Cybersecurity & Standards, Free Expression, Government Surveillance

India’s New Cybersecurity Order Drives VPN Providers to Leave, Chilling Speech and Subjecting More Indians to Government Surveillance

See update below. Last updated Friday, July 1, 2022.

Virtual private networks (VPNs) enable users around the world to access and share information in a secure ecosystem while safeguarding their privacy and minimizing their digital data footprint. A new cybersecurity order issued by the Government of India’s Computer Emergency Response Team (CERT-In) requires VPN providers to maintain logs on users, undermining the purpose of using a VPN service and subjecting users to the very surveillance they are attempting to circumvent.

In the past month, a number of virtual private network providers have left India. ExpressVPN, NordVPN and SurfShark are among the services that have announced they will no longer operate within Indian borders in an effort to protect the privacy and free expression rights of Indian users. In a recent blog post, ExpressVPN writes: “We will continue to fight to keep users connected to the open and free internet with privacy and security, no matter where they are located.”

The cybersecurity order sets out new rules for VPN providers, cloud-service providers, intermediaries such as telecom and internet service providers, e-commerce giants, search engines, social media platforms, and nearly all other corporate and government entities. Among the many concerning requirements, several pertaining to VPNs are in direct opposition to how VPN services operate and why people use them.

The order, which was introduced in late April and comes into effect later this June, requires VPNs to maintain logs on all their users for five years, including their validated names, IP addresses and email at time of signup, IP addresses allotted to or used by them through the VPN service, purpose of use, and other contact details. The Internet Freedom Foundation has written a very helpful explainer of the order in its entirety.

If the idea of VPNs holding incredibly sensitive information for up to five years rings any alarm bells for you, it should — particularly for users from marginalized and at-risk groups seeking secure communication and information channels. 

The requirements run counter to the purpose of offering a VPN service, which is to provide secure and private communications channels free from outside interference or access, and ideally to do so in a way that minimizes data collection, retention, and centralization (an issue that CDT’s Signals of Trustworthy VPNs project shed important light on back in 2018). The data retention mandate also runs counter to how VPNs should ideally be protecting and minimizing user data and how users expect them to work.

Data minimization is a large part of how trust between VPNs and users is maintained: users trust that VPNs will shield them from surveillance and scrutiny, and VPNs uphold this trust by maintaining few, if any, logs on the person’s use and online behavior. VPNs are especially egregious targets of this bill as the service masks activity from others but centralizes a significant portion of user traffic within the service, making users particularly vulnerable if VPNs are mandated to share data. 

What makes this order especially dangerous and threatening to Indian users’ rights is the context in which VPNs are used. Often VPNs are relied on when a user needs a secure, virtual place to speak freely or exchange information free from government surveillance, or when individuals need to access information that a governmental entity is trying to censor. Both instances make VPNs critical infrastructure to access the internet and exercise one’s rights.

A number of groups use VPNs. Journalists rely on VPN services to communicate with sensitive sources and keep themselves safe when reporting on human rights abuses, conflict situations, or any type of coverage that might make them vulnerable to scrutiny or backlash. VPNs are critical armor for journalists in a country like India, where they have been surveilled, arrested, or even killed for their work as freedom of the press continues to decline.

VPN services are also used by activists who are critical of the government and want to engage in democratic activities like speaking freely, sharing information, and organizing protests or assembly in a climate where those actions are not welcome. According to Freedom House’s Freedom on the Net India report, in the past year the Indian government has strong-armed social media platforms to take down content related to protests, including the farmers protest in early 2021, one of the largest protests in recent history. Just last week, the home of a young Muslim activist and her father was bulldozed by state government authorities because they were suspected of leading protests against the Islamophobic remarks made by a sitting government official.

Finally, VPN services are used by everyday citizens, including marginalized and at-risk groups seeking safe spaces or life-saving information. During the COVID-19 pandemic, VPN usage skyrocketed. Mashable reports that the use of ExpressVPN in India grew by 15% in the first three months of the COVID-19 pandemic due to increased remote work and employees seeking secure ways to exchange important files. The New York Times and several advocates reported instances of content related to COVID-19 and public health being taken down. India holds the dubious record of having the most internet shutdowns for four years in a row. During these periods, VPNs became a trusted avenue to access the internet and seek out information that may be blocked by government control.

With this order, Indian users lose out, as their government effectively seeks to monitor their communications and subject their speech to scrutiny. The Indian government also loses by failing to uphold its own principles laid out by the Personal Data Protection Bill (PDPB) of 2021. The PDPB followed a landmark 2017 judgment by the Supreme Court of India declaring privacy a fundamental right, and was meant to enshrine the Court’s decision into law. Yet the new CERT-In order fails to uphold the PDPB’s foundational principles of data minimization, borrowed from the European Union’s General Data Protection Regulation (GDPR) on which the PDPB is modeled, and runs counter to strong privacy by design principles.

This move by the Indian government is also part of a larger worrying trend amongst governments around the world to crack down on VPN providers. India joins a list of countries which effectively block the use of VPN services, including China, Belarus, Iran, and North Korea. Additionally, Russian users have recently reported ‘likely interference’ from authorities when trying to access VPN services. This comes at a time when the Russian government’s war against Ukraine has driven more users to seek out VPNs to access truthful information about the conflict, share critical documentation with the world, and communicate with one another free from interception. One estimate says that the volume of Russian traffic for a VPN provider increased 172 times.

With citizens being surveilled and arrested for their speech, and internet services being throttled in all corners of the country, the cybersecurity order is yet another way the Indian government is trending towards proto-digital authoritarianism. As CDT wrote last year, the conflict over online free expression is one that the government continues to escalate. The recent order is consistent with this undemocratic approach. We join civil society and human rights advocates to urge the Indian government to delay the order, and re-think its approach in order to safeguard the rights of Indian users.

Update: After facing substantial pushback from companies and civil society organizations, the Government of India has delayed the enforcement of the CERT-In cybersecurity order to September 25, 2022. Alongside requests to delay, local civil society advocates are also asking the government to reconsider the order and consult with human rights experts in order to ensure the protection of people’s rights.