Virtual Private Networks (VPNs)


    In News

    • Recently, India’s cyber security watchdog CERT-In issued new rules regarding virtual private networks (VPNs). 

    What is a VPN?

    • A VPN is a service that protects users online by preventing their IP address from being tracked by websites, law enforcement agencies, cybercriminals and others.
    • Corporate employees are the most frequent VPN users, mainly for securely accessing company networks.

    Data/ Statistics

    • India has over 270 million VPN users, about 20% of the country’s population.
    • They use it to access company networks securely, remain anonymous, access geo-restricted content, stay safe on public Wi-Fi networks, and get around internet curbs, among other things.  

    About the new rules

    • Storing Data: preserving a wide range of data on their customers, including their contact numbers, email IDs and IP addresses, for five years.
      • It also mandates VPN providers to record and keep their customers’ logs for 180 days.
    • Reporting an incident: Companies are also required to report cyber security incidents to CERT-In within six hours of becoming aware of them.
    • Application: they would apply only to individual VPN customers and not to enterprise or corporate VPNs.
      • They will be also applicable to data centres, virtual private server (VPS) providers, cloud service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and Government organisations.
    • Penalty: Failure to follow the rules will attract penalties for VPN providers. If they all refuse to comply, VPN services will effectively become illegal in India.
    • KYC verification process: Users apart from potentially having their privacy data exposed to the government will also face a stringent know-your-customer verification process when signing up for a VPN service, and will have to state their reasons for using it.

    Implications of the new rules

    • VPN companies will be forced to switch to storage servers: which will inflate their costs and eliminate their core function of user privacy.
    • Privacy concerns: the rules have triggered privacy concerns, and many top VPN providers have threatened to leave the country if forced to comply.
      • Top VPN providers NordVPN and Netherlands-based Surfshark have refused to comply with the government order so far, with Nord suggesting it might leave the country.
    • Damaging the IT sector’s growth: taking such radical action that highly impacts the privacy of millions of people in India will most likely be counterproductive and strongly damage the IT sector’s growth in the country.
    • Breach of account: It has raised the concern that collecting excessive amounts of data within Indian jurisdiction without robust protection mechanisms could lead to even more breaches.

    What is a virtual server and what are its uses? 

    • Meaning: A virtual server is a simulated server environment built on an actual physical server.
      • It recreates the functionality of a dedicated physical server.
      • The virtual twin functions like a physical server that runs software.
      • It uses resources of the physical server.
      • Multiple virtual servers can run on a single physical server.
    • Uses
      • It helps reallocate resources for changing workloads.
      • Converting one physical server into multiple virtual servers allows organisations to use processing power and resources more efficiently by running multiple operating systems and applications on one partitioned server.
      • Running multiple operating systems and applications on a single physical machine reduces the cost as it consumes less space, hardware.
      • Virtual servers are also said to offer higher security than a physical server infrastructure as the operating system and applications are enclosed in a virtual machine.
      • Virtual servers are also useful in testing and debugging applications in different operating systems and versions without having to manually install and run them in several physical machines.

    Global scenario

    • Currently, a handful of governments either regulate or outright ban VPNs.
    • These include China, Belarus, Iraq, North Korea, Oman, Russia, and the UAE.
      • In China though not all VPNs are officially banned only government-approved VPNs are officially permitted to function.
    • Other countries have internet censorship laws, which make using a VPN risky.

    Way forward/ Government’s stand

    • Not a breach of privacy: CERT-In says that the right to informational privacy of individuals is not affected by these rules since the agency does not envisage seeking of information on a continuing basis and expects to do so only in case of cybersecurity incidents.
    • Contractual obligation: the obligation of reporting cyber security incidents to CERT-In overrides any contractual obligation of not disclosing any details with the customer.
    • Corporate VPNs will remain unaffected: The CERT-In mandate could render VPN services illegal in India if providers don’t comply with it, but corporate VPNs will remain unaffected.
    • VPNs are also used by journalists, activists and whistleblowers for their work.
    • Tracking criminals: the move would make it easier for the law enforcement agencies to track criminals who use VPNs to hide their internet footprint.


    Indian Computer Emergency Response Team (CERT-In)

    • Operational: CERT-In has been operational since January 2004. 
    • The constituency of CERT-In is the Indian Cyber Community. 
    • CERT-In is the national nodal agency for responding to computer security incidents as and when they occur.
    • Power: CERT-In is empowered under Section 70B of the Information Technology Act to collect, analyse and disseminate information on cyber security incidents. 
    • It has been designated to serve as the national agency to perform the following functions in the area of cyber security:
      • Collection, analysis and dissemination of information on cyber incidents.
      • Forecast and alerts of cyber security incidents
      • Emergency measures for handling cyber security incidents
      • Coordination of cyber incident response activities.
      • Issue guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents.
      • Such other functions relating to cyber security as may be prescribed. 

    Source: TH