New VPN rules and their impact

Published: 2nd Jul, 2022

Overview

  • What is VPN?
  • Role of CERT-In
  • Data and security concerns in India
  • Other Laws related to the cyber security

Context

India’s cyber security watchdog, the Computer Emergency Response Team (CERT-In), has issued a new set of rules requiring VPN companies to store users’ personal data.

Background

  • In an era of globalization, liberalization and interconnectivity, the internet plays a central role.
  • With the emergence of new-age technologies such as Artificial Intelligence, the Internet of Things, Machine Learning and cloud computing, usage of cyberspace and the internet has increased.
  • The recent pandemic and worldwide lockdowns have increased the usage and importance of the internet in various fields.
  • Amid strong pushback from various concerns, the central government told the companies to either comply with the rules or exit India.

Analysis

What is VPN?

  • A Virtual Private Network (VPN) is a service that allows users to surf the internet anonymously by preventing their IP address from being tracked by websites, law enforcement agencies, cybercriminals and others.
  • Every time a user connects to a VPN, an intermediary is created between the user’s device and the destination website.
  • Corporate employees are the most frequent VPN users, mainly for securely accessing company networks.

What are the major purposes for using VPN?

  • Secure encryption: A VPN connection hides your online data traffic and protects it from external access. Unencrypted data can be viewed by anyone who has access to the network and wants to see it. With a VPN, cyber criminals cannot read this data.
  • Hiding where you are: VPN servers act as your proxy on the internet. Because the location data comes from a server in another country, your actual location cannot be determined.
  • Data privacy is managed: Most VPN services do not keep logs of your activities. Some providers, on the other hand, record your behaviour but do not transmit this information to other people. This means that any potential record of your user behaviour is kept permanently hidden.
  • Regional content access: Regional web content is not always available everywhere. Services and websites often contain content that can be accessed only in certain parts of the world.
  • Protect data transfer: If you work remotely, you may need to access important files in your company network. For security reasons, this type of information requires a secure connection. To gain network access, a VPN connection is usually required.

What are the new sets of rules?

  • VPN companies are advised to store users’ personal information, such as name, email ID, phone number and IP address, for a period of 5 years.
  • Apart from VPN companies, the new rules also mandate data centres, virtual service network providers and cloud service providers to record and maintain similar data in the form of KYC.
  • Virtual asset service providers, virtual asset exchange providers and custodian wallet providers are obliged to record the same set of data for the same period of time, along with financial transaction records.

What is the rationale behind the step?

  • Secure cyberspace: To enhance the cyber security posture and ensure a safe and trusted internet in the country, the government has introduced the new set of rules.
  • Investigative purpose: CERT-In, the watchdog for cyber-attacks, has observed that non-availability of data hampers analysis and investigation.
  • Internal security: Cyberspace and internet usage are prone to cyber-attacks, threats and abuse. Cyberspace accessed through a VPN provides a safer platform for extremist and terrorist organisations, creating a potential threat to the security of the nation.

How will this impact users?

  • Privacy concern: Storing users’ data breaches their privacy, which is a fundamental right of every individual under Article 21 of the Constitution of India.
  • Freedom of information and internet: The rights to freedom of information and to the internet are explicit rights provided under free speech and expression. The new rules curb the freedom of individuals, impacting the ideals of democracy and the modern political arena.
  • Misuse and potential abuse: The stored information could be misused against the users. A ‘broad’ and ‘overreaching’ law opens up scope for potential abuse by cybercriminals and the states.
  • Money laundering will be difficult.
  • Bank fraud and scams will be reduced.

Conclusion

India has over 270 million VPN users, about 20% of the country’s population, who use them to access company networks securely, remain anonymous, access geo-restricted content, stay safe on public Wi-Fi networks, and get around internet curbs, among other things. In the age of the internet and cyberspace, it becomes essential for the state to provide a safe and secure cyberspace and to have the upper hand in tackling internal security incidents. At the same time, it is also important to ensure the privacy and basic rights of citizens; thus, a proportionate balance is required between national security and the privacy of individuals.

PRACTICE QUESTION

Q1. What is Virtual Private Network? Discuss its benefits and limitations.

Q2. Highlighting the provisions of the new VPN rules, discuss the issues associated with them.
