VPN services allow users to browse the Web anonymously and mask their IP, or Internet Protocol, addresses, and to bypass government censorship in countries including China, Russia and Turkey.
Indian authorities have argued that the new rules, which are to take effect June 27, are necessary for law enforcement to track down perpetrators of cybercrimes such as fraud, which is prevalent in a country with some 600 million Internet users.
But digital privacy advocates say the rules go beyond what most Western governments demand of Internet companies and align more closely with outliers such as China, which is known for draconian Internet regulation.
India’s new rules also would tighten tracking and data retention requirements for large cloud companies, such as Amazon, that provide the infrastructure for vast portions of the commercial Internet. Cloud-service providers would be required to store user data for up to six months.
“The VPN is one way a citizen has to maintain some semblance of privacy, which is one reason the Indian government wants to create an environment in which they can’t operate in the country,” said Nikhil Pahwa, an activist for digital rights and the founder of the Indian online publication MediaNama. “When it comes to the Internet, the Indian government has China envy.”
India has been engaged in an intense debate over the government’s alleged use of spyware against domestic dissidents and opposition politicians — an accusation that Indian officials have neither confirmed nor denied.
Prime Minister Narendra Modi’s government, meanwhile, has rolled out new laws — and is drafting additional legislation — that would give authorities greater control over Internet users’ data and the content they publish on social media.
Last year, the Information Technology Ministry issued rules requiring social media companies such as Facebook and Twitter to quickly respond to government requests for user data, and to rapidly remove objectionable and illegal posts or face criminal liability and even jail time for company executives. The Indian government clashed with Twitter in 2020 when the company refused to take down posts from farmers critical of Modi.
Officials argue that the new rules are part of a broad push to protect Indian citizens against disinformation, scammers and hacking.
Despite the criticism from VPN providers and digital privacy advocates, Indian officials have held firm. The junior technology minister, Rajeev Chandrasekhar, has warned companies to either comply or leave the country.
“The ability of all platforms to produce logs and details related to cybersecurity incidents, when required in investigations, is ESSENTIAL,” he reiterated Thursday in a text message, responding to ExpressVPN’s departure from India.
Other large VPN firms, including Nord Security, have said they also are considering pulling out of India. In 2019, Nord Security shut down its service in Russia instead of complying with a government order to block access to websites banned by Russian authorities.
With its servers in India shut down, ExpressVPN will route overseas users who are visiting Indian websites through servers in Britain and Singapore. These users should experience “minimal difference,” the company said, while vowing that it will not track or log the browsing activity of its users inside India.
Although there are no unified industry-wide statistics, several VPN providers have reported that in absolute numbers, Indians download VPNs more than people in any other country and that the use of VPNs in India has exploded in the past decade.
Prateek Waghre, a policy director at the New Delhi-based Internet Freedom Foundation, said there has been a broad push by governments to expand their ability to track online activity. In other democratic jurisdictions, such as Europe, the issue of authorities’ requiring telecom and Internet providers to store user data has been hotly debated. But the policy has been pushed through in India without public consultation, Waghre said.
Requiring VPN and other Internet service providers to track their users would make them complicit in an entrapment scheme, he argued.
“You’re creating a honeypot,” he said.