Appoint Compliance Officials: Centre Seeks Strict Rules For VPN Providers

The move follows fresh discussions within the government on strengthening enforcement of the framework amid growing concerns over the misuse of VPN services to conceal identities.

  • The Centre seeks stricter compliance from VPN providers operating in India with cybersecurity rules
  • VPN firms must appoint compliance officers and retain subscriber data for five years under CERT-In rules
  • The move targets abuse of VPNs for hiding identities and accessing banned websites in India
New Delhi:

The Centre is pushing for stricter compliance with its cybersecurity directions governing virtual private network (VPN) service providers. Officials indicated that companies operating in India will be required to adhere to the existing regulatory framework, and proposed that they appoint designated compliance personnel and maintain the records mandated under law.

The move follows fresh discussions within the government on strengthening enforcement of the framework amid growing concerns over the misuse of VPN services to conceal identities, evade law enforcement, and access websites and online platforms that have been blocked in India.

"There has been rampant abuse of VPN services. People use them to conceal their identity, bypass law enforcement, and access websites that have been blocked in India. The objective is not to monitor ordinary users but to ensure investigative agencies have the ability to trace those involved in cybercrime and other unlawful activities," a senior government official told NDTV.

Officials said the government is examining measures to ensure VPN providers establish a clearer compliance mechanism in India, including the appointment of designated compliance officers or authorised representatives responsible for responding to lawful requests from enforcement agencies and CERT-In. The objective, officials said, is to ensure accountability and faster coordination during cyber incident investigations.

The proposal mirrors the compliance architecture introduced under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, which require significant social media intermediaries to appoint a Chief Compliance Officer, a Nodal Contact Person for round-the-clock coordination with law enforcement agencies, and a Resident Grievance Officer. The government believes a similar framework would improve accountability among VPN service providers, particularly those serving Indian users from outside the country.

The renewed focus also brings back into the spotlight the directions issued by the Indian Computer Emergency Response Team (CERT-In) in April 2022. The directions require VPN providers, cloud service providers, virtual private server (VPS) providers, and data centres to collect and retain subscriber information for at least five years - even after a customer has discontinued the service.

Under the directions, service providers are required to maintain validated records of subscribers, including their names, physical addresses, contact numbers, email addresses, IP addresses, the period for which the services were used, and the purpose for availing the service. The information must be furnished to authorities whenever sought as part of a lawful investigation into a cyber incident.

Government officials have maintained that the framework is aimed at improving India's ability to investigate ransomware attacks, financial fraud, phishing campaigns, and other cyber offences, where perpetrators frequently rely on anonymisation tools to mask their identities. They reiterated that subscriber information is sought only during lawful investigations and not through indiscriminate surveillance.

The directions had triggered strong opposition from VPN companies and digital rights advocates when they were introduced. Several providers argued that mandatory retention of customer information was incompatible with their "no-logs" policies and undermined the privacy protections that VPN services are designed to offer.

ExpressVPN was among the first major providers to remove its physical servers from India rather than comply with the logging requirements, opting instead to serve Indian users through virtual server locations outside the country. Other providers adopted similar models while continuing to offer services in India.

Following representations from industry bodies and technology companies, the government extended the compliance deadline from June 27 to September 25, 2022, to give service providers additional time to implement the framework.

Officials said the latest push is aimed at ensuring that VPN providers are subject to compliance standards comparable to those applicable to other digital intermediaries operating in India, as the government seeks to strengthen its cybercrime investigation capabilities while expanding the country's digital regulatory framework.
