What are CERT-In directives?
VPN providers have been specifically instructed to store their authenticated customer names, physical addresses, email IDs, phone numbers and why customers use VPNs as part of the CERT directive- Print. They must also record the user’s “form of ownership” and the date they used the VPN, along with a timestamp record for when the user signed up and any IP addresses the VPN assigns to the user. VPN providers who offer a “no logs” service cannot do so if they adhere to such rules, which is why they pull servers out of government jurisdiction India.
How does the removal of the server affect users?
VPN providers install their servers in one country for two purposes — to be closer to their users and to increase the number of locations they can offer. In theory, removing servers from India affects the overall speed a VPN can provide, although this will hardly make a difference for those using VPNs who simply browse the web by spoof their location. In terms of location, experts note that privacy and content access rules in India will nonetheless make overseas users reluctant to use a VPN to change their location to India. , and so that’s not a problem for companies either.
View all images
Which VPNs removed servers from India?
For now, the big three – NordVPN, Surfshark and ExpressVPN – have confirmed that they will remove servers from India, although users will still be able to access their services from the country. ProtonVPN, run by Swiss company Proton AG known for its privacy-focused email service ProtonMail, has also indicated that it plans to continue its no-logs policy.
Can the government still access the data?
This is where it gets murky. The lawyers note that the government is showing intent to access VPN data and may require companies to comply even if they don’t have a physical presence in India, because of the “computer system.” Theirs is active in the Indian cyberspace. But they added that the Information Technology Act 2000 On May 19, Rajeev Chandrashekhar, MoS IT, warned VPN providers to comply with the rules or shut down Indian operations.
Is the industry compliant?
Industry stakeholders and civil society members are seeking changes to the CERT-In rules. The IT Department also held a consultation with a number of stakeholders on June 10, where it was reported to have agreed to relax some non-VPN related aspects of the CERT-In rules. Another industry consultation is being planned with Sanjay Bahl, general manager of CERT-In on June 21 by a network awareness organization. The new rules go into effect on June 27, and industry requirements include easing the reporting time of cybersecurity incidents.
