India Orders VPN Companies to Log & Hand Over User Data

Written by Ipsita Kabiraj
Published on May 6, 2022

The Indian government has passed new legislation requiring all VPN service providers to preserve a 5-year record of their users. On April 28, 2022, the Indian IT ministry asked all VPN companies to log and send over user data, including IP addresses assigned to customers. The new limitation undermines the very foundations of a VPN, rendering it counterproductive for a lot of users.

The Computer Emergency Response Team (CERT-In) has argued that this move is being made to fight cybercrime in the country. The government said that “During the course of handling cyber incidents and interactions with the constituency, CERT-In has identified certain gaps causing hindrance in incident analysis.” The order will become effective after 2 months (July 2022), and according to the new law, failure to comply could lead to a year’s imprisonment.

VPN providers must log and preserve the following user information for at least 5 years under the new regulations: name, email address, and phone number; the purpose for using the VPN service; the IP addresses allotted to the customer, as well as the IP address the customer used to sign up with the service; and the ownership pattern of the customers. Companies must also keep track of and maintain user records even after a user cancels a subscription to the service.

While the above information can certainly help the government track down individuals who are using VPNs for malicious activities, it also heavily compromises the privacy of all VPN users and undermines the main selling point of a VPN and its reason to exist.

VPNs are primarily designed to conceal your IP address from third parties and your ISP. These tools provide users with a shadow IP address and help them access content that may be geo-restricted. They also safeguard your privacy online and protect you from breaches with strong encryption protocols. Most VPNs, like ExpressVPN and NordVPN, among others, have a strict no-log policy. These tools usually operate with RAM-disk servers and other log-less technology. If data collection is made mandatory, tracking your browsing history would be very easy.

The new directive applies to data centers, Virtual Private Server (VPS) providers, VPN service providers, and cloud service providers. It also covers KYC norms and practices by virtual asset service providers, virtual asset exchange providers, and custodian wallet providers. Cyber security incidents must be reported within 6 hours of occurrence, and critical user data must be turned over to the authorities as directed.

The virtual asset service providers, virtual asset exchange providers, and custodian wallet providers also need to maintain KYC details and financial transaction records of customers for a period of 5 years.

All service providers, intermediaries, data centers, body corporate, and Government organizations shall connect to the Network Time Protocol (NTP) Server of National Informatics Centre (NIC) or National Physical Laboratory (NPL) or with NTP servers traceable to these NTP servers, for synchronization of all their ICT systems clocks.

Service providers, intermediaries, data centers, body corporate, and Government organizations must report the following cyber security incidents to the CERT-In:

In response to this mandate, VPN companies are refusing to log user information, and some are contemplating halting their operations in India. TechNadu contacted ExpressVPN's Harold Li, VP of Communications & Brand Strategy, and received the following quote:

This latest move by the Indian Government to require VPN companies to hand over user personal data represents a worrying attempt to infringe on the digital rights of its citizens. While we find their actions deeply concerning, this type of excessive government interference is neither new nor unique in the current geopolitical landscape. We are keeping a close eye on the situation as it evolves, but want to be clear that ExpressVPN is fully committed to protecting our users’ privacy, including by never logging user activity, and will adjust our operations and infrastructure to preserve this principle if and when necessary. As a company focused on protecting privacy and freedom of expression online, ExpressVPN will continue to fight to keep users connected to the open and free internet, no matter where they are located.

We also contacted NordVPN, and this is what Laura Tyrylyte, Head of Public Relations at Nord Security, said:

At the moment, our team is investigating the new directive recently passed by the Indian government and exploring the best course of action. As there are still at least two months left until the law comes into effect, we are currently operating as usual. We are committed to protecting the privacy of our customers; therefore, we may remove our servers from India if no other options are left.
