Can virtual servers bypass India’s VPN rules?

Published
25th Jun, 2022

Context

ExpressVPN, one of the major VPN providers, announced it will move its India-based servers to Singapore and the UK in response to the new VPN rules that require private network providers to store user information for at least five years.

About

The new VPIN rules

In April, India’s cybersecurity agency passed a rule mandating VPN providers to record and keeps their customers’ logs for 180 days.
It also asked these firms to collect and store customer data for up to five years.
It further mandated that any cybercrime recorded must be reported to the CERT within 6 hours of the crime.
Computer Emergency Response Team (CERT-In) directions are applicable to data centres, virtual private server (VPS) providers, cloud service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and Government organisations.
Firms that provide Internet proxy-like services through VPN technologies also come under the ambit of the new rule.
Corporate entities are not under the scanner.
In response to CERT-In rules, Nord VPN, one of the world’s largest VPN providers, has said it is moving its servers out of the country.

Virtual Server:

A virtual server is a simulated server environment built on an actual physical server. It recreates the functionality of a dedicated physical server.
It is a server (computer and various server programs) at someone else's location that is shared by multiple Web site owners so that each owner can use and administer it as though they had complete control of the server.

Uses of Virtual Server:

Efficient running: Converting one physical server into multiple virtual servers allows organisations to use processing power and resources more efficiently by running multiple operating systems and applications on one partitioned server.
Reduced cost: Running multiple operating systems and applications on a single physical machine reduces the cost as it consumes less space, hardware.
- Virtualisation also reduces cost as maintaining a virtual server infrastructure is low compared to physical server infrastructure.
Higher security: It offers higher security than a physical server infrastructure as the operating system and applications are enclosed in a virtual machine.
- This helps contain security attacks and malicious behaviors inside the virtual machine.
Debugging: Virtual servers are also useful in testing and debugging applications in different operating systems and versions without having to manually install and run them in several physical machines.
- Software developers can create, run, and test new software applications on a virtual server without taking processing power away from other users

Can server relocation and virtualisation help VPN providers circumvent the new rules?

The service providers who do not have a physical presence in India but offer services to the users in the country, have to designate a point of contact to liaise with CERT-In.
Also, logs may be stored outside India as long as the obligation to produce logs to CERT-In is adhered to by the entities in a reasonable time.

How will the law impact India’s IT sector?

VPN suppliers leaving India is not good for its burgeoning IT sector.
Taking such radical action that highly impacts the privacy of millions of people in India will most likely be counterproductive and strongly damage the IT sector’s growth in the country.
It estimated that 254.9 million Indians have had their accounts breached since 2004 and raised its concern that collecting excessive amounts of data within Indian jurisdiction without robust protection mechanisms could lead to even more breaches.