Why VPN service providers reluctant to comply with Modi govt's new guidelines? Explained

India is moving forward with new cybersecurity regulations that will require cloud service providers and virtual private network operators to track their customers' internet protocol addresses and companies that refuse to cooperate may be forced to exit the world's second-largest streaming market.

Several Virtual Private Network (VPN) service providers have expressed reluctance to comply with the new guidelines and sought a revision. They have claimed that the new rule may lead to cyber security loopholes in the system, an argument categorically rejected by the government. The government, on its part, has made it clear that it will make no change in the rules and directed the VPN service providers to comply with the new guidelines or exit the country.

The new circular issued by the Indian Computer Emergency Response Team (CERT-In) last month asks all government and private agencies, including internet service providers, social media platforms and data centres, to mandatorily report cyber security breach incidents to it within six hours of noticing them. Besides, the cloud service providers, VPN firms, data centre companies and virtual private server providers have been directed to store users' data for at least five years and hand it over to the government when requested.

How VPN works

The point of contention here is that VPN providers give the customer the ability to hide identifying information from internet service providers, making it extremely difficult for accessing their internet traffic. The service providers argue that the terms are a problem for the core business model.

NordVPN, one of the most popular VPN providers, had previously stated that it may withdraw from India if 'no other options remain'. US-based technology industry body ITI, having global tech firms such as Google, Facebook, IBM and Cisco as its members, too has expressed unwillingness to comply with the guidelines and urged has urged the government to reconsider the directive on reporting of cyber security breach incidents. ITI said that the provisions under the new mandate may adversely impact organisations and undermine cyber security in the country.

Prem Ojha, Group CEO of Fastway & Netplus Broadband, said that when you look at precedent from around the world, you would come to know that cybersecurity is a very complex issue. "The spatial awareness of numerous incidents shows that a larger force is behind all this. Therefore, reporting appropriately, on time, and mandatorily is an ultimate essential part and the government's responsibility to ensure that the internet is always safe."

Karmesh Gupta, founder of WiJungle, a network security platform based in Gurugram, said that the very basic fundamental of VPN is to maintain the anonymity of the users and their activities. "Maintaining user data and logs is completely opposite to the privacy policy of many of the major VPN service providers. This is the main reason why VPN service providers are reluctant to abide by the directives," he said.

In other countries, he said, especially the country where they are based, there is no law requiring them to maintain user logs and thus some VPN providers don’t even have the technical means to comply with the directives.