In the latest chapter of India’s ongoing battle against online privacy software, government employees are now barred from using third-party VPN services.
The new directive follows the decision of some of the best VPNs to shut down their Indian servers amid privacy concerns over the new data law. So far, ExpressVPN, Surfshark and NordVPN have all announced they will physically leave the country before the CERT-In directives come into force on June 27.
The Indian government is also urging employees to avoid storing any internal or confidential information on non-government cloud services such as Google Drive and Dropbox. The use of external mobile app-based scanners like CamScanner – which was actually banned in 2020 – is strongly discouraged, too.
“By following uniform cyber security guidelines in government offices across the country, the security posture of the government can be improved,” wrote the National Informatics Center (NIC) in an internal document reviewed by The Economic Times.
“All government employees, including temporary, contractual/outsourced resources are required to strictly adhere to the guidelines mentioned in this document. Any non-compliance may be acted upon by the respective CISOs/Department heads,” the new directive adds.
Why are VPNs leaving India?
Cybersecurity experts and privacy advocates have been raising many concerns over India’s new data law since it was announced on April 28.
Expected to come into force on June 27, the directives from the Indian Computer Emergency Response Team (CERT-In) will force VPN and VPS providers, data centers, cloud storage services, and cryptocurrency exchanges to store sensitive user data for up to five years and share it with authorities upon request.
Even though the new law comes as an attempt to curb an increasing cybercrime rate – India was the third most affected nation for data breaches worldwide in 2021 – VPN providers believe that these regulations go against the actual security software infrastructure.
Short for virtual private network, a VPN is a piece of software meant to protect people’s online privacy and anonymity. How? By masking their real IP address and securing all the data in transit inside an encrypted tunnel.
That’s why ExpressVPN wrote in a blog post that CERT-In’s new directives are “incompatible with the purpose of VPNs.”
Moreover, a strict no-log policy is a standard feature among the most private VPN services. This guarantees that none of the users’ sensitive data can be stored, leaked or shared.
As Hide.me explained when announcing its decision to pull the plug on its Indian servers, India’s new data retention law “makes operating a zero-log VPN impossible”.
Despite the backlash, Indian authorities seem to remain firm in their decision to carry on and implement the new directives at the end of the month. On this point, Minister of State for Electronics and Information Technology Rajeev Chandrasekhar stated that providers that do not wish to comply with the rules are “free to leave India”.
At the same time, Head of PR at Nord Security Laura Tyrell told us: “One way or another, it will have a negative impact on people’s privacy and digital security.”