose India’s new rules. “We are committed to protecting the privacy of our customers; therefore, we may remove our servers from India if no other options are left,” NordVPN said earlier this month.
Surfshark added it wouldn’t even be able to comply with India’s new rules, given its strict no-logs policy. “Thus at this moment even technically we would not be able to comply with the logging requirements,” the VPN provider said.
There is one exception to the policy, though. The FAQ notes the data-collection requirement applies to VPNs targeted at “general Internet subscribers/users.” However, “Enterprise/Corporate VPNs” are exempt.
The new rules in India will take effect on June 27. Violators can face prison time or a fine of 100,000 rupees ($1,286). The Indian government also has a history of blocking apps over cybersecurity concerns.